secdev / scapy

Scapy: the Python-based interactive packet manipulation program & library.
https://scapy.net
GNU General Public License v2.0

malformed DHCP runs endless loop #4452

Closed AvihaiSam closed 2 days ago

AvihaiSam commented 3 days ago

When running a malformed DHCP packet with DHCP(data), scapy runs endlessly and memory consumption keeps increasing.

The mechanism is: this partial code runs getfield() (in layers/dhcp.py:457), which runs

# fields.py:2059
while s:
    if c is not None:
        if c <= 0:
            break
        c -= 1
    s, v = self.field.getfield(pkt, s)
    val.append(v)

where dhcp's getfield is:

# layers/dhcp.py:192
def getfield(self, pkt, s):
    if not s:
        return None

    prefix = orb(s[0])
    # if prefix is an invalid value (prefix < 0 or prefix > 32) then break
    if prefix > 32 or prefix < 0:
        warning("Invalid prefix value: %d (0x%x)", prefix, prefix)
        return s, []

    route_len = 5 + (prefix + 7) // 8
    return s[route_len:], self.m2i(pkt, s[:route_len])

and it returns at line 200 with s, [] which causes the same data to go in again and again endlessly. Each iteration val gets appended with another [] so it looks like [[], [], [], [], [], [], ......, []]

I think you should raise an exception at line 200 instead of return s, []
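The loop interaction described in this report, as an added example that is not scapy's code: a minimal stand-alone model of both getfield loops, an unguarded version capped so the [[], [], ...] symptom is visible, and a variant with a no-progress guard (one defensive pattern for list parsers; not a claim about what commit 9946ef1 does).

```python
# Added example (not scapy's code): a minimal model of the two loops quoted
# in the issue, showing how an item parser that returns its input unconsumed
# makes the list loop spin forever, and a no-progress guard that stops it.


def route_getfield(s: bytes):
    """Model of the dhcp.py getfield quoted above: one classless static route.

    Returns (remaining_bytes, parsed_item). A byte is never negative, so only
    the 'prefix > 32' check can fire; when it does, the original returns the
    input untouched, which is exactly what hangs the caller.
    """
    prefix = s[0]
    if prefix > 32:
        return s, []                      # nothing consumed
    route_len = 5 + (prefix + 7) // 8     # prefix byte + network + gateway
    return s[route_len:], (prefix, s[1:route_len])


def list_getfield_unguarded(s: bytes, max_iters: int):
    """Model of the fields.py loop, capped so the symptom can be shown."""
    val = []
    while s and max_iters > 0:
        max_iters -= 1
        s, v = route_getfield(s)
        val.append(v)                     # on bad input: [], [], [], ...
    return val


class NoProgress(ValueError):
    """Raised when an item parser consumes nothing instead of looping forever."""


def list_getfield(s: bytes):
    """Same loop with a guard: every iteration must consume at least one byte."""
    val = []
    while s:
        rest, v = route_getfield(s)
        if len(rest) >= len(s):
            raise NoProgress("route parser consumed no bytes at %r" % s[:8])
        val.append(v)
        s = rest
    return val
```

The guard is independent of the route format: any per-item parser that hands back its input unchanged trips it on the first iteration instead of growing val without bound.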

evverx commented 3 days ago

I think it was fixed in https://github.com/secdev/scapy/commit/9946ef17f5d3783dab966b821c559cd65135fda5.

AvihaiSam commented 3 days ago

I think it was fixed in 9946ef1.

Cool I agree, it sounds like a fix... when would 2.6.0 be official then?

evverx commented 3 days ago

I'm not a scapy maintainer so I can't answer this question but it's being discussed in https://github.com/secdev/scapy/issues/4196. 2.6.0rc1 was already released.

gpotter2 commented 2 days ago

when would 2.6.0 be official

Hopefully soon.

Thanks a lot @evverx. Closing