RCayre / mirage

Mirage is a powerful and modular framework dedicated to the security analysis of wireless communications.
https://homepages.laas.fr/rcayre/mirage-documentation
MIT License
245 stars, 42 forks

Fix BLE ACL fragmented packet reassembly #34

Open omicronns opened 1 year ago

omicronns commented 1 year ago

I believe there was a bug in BLE packet reassembly. Current code assumed L2CAP_Hdr will be after HCI_ACL_Hdr in incoming packet fragments, but this is not true. In the next fragments there can be any data, which only sometimes will be interpreted by scapy as L2CAP. According to Wireshark's dissector, actual fragment data starts after HCI_ACL_Hdr, which I extracted using HCI_ACL_Hdr:][1:].

Also both reassembly if statements can be pulled into the conditional immediately after them.
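The reassembly behaviour the comment describes, as an added example written for this page rather than code from the mirage repository or from the PR: a plain-Python stand-in (no scapy) that parses the HCI ACL header by hand, uses the PB flag to tell a first fragment from a continuation, and treats the bytes after the ACL header of a continuation as opaque data to append, never as a fresh L2CAP header. The helper names, the per-handle buffering and the constructed fragments are my own assumptions, not the project's API.

```python
import struct

PB_FIRST = (0b00, 0b10)   # first fragment (non-flushable / flushable)
PB_CONT = 0b01            # continuing fragment

def parse_acl(raw: bytes):
    """Split one HCI ACL data packet into (handle, pb_flag, data after the header)."""
    if len(raw) < 4:
        raise ValueError("short HCI ACL packet")
    hdr, length = struct.unpack_from("<HH", raw)
    data = raw[4:4 + length]
    if len(data) != length:
        raise ValueError("truncated HCI ACL payload")
    return hdr & 0x0FFF, (hdr >> 12) & 0b11, data

def build_fragments(handle: int, cid: int, payload: bytes, max_data: int):
    """Constructed test input: one L2CAP PDU split into HCI ACL fragments."""
    pdu = struct.pack("<HH", len(payload), cid) + payload   # L2CAP header + payload
    frags = []
    for i in range(0, len(pdu), max_data):
        pb = 0b10 if i == 0 else PB_CONT
        chunk = pdu[i:i + max_data]
        frags.append(struct.pack("<HH", (pb << 12) | handle, len(chunk)) + chunk)
    return frags

class Reassembler:
    """Reassembly keyed on the connection handle and driven by the PB flag only."""
    def __init__(self):
        self._partial = {}   # handle -> (expected_total, bytearray)

    def feed(self, raw: bytes):
        handle, pb, data = parse_acl(raw)
        if pb in PB_FIRST:
            if len(data) < 4:
                raise ValueError("first fragment must carry the L2CAP header")
            l2cap_len, _cid = struct.unpack_from("<HH", data)
            expected, buf = 4 + l2cap_len, bytearray(data)
        elif pb == PB_CONT:
            if handle not in self._partial:
                raise ValueError("continuation with no start fragment")
            expected, buf = self._partial.pop(handle)
            buf += data          # raw bytes after the ACL header, never re-parsed as L2CAP
        else:
            raise ValueError("reserved PB flag")
        if len(buf) > expected:
            raise ValueError("fragments exceed the declared L2CAP length")
        if len(buf) == expected:
            return bytes(buf)    # complete L2CAP PDU (header + payload)
        self._partial[handle] = (expected, buf)
        return None
```

A continuation whose first bytes happen to look like an L2CAP header is appended unchanged, which is exactly the case the layer-guessing approach gets wrong.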

vdechef commented 1 year ago

I just stumbled on the same problem, and got to the same conclusion. Then I found your PR. Thanks for this. This should be integrated in master.