Fix defragment6 (bug #4228) (#4631)

guedou · shapaz · web-flow · commit 027f4d436eb2 · 2025-04-21T23:58:42.000+02:00
* Fixed fragment data size in IPv6 defragmentation

* Support IPv6.plen=None in defragment6

* Use the known size

* Unit test added

---------

Co-authored-by: shapaz &lt;47742533+shapaz@users.noreply.github.com&gt;
diff --git a/scapy/layers/inet6.py b/scapy/layers/inet6.py
@@ -1188,13 +1188,17 @@ def defragment6(packets):
 
     # regenerate the fragmentable part
     fragmentable = b""
+    frag_hdr_len = 8
     for p in res:
         q = p[IPv6ExtHdrFragment]
         offset = 8 * q.offset
         if offset != len(fragmentable):
             warning("Expected an offset of %d. Found %d. Padding with XXXX" % (len(fragmentable), offset))  # noqa: E501
+        frag_data_len = p[IPv6].plen
+        if frag_data_len is not None:
+            frag_data_len -= frag_hdr_len
         fragmentable += b"X" * (offset - len(fragmentable))
-        fragmentable += raw(q.payload)
+        fragmentable += raw(q.payload)[:frag_data_len]
 
     # Regenerate the unfragmentable part.
     q = res[0].copy()
diff --git a/test/scapy/layers/inet6.uts b/test/scapy/layers/inet6.uts
@@ -1904,6 +1904,11 @@ pkts = fragment6(IPv6()/IPv6ExtHdrFragment()/UDP(dport=42, sport=42)/Raw(load="A
 pkts = [IPv6(raw(p)) for p in pkts]
 assert defragment6(pkts).plen == 1508
 
+= defragment6 - discard payload
+pkt = Ether() / IPv6() / ICMPv6EchoRequest(data='b'*100)
+frags = fragment6(pkt, 100)
+pkt = defragment6(Ether(raw(frag / Padding(b'a' * 8))) for frag in frags)
+assert b'a' not in pkt.data
 
 ############
 ############
