fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

DNS.py: No more data to parse. Offset is bigger than length of buffer. #1632

Open emdete opened 11 months ago

emdete commented 11 months ago

Configuration

impacket version: 0.11.0
Python version: 3.11
Target OS: Linux

Debug Output With Command String

code example:

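from impacket.dns import DNS
# buffer: raw bytes handed over by the pcap library (see the PCAP section)
dns = DNS(buffer)
print(dns.get_questions())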

exception stack trace:

Traceback (most recent call last):
  File "../main.py", line 20, in lean_dns
    print(dns.get_questions())
          ^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/dns.py", line 277, in get_questions
    return self.__get_questions()[0]
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/dns.py", line 285, in __get_questions
    offset, qname = self.parseCompressedMessage(data, offset)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/dns.py", line 338, in parseCompressedMessage
    offset, unnamed = self.parseCompressedMessage(buf, offset)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/dns.py", line 318, in parseCompressedMessage
    raise Exception("No more data to parse. Offset is bigger than length of buffer.")
Exception: No more data to parse. Offset is bigger than length of buffer.

PCAP

This is an example of a packet in question:

b'\x00<\xe7E\x81\x80\x00\x01\x00\x01\x00\x00\x00\x01\x04live\x06github\x03com\x00\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x00;\x00\x04\x8cRq\x19\x00\x00)\x04\xd0\x00\x00\x80\x00\x00\x00'

Explanation

I am writing a program to snoop traffic via pcap. The DNS traffic is decoded using impacket, and most requests are decoded correctly. Sometimes the buffer can't be decoded, with the error shown.

emdete commented 11 months ago

This is strange: I noticed that there are two garbage bytes at the beginning. If I skip these bytes, decoding works fine. I got that buffer from the pcap library, and that happens with TCP only, not with DNS via UDP. Probably my fault, but what am I missing?

hidd3ncod3s commented 11 months ago

https://datatracker.ietf.org/doc/html/rfc7766#section-8

emdete commented 11 months ago

Is there a proper way to let impacket handle this? How?
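Added example (not part of the thread and not impacket code): DNS over TCP puts a two-byte, big-endian length in front of every message (RFC 1035 section 4.2.2, RFC 7766 section 8), which is what the leading `\x00<` (60) in the buffer above is. The sketch below strips that prefix and reassembles messages that are split across segments or packed several to a segment; `DnsTcpFramer` and `question_count` are hypothetical names, and it assumes the payloads of one direction of one TCP connection are fed in order.

```python
import struct

# TCP payload quoted in the issue above: length prefix + one DNS response.
SAMPLE_TCP_PAYLOAD = (
    b'\x00<\xe7E\x81\x80\x00\x01\x00\x01\x00\x00\x00\x01\x04live\x06github'
    b'\x03com\x00\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x00;\x00'
    b'\x04\x8cRq\x19\x00\x00)\x04\xd0\x00\x00\x80\x00\x00\x00'
)

DNS_HEADER_LEN = 12  # fixed DNS header size (RFC 1035 section 4.1.1)


class DnsTcpFramer:
    """Hypothetical helper: rebuild DNS messages from one side of a TCP stream."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, payload: bytes) -> list:
        """Add one TCP segment payload; return every complete DNS message."""
        self._buf += payload
        messages = []
        while len(self._buf) >= 2:
            (length,) = struct.unpack_from("!H", self._buf, 0)
            if length < DNS_HEADER_LEN:
                # Shorter than a DNS header: the stream is out of sync
                # (capture began mid-message) or the traffic is not DNS.
                self._buf.clear()
                raise ValueError("implausible DNS length prefix: %d" % length)
            if len(self._buf) < 2 + length:
                break  # rest of this message arrives in a later segment
            messages.append(bytes(self._buf[2:2 + length]))
            del self._buf[:2 + length]
        return messages


def question_count(message: bytes) -> int:
    """QDCOUNT from the DNS header, a cheap sanity check on the framing."""
    return struct.unpack_from("!H", message, 4)[0]


if __name__ == "__main__":
    framer = DnsTcpFramer()
    for msg in framer.feed(SAMPLE_TCP_PAYLOAD):
        # msg is a bare DNS message, ready for DNS(msg).get_questions()
        print(len(msg), question_count(msg))
```

Keep one framer per TCP connection and direction; UDP payloads carry no prefix and go to the decoder unchanged.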