Fix (SSL)StreamSocket handling of underflowed data. (#4315)

Also remove a HTTP 'iptables' option which is terrible.

Author: gpotter2

scapy/layers/http.py

@@ -47,7 +47,6 @@
 import struct
 import subprocess
 
-from scapy.base_classes import Net
 from scapy.compat import plain_str, bytes_encode
 
 from scapy.config import conf
@@ -694,7 +693,7 @@ def guess_payload_class(self, payload):
 
 def http_request(host, path="/", port=80, timeout=3,
                  display=False, verbose=0,
-                 raw=False, iptables=False, iface=None,
+                 raw=False, iface=None,
                  **headers):
     """Util to perform an HTTP request, using the TCP_client.
 
@@ -706,9 +705,6 @@ def http_request(host, path="/", port=80, timeout=3,
     :param raw: opens a raw socket instead of going through the OS's TCP
                 socket. Scapy will then use its own TCP client.
                 Careful, the OS might cancel the TCP connection with RST.
-    :param iptables: when raw is enabled, this calls iptables to temporarily
-                     prevent the OS from sending TCP RST to the host IP.
-                     On Linux, you'll almost certainly need this.
     :param iface: interface to use. Changing this turns on "raw"
     :param headers: any additional headers passed to the request
 
@@ -730,11 +726,6 @@ def http_request(host, path="/", port=80, timeout=3,
     if iface is not None:
         raw = True
     if raw:
-        # Use TCP_client on a raw socket
-        iptables_rule = "iptables -%c INPUT -s %s -p tcp --sport 80 -j DROP"
-        if iptables:
-            host = str(Net(host))
-            assert os.system(iptables_rule % ('A', host)) == 0
         sock = TCP_client.tcplink(HTTP, host, port, debug=verbose,
                                   iface=iface)
     else:
@@ -751,9 +742,6 @@ def http_request(host, path="/", port=80, timeout=3,
         )
     finally:
         sock.close()
-        if raw and iptables:
-            host = str(Net(host))
-            assert os.system(iptables_rule % ('D', host)) == 0
     if ans:
         if display:
             if Raw not in ans:

scapy/supersocket.py

@@ -27,7 +27,6 @@
 from scapy.error import warning, log_runtime
 from scapy.interfaces import network_name
 from scapy.packet import Packet, NoPayload
-import scapy.packet
 from scapy.plist import (
     PacketList,
     SndRcvList,
@@ -438,23 +437,22 @@ def __init__(self,
         self.rcvcls = streamcls(basecls or conf.raw_layer)
         self.metadata: Dict[str, Any] = {}
         self.streamsession: Dict[str, Any] = {}
-        self.MTU = MTU
+        self._buf = b""
         super(StreamSocket, self).__init__(sock, basecls=basecls)
 
     def recv(self, x=None, **kwargs):
         # type: (Optional[int], Any) -> Optional[Packet]
         if x is None:
-            x = self.MTU
+            x = MTU
         # Block but in PEEK mode
         data = self.ins.recv(x, socket.MSG_PEEK)
         if data == b"":
             raise EOFError
         x = len(data)
-        pkt = self.rcvcls(data, self.metadata, self.streamsession)
+        pkt = self.rcvcls(self._buf + data, self.metadata, self.streamsession)
         if pkt is None:  # Incomplete packet.
-            if len(data) == self.MTU:  # Bigger than MTU. Increase
-                self.MTU *= 2
-            return None
+            self._buf += self.ins.recv(x)
+            return self.recv(x)
         self.metadata.clear()
         # Strip any madding
         pad = pkt.getlayer(conf.padding_layer)
@@ -471,41 +469,30 @@ def recv(self, x=None, **kwargs):
 class SSLStreamSocket(StreamSocket):
     desc = "similar usage than StreamSocket but specialized for handling SSL-wrapped sockets"  # noqa: E501
 
+    # Basically StreamSocket but we can't PEEK
+
     def __init__(self, sock, basecls=None):
         # type: (socket.socket, Optional[Type[Packet]]) -> None
-        self._buf = b""
+        from scapy.sessions import TCPSession
+        self.sess = TCPSession(app=True)
         super(SSLStreamSocket, self).__init__(sock, basecls)
 
