DCE/RPC: defragment should happen after integrity check/decryption

gpotter2 · gpotter2 · commit 9833f3b81f8f · 2025-02-12T00:10:59.000+01:00
diff --git a/scapy/layers/dcerpc.py b/scapy/layers/dcerpc.py
@@ -2618,24 +2618,24 @@ def _up_pkt(self, pkt):
     # Since the connection-oriented transport guarantees sequentiality, the receiver
     # will always receive the fragments in order.
 
-    def _defragment(self, pkt):
+    def _defragment(self, pkt, body=None):
         """
         Function to defragment DCE/RPC packets.
         """
         uid = pkt.call_id
         if pkt.pfc_flags.PFC_FIRST_FRAG and pkt.pfc_flags.PFC_LAST_FRAG:
             # Not fragmented
-            return pkt
+            return body
         if pkt.pfc_flags.PFC_FIRST_FRAG or uid in self.frags:
             # Packet is fragmented
-            self.frags[uid] += pkt[DceRpc5].payload.payload.original
+            if body is None:
+                body = pkt[DceRpc5].payload.payload.original
+            self.frags[uid] += body
             if pkt.pfc_flags.PFC_LAST_FRAG:
-                pkt[DceRpc5].payload.remove_payload()
-                pkt[DceRpc5].payload /= self.frags[uid]
-                return pkt
+                return self.frags[uid]
         else:
             # Not fragmented
-            return pkt
+            return body
 
     def _fragment(self, pkt):
         """
@@ -2660,12 +2660,6 @@ def _fragment(self, pkt):
     # Similarly the signature output SHOULD be ignored.
 
     def in_pkt(self, pkt):
-        # Defragment
-        pkt = self._defragment(pkt)
-        if not pkt:
-            return
-        # Get opnum and options
-        opnum, opts = self._up_pkt(pkt)
         # Check for encrypted payloads
         body = None
         if conf.raw_layer in pkt.payload:
@@ -2787,6 +2781,13 @@ def in_pkt(self, pkt):
                 if pkt.vt_trailer:
                     vtlen = len(pkt.vt_trailer)
                     body, pkt.vt_trailer = body[:-vtlen], body[-vtlen:]
+        # Defragment
+        if body:
+            body = self._defragment(pkt, body)
+            if not body:
+                return
+        # Get opnum and options
+        opnum, opts = self._up_pkt(pkt)
         # Try to parse the payload
         if opnum is not None and self.rpc_bind_interface:
             # use opnum to parse the payload
