dot15d4: prevent dissection of encrypted payloads as upper layers

T3pp31 · T3pp31 · commit 65e9d39db9cc · 2026-04-14T23:28:39.000+09:00
When sec_sc_seclevel &gt;= 4 (ENC, ENC-MIC-*), the payload after
aux_sec_header is encrypted and must not be passed to upper layer
dissectors (SixLoWPAN, ZigBee, etc.). Add encrypted payload checks
to guess_payload_class() in Dot15d4Data, Dot15d4Beacon, and
Dot15d4Cmd.
diff --git a/scapy/layers/dot15d4.py b/scapy/layers/dot15d4.py
@@ -240,6 +240,10 @@ class Dot15d4Data(Packet):
     ]
 
     def guess_payload_class(self, payload):
+        # Encrypted payloads (sec_sc_seclevel >= 4) cannot be dissected further
+        if self.aux_sec_header is not None and \
+                self.aux_sec_header.sec_sc_seclevel >= 4:
+            return conf.raw_layer
         # TODO: See how it's done in wireshark:
         # https://github.com/wireshark/wireshark/blob/93c60b3b7c801dddd11d8c7f2a0ea4b7d02d700a/epan/dissectors/packet-ieee802154.c#L2061  # noqa: E501
         # it's too magic to me
@@ -309,6 +313,13 @@ class Dot15d4Beacon(Packet):
         # TODO beacon payload
     ]
 
+    def guess_payload_class(self, payload):
+        # Encrypted payloads (sec_sc_seclevel >= 4) cannot be dissected further
+        if self.aux_sec_header is not None and \
+                self.aux_sec_header.sec_sc_seclevel >= 4:
+            return conf.raw_layer
+        return Packet.guess_payload_class(self, payload)
+
     def mysummary(self):
         return self.sprintf("802.15.4 Beacon ( %Dot15d4Beacon.src_panid%:%Dot15d4Beacon.src_addr% ) assocPermit(%Dot15d4Beacon.sf_assocpermit%) panCoord(%Dot15d4Beacon.sf_pancoord%)")  # noqa: E501
 
@@ -348,6 +359,10 @@ def mysummary(self):
     # command frame payloads are complete: DataReq, PANIDConflictNotify, OrphanNotify, BeaconReq don't have any payload  # noqa: E501
     # Although BeaconReq can have an optional ZigBee Beacon payload (implemented in ZigBeeBeacon)  # noqa: E501
     def guess_payload_class(self, payload):
+        # Encrypted payloads (sec_sc_seclevel >= 4) cannot be dissected further
+        if self.aux_sec_header is not None and \
+                self.aux_sec_header.sec_sc_seclevel >= 4:
+            return conf.raw_layer
         if self.cmd_id == 1:
             return Dot15d4CmdAssocReq
         elif self.cmd_id == 2:
diff --git a/test/scapy/layers/dot15d4.uts b/test/scapy/layers/dot15d4.uts
@@ -377,6 +377,18 @@ assert pkt2[Dot15d4Cmd].aux_sec_header is not None
 assert pkt2[Dot15d4Cmd].aux_sec_header.sec_sc_seclevel == 5
 assert pkt2[Dot15d4Cmd].aux_sec_header.sec_sc_keyidmode == 1
 
+= Dot15d4 Data with encrypted payload (seclevel >= 4) stays Raw
+
+# Given: a Data frame with seclevel=4 (ENC) and trailing encrypted bytes
+pkt = Dot15d4(fcf_frametype=1, fcf_security=1, fcf_destaddrmode=2, fcf_srcaddrmode=2) / Dot15d4Data(dest_panid=0x1234, dest_addr=0xFFFF, src_panid=0x1234, src_addr=0x0001, aux_sec_header=Dot15d4AuxSecurityHeader(sec_sc_seclevel=4, sec_sc_keyidmode=1, sec_keyid_keyindex=0x01)) / Raw(b'\xaa\xbb\xcc\xdd')
+# When: packet is serialized and re-dissected
+pkt2 = Dot15d4(raw(pkt))
+# Then: encrypted payload must not be dissected as SixLoWPAN/ZigBee
+assert pkt2[Dot15d4Data].aux_sec_header.sec_sc_seclevel == 4
+assert Raw in pkt2
+from scapy.layers.sixlowpan import SixLoWPAN
+assert SixLoWPAN not in pkt2
+
 = Dot15d4 Beacon without aux_sec_header (fcf_security=0)
 
 # Given: raw bytes for a Dot15d4 Beacon frame with fcf_security=0
