Skip to content

Commit

Permalink
DCE/RPC: defragment should happen after integrity check/decryption
Browse files Browse the repository at this point in the history
  • Loading branch information
gpotter2 committed Feb 11, 2025
1 parent c15a670 commit 9833f3b
Showing 1 changed file with 14 additions and 13 deletions.
27 changes: 14 additions & 13 deletions scapy/layers/dcerpc.py
Original file line number Diff line number Diff line change
Expand Up @@ -2618,24 +2618,24 @@ def _up_pkt(self, pkt):
# Since the connection-oriented transport guarantees sequentiality, the receiver
# will always receive the fragments in order.

def _defragment(self, pkt):
def _defragment(self, pkt, body=None):
"""
Function to defragment DCE/RPC packets.
"""
uid = pkt.call_id
if pkt.pfc_flags.PFC_FIRST_FRAG and pkt.pfc_flags.PFC_LAST_FRAG:
# Not fragmented
return pkt
return body
if pkt.pfc_flags.PFC_FIRST_FRAG or uid in self.frags:
# Packet is fragmented
self.frags[uid] += pkt[DceRpc5].payload.payload.original
if body is None:
body = pkt[DceRpc5].payload.payload.original
self.frags[uid] += body
if pkt.pfc_flags.PFC_LAST_FRAG:
pkt[DceRpc5].payload.remove_payload()
pkt[DceRpc5].payload /= self.frags[uid]
return pkt
return self.frags[uid]
else:
# Not fragmented
return pkt
return body

def _fragment(self, pkt):
"""
Expand All @@ -2660,12 +2660,6 @@ def _fragment(self, pkt):
# Similarly the signature output SHOULD be ignored.

def in_pkt(self, pkt):
# Defragment
pkt = self._defragment(pkt)
if not pkt:
return
# Get opnum and options
opnum, opts = self._up_pkt(pkt)
# Check for encrypted payloads
body = None
if conf.raw_layer in pkt.payload:
Expand Down Expand Up @@ -2787,6 +2781,13 @@ def in_pkt(self, pkt):
if pkt.vt_trailer:
vtlen = len(pkt.vt_trailer)
body, pkt.vt_trailer = body[:-vtlen], body[-vtlen:]
# Defragment
if body:
body = self._defragment(pkt, body)
if not body:
return
# Get opnum and options
opnum, opts = self._up_pkt(pkt)
# Try to parse the payload
if opnum is not None and self.rpc_bind_interface:
# use opnum to parse the payload
Expand Down

0 comments on commit 9833f3b

Please sign in to comment.