From cd3502f875af6352d8a9e0abb85dac99ae3b9502 Mon Sep 17 00:00:00 2001 From: h3nnes Date: Sun, 31 May 2026 13:49:32 +0200 Subject: [PATCH] Add bounds checks for truncated DLF packet parsing When parsing DLF log files, packets can be shorter than expected due to capture truncation (logged as 'Packet length mismatch' warnings). Without bounds checks, these produce crashes: - ValueError from bitstring when reading a zero-length slice - struct.error when unpacking from a buffer that is too short - struct.error when writing oversized packets to pcap Fix by adding guards before each fixed-size read in: - parse_lte_mac_subpkt_v49: TB common info (16B), SDU info (3B), pdcp_grp (4B) - parse_lte_mac_subpkt_v1_ul_transport_block: UL TB headers (12B/14B) - PcapWriter.write_pkt: skip packets exceeding IPv4 max payload (65507B) --- src/scat/parsers/qualcomm/diagltelogparser.py | 10 ++++++++++ src/scat/writers/pcapwriter.py | 3 +++ 2 files changed, 13 insertions(+) diff --git a/src/scat/parsers/qualcomm/diagltelogparser.py b/src/scat/parsers/qualcomm/diagltelogparser.py index d8e38fe..1186987 100644 --- a/src/scat/parsers/qualcomm/diagltelogparser.py +++ b/src/scat/parsers/qualcomm/diagltelogparser.py @@ -690,10 +690,14 @@ def parse_lte_mac_subpkt_v1_ul_transport_block(self, pkt_header, subpkt_hdr, sub subpkt_pos = 1 for j in range(n_samples): if subpkt_hdr.version == 0x01: + if subpkt_pos + 12 > len(subpkt_body): + break subpkt_mac_ul_tb = subpkt_mac_ul_tb_struct._make(struct.unpack(' len(subpkt_body): + break subpkt_mac_ul_tb = subpkt_mac_ul_tb_struct_v2._make(struct.unpack(' len(pkt_body): + break subpkt_tb = subpkt_tb_common_info._make(struct.unpack(' len(pkt_body): + break mac_common_info_bits = bitstring.Bits(pkt_body[pos:pos+3][::-1]) is_mce = mac_common_info_bits[0:1].uint lcid = mac_common_info_bits[1:7].uint 
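Review bot: The new guards in parse_lte_mac_subpkt_v1_ul_transport_block hard-code the header sizes (`subpkt_pos + 12 > len(subpkt_body)` and, per the commit message, 14 for the second layout), so they can drift from the struct format strings they protect; the same applies to the 16-byte and 3-byte guards the message lists for parse_lte_mac_subpkt_v49. Deriving each bound from its own format with `struct.calcsize(...)`, or from a constant defined next to the namedtuple, would keep the check and the read in sync. The guards cover only the fixed-size header, so if a variable-length slice is taken after the unpack using a length field from the packet (not visible in this hunk), it needs the same comparison against `len(subpkt_body)`. Each `break` also ends parsing silently; a one-line warning naming the truncated sub-packet would let users tell partial output from a complete record.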
@@ -831,6 +839,8 @@ def parse_lte_mac_subpkt_v49(self, pkt_header, pkt_body: bytes, args: dict, is_d for k in range(num_pdcp_grp): has_more = 1 while has_more == 1: + if pos + 4 > len(pkt_body): + break pdcp_grp_bits = bitstring.Bits(pkt_body[pos:pos+4][::-1]) has_more = pdcp_grp_bits[0:1].uint pos += 4 diff --git a/src/scat/writers/pcapwriter.py b/src/scat/writers/pcapwriter.py index 4e04f1a..79d48ac 100644 --- a/src/scat/writers/pcapwriter.py +++ b/src/scat/writers/pcapwriter.py @@ -29,6 +29,9 @@ def __enter__(self): return self def write_pkt(self, sock_content: bytes, port: int, radio_id: int=0, ts: datetime.datetime = datetime.datetime.now()) -> None: + max_payload = 65535 - 8 - 20 # max UDP payload fitting in IPv4 + if len(sock_content) > max_payload: + return pcap_hdr = struct.pack('
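Review bot: In the pdcp_grp hunk of parse_lte_mac_subpkt_v49 the added `break` leaves only the inner `while has_more == 1:`; the enclosing `for k in range(num_pdcp_grp):` keeps iterating, resets `has_more = 1` and repeats the same failed check for every remaining group. Since num_pdcp_grp presumably comes from the packet itself, a truncated record is then handled as if the groups had been consumed, and whatever follows the loop (outside this hunk) continues with `pos` at the truncation point. Making truncation explicit would stop cleanly: set `truncated = True` before the `break`, add `if truncated: break` at the end of the `for` body, and log it once. The function body starts and ends outside the hunk.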