TLS class modifies packets with invalid extensions data #3853

Closed
stevenskevin opened this issue Jan 13, 2023 · 1 comment · Fixed by #4554
@stevenskevin

Brief description

bytes(TLS(b)) == b isn't true for certain TLS packets with invalid extensions data.

Scapy version

5c60850

Python version

3.10

Operating system

Ubuntu 22.04

Additional environment information

No response

How to reproduce

from scapy.layers.tls.record import TLS

# One TLS record (type 0x16 handshake, version 3.1, length 0x51) carrying a
# ServerHello (type 0x02, length 0x49) followed by a ServerHelloDone (type 0x0e,
# length 0). After the cipher suite (00 02) and compression method (00), the
# ServerHello's extensions length field reads 04 01 (1025), but only a single
# byte (00) follows it before the ServerHelloDone starts.
b = bytes.fromhex("""
16 03 01 00 51 02 00 00 49 03 01 cd 8a 0e d1 00
01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10
11 12 13 14 15 16 17 18 19 1a 1b 20 20 21 22 23
24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33
34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 00 02 00 04
01 00 0e 00 00 00
""")

print(b.hex())
print(bytes(TLS(b)).hex())
print(bytes(TLS(b)) == b)  # round-trip check: dissect, then rebuild

Actual result

1603010051020000490301cd8a0ed1000102030405060708090a0b0c0d0e0f101112131415161718191a1b20202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f0002000401000e000000
1603010051020000490301cd8a0ed1000102030405060708090a0b0c0d0e0f101112131415161718191a1b20202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f00020004010e000000
False

Expected result

1603010051020000490301cd8a0ed1000102030405060708090a0b0c0d0e0f101112131415161718191a1b20202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f0002000401000e000000
1603010051020000490301cd8a0ed1000102030405060708090a0b0c0d0e0f101112131415161718191a1b20202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f0002000401000e000000
True

The difference is that the second line is no longer missing a null byte near the end of the data.

Related resources

Explanation: In the example packet above, the first handshake message (TLSServerHello), which is 77 bytes long, declares that it has 1025 bytes of extensions data, but actually only has one. Scapy discards that byte, causing the packet data to change when converted back to bytes.

"Any packet data can survive a round-trip through Scapy unmodified" isn't an explicit documented guarantee as far as I can tell, but "What makes Scapy so special" makes it sound like Scapy tries to avoid assuming anything in order to cater to unusual use cases. So this feels like a bug to me, personally. Let me know if I'm wrong :)
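The behaviour the report asks for, as an added example that is not Scapy's code and not part of the original issue: a minimal TLS record / handshake parser that records the declared extensions length but never trusts it to decide how many bytes to keep, so that build(parse(b)) == b holds for the malformed ServerHello above as well as for a well-formed one. The class and function names (Record, Handshake, ServerHello, parse_record, extension_lengths, round_trips) are this example's own choices; MALFORMED is the packet from the report, and WELL_FORMED is a constructed variant of it with a consistent 5-byte renegotiation_info extension.

```python
"""Length-preserving TLS record parser (added example, not Scapy's code)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

HANDSHAKE = 0x16
SERVER_HELLO = 0x02


@dataclass
class ServerHello:
    version: int
    random: bytes
    session_id: bytes
    cipher_suite: int
    compression: int
    declared_ext_len: Optional[int] = None  # 2-byte extensions length field, None if absent
    ext_data: bytes = b""                   # bytes actually present after it (may be short)

    def truncated(self) -> bool:
        return self.declared_ext_len is not None and len(self.ext_data) < self.declared_ext_len

    def build(self) -> bytes:
        out = struct.pack("!H", self.version) + self.random
        out += bytes([len(self.session_id)]) + self.session_id
        out += struct.pack("!HB", self.cipher_suite, self.compression)
        if self.declared_ext_len is not None:
            out += struct.pack("!H", self.declared_ext_len)  # re-emit the field as read
        return out + self.ext_data


def parse_server_hello(body: bytes) -> ServerHello:
    pos = 0
    version, = struct.unpack_from("!H", body, pos); pos += 2
    random = body[pos:pos + 32]; pos += 32
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    cipher_suite, compression = struct.unpack_from("!HB", body, pos); pos += 3
    declared = None
    if len(body) - pos >= 2:
        declared, = struct.unpack_from("!H", body, pos); pos += 2
    # Keep whatever follows verbatim: the declared length is recorded, not trusted.
    return ServerHello(version, random, session_id, cipher_suite, compression, declared, body[pos:])


@dataclass
class Handshake:
    msg_type: int
    length: int   # declared 24-bit body length
    body: bytes   # bytes actually present (at most `length`)

    def build(self) -> bytes:
        return bytes([self.msg_type]) + self.length.to_bytes(3, "big") + self.body


@dataclass
class Record:
    content_type: int
    version: int
    length: int
    messages: List[Handshake] = field(default_factory=list)
    raw: bytes = b""       # non-handshake payload, or a partial handshake header
    trailing: bytes = b""  # anything beyond the declared record length

    def build(self) -> bytes:
        header = struct.pack("!BHH", self.content_type, self.version, self.length)
        return header + b"".join(m.build() for m in self.messages) + self.raw + self.trailing


def parse_record(data: bytes) -> Record:
    ctype, version, length = struct.unpack_from("!BHH", data, 0)
    payload, trailing = data[5:5 + length], data[5 + length:]
    rec = Record(ctype, version, length, trailing=trailing)
    if ctype != HANDSHAKE:
        rec.raw = payload
        return rec
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 4:   # partial handshake header: keep verbatim
            rec.raw = payload[pos:]
            break
        msg_type = payload[pos]
        msg_len = int.from_bytes(payload[pos + 1:pos + 4], "big")
        body = payload[pos + 4:pos + 4 + msg_len]  # short if the record ends early
        rec.messages.append(Handshake(msg_type, msg_len, body))
        pos += 4 + len(body)
    return rec


def round_trips(data: bytes) -> bool:
    """True when parsing and rebuilding reproduces the input byte for byte."""
    return parse_record(data).build() == data


def extension_lengths(data: bytes) -> tuple:
    """(declared extensions length, bytes actually present) of the first ServerHello."""
    for msg in parse_record(data).messages:
        if msg.msg_type == SERVER_HELLO:
            sh = parse_server_hello(msg.body)
            return sh.declared_ext_len, len(sh.ext_data)
    raise ValueError("no ServerHello in record")


# The packet from the report: extensions length 04 01 (1025) but one byte present.
MALFORMED = bytes.fromhex(
    "1603010051020000490301cd8a0ed1000102030405060708090a0b0c0d0e0f10"
    "1112131415161718191a1b20202122232425262728292a2b2c2d2e2f30313233"
    "3435363738393a3b3c3d3e3f0002000401000e000000"
)
# Constructed variant: same hello, but a consistent 5-byte renegotiation_info
# extension (ff01 0001 00); handshake length 0x4d, record length 0x55.
WELL_FORMED = bytes.fromhex(
    "1603010055020000" "4d0301cd8a0ed1000102030405060708090a0b0c0d0e0f10"
    "1112131415161718191a1b20202122232425262728292a2b2c2d2e2f30313233"
    "3435363738393a3b3c3d3e3f0002000005ff0100010000" "0e000000"
)

if __name__ == "__main__":
    for name, pkt in (("malformed", MALFORMED), ("well-formed", WELL_FORMED)):
        print(name, "declared/actual ext bytes:", extension_lengths(pkt), "round-trips:", round_trips(pkt))
```

The point of the design is that every length field is stored as read and every byte that was present is kept somewhere (ext_data, raw or trailing), so a malformed length can be reported (truncated()) without silently altering what gets rebuilt; a dissector that instead slices by the declared length, as the reported Scapy behaviour does, has nowhere to put the leftover byte and drops it.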

@gpotter2
Member

Hi & thanks for the report!

You're probably right, looks like a bug.
TLS is quite hard, so I'm actually not that surprised that you would find something like that. Feel free to have a look and maybe submit a PR; we'll be happy to have a look, but this is unlikely to be prioritised :p