     # 65535, the default value of x is the maximum length of a TLS record
     def recv(self, x=None, **kwargs):
         # type: (Optional[int], **Any) -> Optional[Packet]
         if x is None:
             x = MTU
-        pkt = None  # type: Optional[Packet]
-        if self._buf != b"":
-            try:
-                pkt = self.basecls(self._buf, **kwargs)
-            except Exception:
-                # We assume that the exception is generated by a buffer underflow  # noqa: E501
-                pass
-
+        # Block
+        data = self.ins.recv(x)
+        try:
+            pkt = self.sess.process(data, cls=self.basecls)  # type: ignore
+        except struct.error:
+            # Buffer underflow
+            pkt = None
+        if data == b"" and not pkt:
+            raise EOFError
         if not pkt:
-            buf = self.ins.recv(x)
-            if len(buf) == 0:
-                raise socket.error((100, "Underlying stream socket tore down"))
-            self._buf += buf
-
-        x = len(self._buf)
-        pkt = self.basecls(self._buf, **kwargs)
-        if pkt is not None:
-            pad = pkt.getlayer(conf.padding_layer)
-
-            if pad is not None and pad.underlayer is not None:
-                del pad.underlayer.payload
-            while pad is not None and not isinstance(pad, scapy.packet.NoPayload):   # noqa: E501
-                x -= len(pad.load)
-                pad = pad.payload
-            self._buf = self._buf[x:]
+            return self.recv(x)
         return pkt
 
 

test/regression.uts

@@ -3663,7 +3663,7 @@ class MockSocket(object):
         self.l = [ b'\x00\x00\x00\x01', b'\x00\x00\x00\x02', b'\x00\x00\x00\x03' ]
     def recv(self, x):
         if len(self.l) == 0:
-            raise socket.error(100, 'EOF')
+            return b""
         return self.l.pop(0)
     def fileno(self):
         return -1
@@ -3691,7 +3691,7 @@ assert p.data == 3
 try:
     ss.recv()
     ret = False
-except socket.error:
+except EOFError:
     ret = True
 
 assert ret
@@ -3705,7 +3705,7 @@ class MockSocket(object):
         self.l = [ b'\x00\x00\x00\x01\x00\x00\x00\x02', b'\x00\x00\x00\x03\x00\x00\x00\x04' ]
     def recv(self, x):
         if len(self.l) == 0:
-            raise socket.error(100, 'EOF')
+            return b""
         return self.l.pop(0)
     def fileno(self):
         return -1
@@ -3735,7 +3735,7 @@ assert p.data == 4
 try:
     ss.recv()
     ret = False
-except socket.error:
+except EOFError:
     ret = True
 
 assert ret
@@ -3749,7 +3749,7 @@ class MockSocket(object):
         self.l = [ b'\x00\x00', b'\x00\x01', b'\x00\x00\x00', b'\x02', b'\x00\x00', b'\x00', b'\x03' ]
     def recv(self, x):
         if len(self.l) == 0:
-            raise socket.error(100, 'EOF')
+            return b""
         return self.l.pop(0)
     def fileno(self):
         return -1
@@ -3768,40 +3768,22 @@ class TestPacket(Packet):
 s = MockSocket()
 ss = SSLStreamSocket(s, basecls=TestPacket)
 
-try:
-    p = ss.recv()
-    ret = False
-except:
-    ret = True
-
-assert ret
 p = ss.recv()
 assert p.data == 1
-try:
-    p = ss.recv()
-    ret = False
-except:
-    ret = True
 
-assert ret
 p = ss.recv()
 assert p.data == 2
-try:
-    p = ss.recv()
-    ret = False
-except:
-    ret = True
 
-assert ret
+p = ss.recv()
+assert p.data == 3
+
 try:
-    p = ss.recv()
+    ss.recv()
     ret = False
-except:
+except EOFError:
     ret = True
 
 assert ret
-p = ss.recv()
-assert p.data == 3
 
 
 ############