Fix USERDATA PDU header size (10 bytes, not 12)

USERDATA PDUs use a 10-byte header without error_class/error_code,
while ACK/ACK_DATA use 12-byte headers. This was causing "Data section
extends beyond PDU" errors when parsing USERDATA responses from real PLCs.

Changes:
- s7protocol.py: parse_response() now detects PDU type and uses correct
  header size (10 bytes for USERDATA, 12 bytes for ACK/ACK_DATA)
- server/__init__.py: Build USERDATA responses with 10-byte header
- client.py: Check for errors in data section return_code for USERDATA
  responses (errors are in data section, not header)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: gijzelaerr

snap7/client.py

@@ -1297,10 +1297,16 @@ def read_szl(self, ssl_id: int, index: int = 0) -> S7SZL:
         response_data = conn.receive_data()
         response = self.protocol.parse_response(response_data)
 
-        # Check for errors
+        # Check for errors in header (for ACK/ACK_DATA)
         if response.get("error_code", 0) != 0:
             raise RuntimeError(f"Read SZL failed with error: {response['error_code']}")
 
+        # Check for errors in data section (for USERDATA - return_code != 0xFF means error)
+        data_info = response.get("data", {})
+        return_code = data_info.get("return_code", 0xFF) if isinstance(data_info, dict) else 0xFF
+        if return_code != 0xFF:
+            raise RuntimeError(f"Read SZL failed with return code: {return_code:#02x}")
+
         # Parse SZL response
         szl_result = self.protocol.parse_read_szl_response(response)
 

snap7/s7protocol.py

@@ -1162,12 +1162,28 @@ def parse_response(self, pdu: bytes) -> Dict[str, Any]:
         Returns:
             Parsed response data
         """
-        if len(pdu) < 12:
+        if len(pdu) < 10:
             raise S7ProtocolError("PDU too short for S7 response header")
 
-        # Parse S7 response header (includes error class and error code)
-        header = struct.unpack(">BBHHHHBB", pdu[:12])
-        protocol_id, pdu_type, reserved, sequence, param_len, data_len, error_class, error_code = header
+        # First peek at PDU type to determine header size
+        pdu_type = pdu[1]
+
+        if pdu_type == S7PDUType.USERDATA:
+            # USERDATA PDUs have a 10-byte header (no error_class/error_code in header)
+            if len(pdu) < 10:
+                raise S7ProtocolError("PDU too short for USERDATA header")
+            header = struct.unpack(">BBHHHH", pdu[:10])
+            protocol_id, pdu_type, reserved, sequence, param_len, data_len = header
+            error_class = 0
+            error_code = 0
+            offset = 10
+        else:
+            # ACK/ACK_DATA PDUs have a 12-byte header (with error_class/error_code)
+            if len(pdu) < 12:
+                raise S7ProtocolError("PDU too short for ACK/ACK_DATA header")
+            header = struct.unpack(">BBHHHHBB", pdu[:12])
+            protocol_id, pdu_type, reserved, sequence, param_len, data_len, error_class, error_code = header
+            offset = 12
 
         if protocol_id != 0x32:
             raise S7ProtocolError(f"Invalid protocol ID: {protocol_id:#02x}")
@@ -1185,8 +1201,6 @@ def parse_response(self, pdu: bytes) -> Dict[str, Any]:
             "error_code": (error_class << 8) | error_code,
         }
 
-        offset = 12
-
         # Parse parameters if present
         if param_len > 0:
             if offset + param_len > len(pdu):

snap7/server/__init__.py

@@ -1980,20 +1980,18 @@ def _build_userdata_error_response(self, request: Dict[str, Any], error_code: in
             0x00,  # Reserved
         )
 
-        # Data section: return code only
-        data_section = struct.pack(">BB", (error_code >> 8) & 0xFF, error_code & 0xFF)
+        # Data section: return code only (error code in transport format)
+        data_section = struct.pack(">BBH", (error_code >> 8) & 0xFF, 0x00, 0)
 
-        # Build S7 header with error bytes
+        # Build S7 header for USERDATA (10 bytes, no error_class/error_code in header)
         header = struct.pack(
-            ">BBHHHHBB",
+            ">BBHHHH",
             0x32,  # Protocol ID
             S7PDUType.USERDATA,  # PDU type
             0x0000,  # Reserved
             request.get("sequence", 0),  # Sequence
             len(param_data),  # Parameter length
             len(data_section),  # Data length
-            (error_code >> 8) & 0xFF,  # Error class
-            error_code & 0xFF,  # Error code
         )
 
         return header + param_data + data_section
@@ -2031,17 +2029,15 @@ def _build_userdata_success_response(self, request: Dict[str, Any], userdata_par
         # Data section: return code (0xFF = success) + data
         data_section = struct.pack(">BBH", 0xFF, 0x09, len(data)) + data
 
-        # Build S7 header
+        # Build S7 header for USERDATA (10 bytes, no error_class/error_code in header)
         header = struct.pack(
-            ">BBHHHHBB",
+            ">BBHHHH",
             0x32,  # Protocol ID
             S7PDUType.USERDATA,  # PDU type
             0x0000,  # Reserved
             request.get("sequence", 0),  # Sequence
             len(param_data),  # Parameter length
             len(data_section),  # Data length
-            0x00,  # Error class (success)
-            0x00,  # Error code (success)
         )
 
         return header + param_data + data_section