dpkt
Record Fragmentation not handled in TLSMultiFactory(buf)
From [email protected] on November 12, 2014 20:42:23
What steps will reproduce the problem?
1. Send data more than 17000 Bytes.
2. The TLSMultiFactory will throw an error in finding the TLS version
3. The number of records returned is 0

What is the expected output? What do you see instead?
We should see two records, one with length 16383 and another record with length 17000-16383

What version of the product are you using? On what operating system?
Dpkt 1.8 and Windows Platform, Win 8.1 64 Bit

Please provide any additional information below.

```python
def TLSMultiFactory(buf):
    '''
    Attempt to parse one or more TLSRecord's out of buf

    Args:
      buf: string containing SSL/TLS messages. May have an incomplete record
        on the end

    Returns:
      [TLSRecord]
      int, total bytes consumed, != len(buf) if an incomplete record was left at
        the end.

    Raises SSL3Exception.
    '''
    i, n = 0, len(buf)
    msgs = []
    while i < n:
        v = buf[i+1:i+3]
        if v in SSL3_VERSION_BYTES:
            try:
                msg = TLSRecord(buf[i:])
                msgs.append(msg)
            except dpkt.NeedData:
                break
        else:
            raise SSL3Exception('Bad TLS version in buf: %r' % buf[i:i+5])
        i += len(msg)
    return msgs, i
```

I couldn't find the code that handles fragmentation in the Record layer.
Original issue: http://code.google.com/p/dpkt/issues/detail?id=136
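
Added example (not dpkt's code and not part of the issue thread): one way a caller can handle a TLS record that spans several TCP segments is to buffer per direction and parse only complete records, carrying the tail over to the next segment. It uses its own minimal record parser instead of dpkt so it runs stand-alone; `VERSIONS`, `parse_records`, `RecordStream`, `fragment` and `demo` are hypothetical names, and the 17000-byte payload and 1460-byte segment size are constructed sample input.

```python
import struct

# Assumed names (not dpkt's): VERSIONS, parse_records, RecordStream, fragment, demo.
VERSIONS = {b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03"}  # SSL 3.0 .. TLS 1.2
HEADER_LEN = 5                  # content type (1) + version (2) + length (2)
MAX_LEN = 2**14 + 2048          # TLSCiphertext length bound, RFC 5246 section 6.2.3


def parse_records(buf):
    """Parse complete records from buf; return ([(type, version, body)], consumed)."""
    records, i = [], 0
    while len(buf) - i >= HEADER_LEN:
        ctype, version, length = struct.unpack_from("!B2sH", buf, i)
        if version not in VERSIONS or length > MAX_LEN:
            raise ValueError("bad TLS record header: %r" % bytes(buf[i:i + HEADER_LEN]))
        end = i + HEADER_LEN + length
        if end > len(buf):      # body not fully captured yet: stop and keep the tail
            break
        records.append((ctype, version, bytes(buf[i + HEADER_LEN:end])))
        i = end
    return records, i


class RecordStream:
    """Per-direction buffer that carries an incomplete record over to the next segment."""

    def __init__(self):
        self.pending = bytearray()

    def feed(self, segment):
        self.pending += segment
        records, consumed = parse_records(self.pending)
        del self.pending[:consumed]     # drop only what was parsed as whole records
        return records


def fragment(data, size=16383, ctype=23, version=b"\x03\x03"):
    """Constructed sample input: wrap data in records of at most `size` bytes."""
    parts = [data[i:i + size] for i in range(0, len(data), size)]
    return b"".join(struct.pack("!B2sH", ctype, version, len(p)) + p for p in parts)


def demo():
    wire = fragment(b"A" * 17000)       # two records, sizes as in the report
    segments = [wire[i:i + 1460] for i in range(0, len(wire), 1460)]
    stream = RecordStream()
    return [len(body) for seg in segments for _, _, body in stream.feed(seg)]
```

`RecordStream.feed` expects in-order, de-duplicated TCP payload for a single direction of one connection; parsing each segment on its own instead fails on the second segment, whose first bytes are record body rather than a header.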
I hate to comment on issues from years ago, but this one is still open, so.. I ran into this bug today. Does anybody have a clue how to fix this?
@HugooB could you attach a pcap to reproduce the issue?
You can use the same pcap as #587 for this, so this one issue_587.pcap.gz.
```
Bad TLS version in buf: b'\x16\x12n\x16e'
Bad TLS version in buf: b'\x16\x0f/\xdb\xc1'
Bad TLS version in buf: b'\x16\xcdu\xc0w'
Bad TLS version in buf: b'\x16\xe5\x98\xde\x87'
Bad TLS version in buf: b'\x16A`V\x9b'
Bad TLS version in buf: b'\x16\xa5rj\xa0'
```
I don't get this error with changes made in PR https://github.com/kbandla/dpkt/pull/588 so hopefully it fixes both issues. @HugooB are you getting this error running ja3, or some other code? If the latter, could you attach sample code that helps to reproduce the issue?