Check NBT packet length before full Scapy dissection

Parse the 4-byte NBT header to get the payload length before
attempting full packet dissection. This fixes two issues:

1. Incomplete packets (TCP fragmentation) are handled cleanly
   by returning 0, without hitting the exception path at all.

2. Malformed packets now consume exactly their declared size
   (nbt_length + 4) instead of len(data), which could eat the
   start of the next valid packet in the same TCP segment.

Author: micheloosterhof

modules/python/dionaea/smb/smb.py

@@ -439,6 +439,15 @@ def _process_doublepulsar_payload(self):
         os.unlink(fp.name)
 
     def handle_io_in(self, data: bytes) -> int:
+        # Need at least the NBT header (4 bytes) to determine packet length
+        if len(data) < 4:
+            return 0
+
+        # Parse NBT length from header before full dissection
+        nbt_length = ((data[1] & 0x01) << 16) | (data[2] << 8) | data[3]
+        if len(data) < nbt_length + 4:
+            return 0
+
         try:
             p = NBTSession(data, _ctx=self)
         except Exception as e:
@@ -448,11 +457,7 @@ def handle_io_in(self, data: bytes) -> int:
                 len(data),
                 data[:16].hex() if data else "empty",
             )
-            return len(data)
-
-        if len(data) < (p.LENGTH + 4):
-            # we probably do not have the whole packet yet -> return 0
-            return 0
+            return nbt_length + 4
 
         if p.TYPE == 0x81:
             self.send(NBTSession(TYPE=0x82).build())