From ed457e5f9ebfe9f663472983f762d9cc4c886693 Mon Sep 17 00:00:00 2001
From: Guillaume Valadon
Date: Fri, 2 Aug 2013 10:38:38 +0200
Subject: [PATCH 1/3] RandIP6() bug: http://thread.gmane.org/gmane.comp.security.scapy.general/4872
---
 scapy/volatile.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/scapy/volatile.py b/scapy/volatile.py
index f7dcfbc08..5d3e2adcb 100644
--- a/scapy/volatile.py
+++ b/scapy/volatile.py
@@ -291,6 +291,8 @@ class RandIP6(RandString):
 ip.append("%04x" % n)
 if len(ip) == 9:
 ip.remove("")
+ if ip[-1] == "":
+ ip[-1] = 0
 return ":".join(ip)
 class RandOID(RandString):
From b77e3cb7813eb79374d688dab2e1c4382cc6c6e3 Mon Sep 17 00:00:00 2001
From: Guillaume Valadon
Date: Fri, 2 Aug 2013 13:33:05 +0200
Subject: [PATCH 2/3] Errors preventing ICMPv6 packets to be built
---
 scapy/layers/inet6.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scapy/layers/inet6.py b/scapy/layers/inet6.py
index a131f7a90..bd2122ef6 100644
--- a/scapy/layers/inet6.py
+++ b/scapy/layers/inet6.py
@@ -1207,8 +1207,8 @@ class ICMPv6PacketTooBig(_ICMPv6Error):
 class ICMPv6TimeExceeded(_ICMPv6Error):
 name = "ICMPv6 Time Exceeded"
 fields_desc = [ ByteEnumField("type",3, icmp6types),
- ByteField("code",{ 0: "hop limit exceeded in transit",
- 1: "fragment reassembly time exceeded"}),
+ ByteEnumField("code",0, { 0: "hop limit exceeded in transit",
+ 1: "fragment reassembly time exceeded"}),
 XShortField("cksum", None),
 XIntField("unused",0x00000000)]
@@ -1262,7 +1262,7 @@ class _ICMPv6ML(_ICMPv6):
 XShortField("cksum", None),
 ShortField("mrd", 0),
 ShortField("reserved", 0),
- IP6Field("mladdr",None)]
+ IP6Field("mladdr","::")]
 # general queries are sent to the link-scope all-nodes multicast
 # address ff02::1, with a multicast address field of 0 and a MRD of
From b48efefaba1304096cd3eb0c52cc7b01ef93fb2d Mon Sep 17 00:00:00 2001
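Review bot: The added `ip[-1] = 0` in the RandIP6 hunk of scapy/volatile.py stores an integer in a list whose other visible elements are strings (`"%04x" % n`, `""`), so the `":".join(ip)` on the following line would raise TypeError whenever the last group is empty. Use `ip[-1] = "0"` instead. The hunk only patches a trailing empty group; whether a leading empty group (`ip[0] == ""`) can also reach the join is not visible here, because the method body starts outside the hunk, and is worth checking.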
From: Guillaume Valadon
Date: Fri, 2 Aug 2013 13:39:47 +0200
Subject: [PATCH 3/3] Issue #820: _IPv6GuessPayload.default_payload_class() now hecks the lenght of data
--HG--
branch : Issue #820
---
 scapy/layers/inet6.py | 37 +++++++++++++++++++++++++++++++++----
 1 file changed, 33 insertions(+), 4 deletions(-)
diff --git a/scapy/layers/inet6.py b/scapy/layers/inet6.py
index bd2122ef6..3dccc5046 100644
--- a/scapy/layers/inet6.py
+++ b/scapy/layers/inet6.py
@@ -331,12 +331,14 @@ class IP6ListField(StrField):
 class _IPv6GuessPayload:
 name = "Dummy class that implements guess_payload_class() for IPv6"
 def default_payload_class(self,p):
- if self.nh == 58 and len(p) > 2:
+ if self.nh == 58: # ICMPv6
 t = ord(p[0])
- if t == 139 or t == 140: # Node Info Query
+ if len(p) > 2 and t == 139 or t == 140: # Node Info Query
 return _niquery_guesser(p)
- return get_cls(icmp6typescls.get(t,"Raw"), "Raw")
- elif self.nh == 135 and len(p) > 3:
+ if len(p) >= icmp6typesminhdrlen.get(t, sys.maxint): # Other ICMPv6 messages
+ return get_cls(icmp6typescls.get(t,"Raw"), "Raw")
+ return Raw
+ elif self.nh == 135 and len(p) > 3: # Mobile IPv6
 return _mip6_mhtype2cls.get(ord(p[2]), MIP6MH_Generic)
 else:
 return get_cls(ipv6nhcls.get(self.nh,"Raw"), "Raw")
@@ -1111,6 +1113,33 @@ icmp6typescls = { 1: "ICMPv6DestUnreach",
 153: "ICMPv6MRD_Termination",
 }
+icmp6typesminhdrlen = { 1: 8,
+ 2: 8,
+ 3: 8,
+ 4: 8,
+ 128: 8,
+ 129: 8,
+ 130: 24,
+ 131: 24,
+ 132: 24,
+ 133: 8,
+ 134: 16,
+ 135: 24,
+ 136: 24,
+ 137: 40,
+ #139:
+ #140
+ 141: 8,
+ 142: 8,
+ 144: 8,
+ 145: 8,
+ 146: 8,
+ 147: 8,
+ 151: 8,
+ 152: 4,
+ 153: 4
+ }
+
 icmp6types = { 1 : "Destination unreachable",
 2 : "Packet too big",
 3 : "Time exceeded",
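Review bot: `t = ord(p[0])` in default_payload_class() is now reached for any payload with `nh == 58`, including an empty one, because the `len(p) > 2` guard was taken off the outer condition; a truncated packet would raise IndexError during dissection instead of falling back to Raw. In addition, `len(p) > 2 and t == 139 or t == 140` binds as `(len(p) > 2 and t == 139) or t == 140`, so type 140 still reaches `_niquery_guesser(p)` without the length check. Suggest `if not p: return Raw` before the `ord()` call and `if len(p) > 2 and t in (139, 140):` for the Node Info branch. `sys.maxint` also needs `import sys` in this module, which the hunk does not show.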
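Review bot: The `icmp6typesminhdrlen` table carries no comment saying that a type missing from it is never dissected: the lookup in default_payload_class() defaults to `sys.maxint`, so any type listed in `icmp6typescls` but absent here (the visible numbering skips 143 and 148-150, and leaves 139/140 commented out without values) will always come back as Raw. If that is intended, state it above the dict, e.g. `# Minimum ICMPv6 message length per type; types not listed are returned as Raw. 139/140 are handled by _niquery_guesser().` If it is not intended, the two tables need to be kept in sync; only the tail of `icmp6typescls` is visible in this hunk, so this should be checked against the full dict.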