Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

StrFixedLenField with incomplete packet #4450

Open
LRGH opened this issue Jul 4, 2024 · 5 comments
Open

StrFixedLenField with incomplete packet #4450

LRGH opened this issue Jul 4, 2024 · 5 comments

Comments

@LRGH
Copy link
Contributor

LRGH commented Jul 4, 2024

Brief description

Interactions between StrFixedLenField and raw packet cache cause some inconsistencies when some packet field is or is not modified. This should probably be fixed by a modification of StrFixedLenField but a choice needs to be made between two possible behaviours.

Scapy version

all (at least from 2.3.1 to 2.6.0rc1)

Python version

all

Operating system

all

Additional environment information

No response

How to reproduce

from scapy.packet import Packet
from scapy.fields import StrFixedLenField

class P(Packet):
    fields_desc = [
        StrFixedLenField('a', None, length=1),
        StrFixedLenField('b', None, length=1),
        ]

p = P(b'0')
s0 = p.build()
p.a = b'1'
s1 = p.build()
print(s0, s1)

Actual result

b'0' b'1\x00'

Expected result

Either b'0\x00' b'1\x00' (if StrFixedLenField shall always be of the given length) or b'0' b'1' (if incomplete StrFixedLenField are to be remembered as incomplete)

Related resources

No response
@LRGH LRGH mentioned this issue Jul 4, 2024
Merged
@gpotter2
Copy link
Member

gpotter2 commented Jul 6, 2024
edited
Loading

I would argue that using a StrFixedLenField while trying to dissect something smaller than the minimum size is an undefined behavior, so not really a bug.

If you have a LongField (8B) and try to dissect 2 bytes, Scapy discards the packet as "Raw". We currently don't do that for StrFixedLenField, and maybe we should, but I really don't believe that we should have the behavior you expected.

@LRGH
Copy link
Contributor Author

LRGH commented Jul 6, 2024

I don't like undefined behaviors...
I agree that the expected behaviour could be that the dissection fails, and that there could be a StrMaxLenField that would return b'0' b'1' with a semantics that the field gobbles up to length bytes.

@polybassa
Copy link
Contributor

In my opinion, the Packet s0 is build as one would expect it in the current implementation. I think it’s not desired to magically add fields to a captured packet. This would eliminate the use case to capture malformed packets and replay them.

Maybe it would be a good idea, to add a „malformed Packet“ information to the Packet whenever the dissector failed or the length doesn’t match the expected one. Similar as wireshark would do it.

With that in mind, I could see even a third possible behaviour after setting the field „a“ in your example, the packet could stay malformed, „a“ is changed to 1 and no field „b“ would be added.

@gpotter2
Copy link
Member

gpotter2 commented Jul 11, 2024
edited
Loading

In my opinion, the Packet s0 is build as one would expect it in the current implementation. I think it’s not desired to magically add fields to a captured packet.

I agree with that.

With that in mind, I could see even a third possible behaviour after setting the field „a“ in your example, the packet could stay malformed, „a“ is changed to 1 and no field „b“ would be added.

This would, in my opinion, add too much complexity. We would have to somehow remember what fields were parsed, etc. I also thinks it makes things more confusing that it should, as you end up having a 'hidden state' that wouldn't really be explicit to anyone.

I don't think that the comparison to wireshark makes much sense, they don't build packets.

Generally I'm also against adding a general case that shows "Invalid something" in a Scapy (except when you're absolutely sure of what you're doing), because at the end of the day there are so many protocols that we'll always have one wrong dissector. We might want to stay humble and say Scapy failed to parse that, rather than "it's invalid".

My current stance on this specific issue is that Scapy is working as intended.

@LRGH
Copy link
Contributor Author

LRGH commented Jul 11, 2024

I agree that having a "malformed packet" information is likely to make many things more complex.
However, I support the approach mentioned above If you have a LongField (8B) and try to dissect 2 bytes, Scapy discards the packet as "Raw"
It does not seem to be complex to implement in StrFixedLenField, we could just add in getfieldthe following test:

        if len(s) < len_pkt:
            raise Scapy_Exception("remaining packet length %s too small for field %s of length %s" % (len(s), self.name, len_pkt))

And the behaviour that I expected would be for another type of field:

class StrMaxLenField(StrFixedLenField):
    def addfield(self, pkt, s, val):
        return s + self.i2m(pkt, val)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@polybassa @LRGH @gpotter2