QUIC: fix small bugs in size calculation (#4685)

gpotter2 · web-flow · commit 874abdccae65 · 2025-03-09T16:37:38.000+01:00
diff --git a/scapy/layers/quic.py b/scapy/layers/quic.py
@@ -35,6 +35,7 @@
     MultipleTypeField,
     ShortField,
     StrLenField,
+    ThreeBytesField,
 )
 
 # Typing imports
@@ -80,9 +81,9 @@ def addfield(self, pkt: Packet, s: bytes, val: Optional[int]):
         elif val < 0x4000:
             return s + struct.pack("!H", val | 0x4000)
         elif val < 0x40000000:
-            return s + struct.pack("!I", val | 0x40000000)
+            return s + struct.pack("!I", val | 0x80000000)
         else:
-            return s + struct.pack("!Q", val | 0x4000000000000000)
+            return s + struct.pack("!Q", val | 0xC000000000000000)
 
     def getfield(self, pkt: Packet, s: bytes) -> Tuple[bytes, int]:
         length = (s[0] & 0xC0) >> 6
@@ -185,7 +186,7 @@ class QUIC_Version(QUIC):
         IntField("Version", 0),
         FieldLenField("DstConnIDLen", None, length_of="DstConnID", fmt="B"),
         StrLenField("DstConnID", "", length_from=lambda pkt: pkt.DstConnIDLen),
-        FieldLenField("SrcConnIDLen", None, length_of="DstConnID", fmt="B"),
+        FieldLenField("SrcConnIDLen", None, length_of="SrcConnID", fmt="B"),
         StrLenField("SrcConnID", "", length_from=lambda pkt: pkt.SrcConnIDLen),
         FieldListField("SupportedVersions", [], IntField("", 0)),
     ]
@@ -195,9 +196,34 @@ class QUIC_Version(QUIC):
 
 QuicPacketNumberField = lambda name, default: MultipleTypeField(
     [
-        (ByteField(name, default), lambda pkt: pkt.PacketNumberLen == 0),
-        (ShortField(name, default), lambda pkt: pkt.PacketNumberLen == 1),
-        (IntField(name, default), lambda pkt: pkt.PacketNumberLen == 2),
+        (
+            ByteField(name, default),
+            (
+                lambda pkt: pkt.PacketNumberLen == 0,
+                lambda _, val: val < 0x100,
+            ),
+        ),
+        (
+            ShortField(name, default),
+            (
+                lambda pkt: pkt.PacketNumberLen == 1,
+                lambda _, val: val < 0x10000,
+            ),
+        ),
+        (
+            ThreeBytesField(name, default),
+            (
+                lambda pkt: pkt.PacketNumberLen == 2,
+                lambda _, val: val < 0x1000000,
+            ),
+        ),
+        (
+            IntField(name, default),
+            (
+                lambda pkt: pkt.PacketNumberLen == 3,
+                lambda _, val: val < 0x100000000,
+            ),
+        ),
     ],
     ByteField(name, default),
 )
@@ -213,7 +239,7 @@ def i2m(self, pkt, x):
                 return 0
             elif PacketNumber < 0x10000:
                 return 1
-            elif PacketNumber < 0x100000000:
+            elif PacketNumber < 0x1000000:
                 return 2
             else:
                 return 3
diff --git a/test/scapy/layers/quic.uts b/test/scapy/layers/quic.uts
@@ -42,9 +42,76 @@ assert pkt.DstConnID == b"c_cid"
 assert pkt.SrcConnID == b"s_cid"
 assert pkt.PacketNumber == 1
 
-= QUIC - Build Client Initial Packet
+= QUIC - QuicPacketNumberField / QuicPacketNumberBitFieldLenField - variable lengths
 
 from scapy.layers.quic import *
 
-pkt = QUIC_Initial(PacketNumberLen=3, DstConnID=b'p\xa2\x8e@\x96\xc5}\xd0\xff\xb6\xc3\xd8\x1b\xcaR', SrcConnID=b'\xf7\x10Q', PacketNumber=116)
-assert bytes(pkt) == b'\xc3\x00\x00\x00\x01\x0fp\xa2\x8e@\x96\xc5}\xd0\xff\xb6\xc3\xd8\x1b\xcaR\x0f\xf7\x10Q\x00\x00t'
+pkt = QUIC_Initial(DstConnID=b'p\xa2\x8e@\x96\xc5}\xd0\xff\xb6\xc3\xd8\x1b\xcaR', SrcConnID=b'\xf7\x10Q', PacketNumber=0xFF)
+assert bytes(pkt) == b'\xc0\x00\x00\x00\x01\x0fp\xa2\x8e@\x96\xc5}\xd0\xff\xb6\xc3\xd8\x1b\xcaR\x03\xf7\x10Q\x00\x00\xff'
+pkt = QUIC_Initial(bytes(pkt))
+assert pkt.DstConnIDLen == 15
+assert pkt.SrcConnIDLen == 3
+assert pkt.PacketNumberLen == 0
+assert pkt.PacketNumber == 0xFF
+
+pkt = QUIC_Initial(DstConnID=b'p\xa2\x8e@\x96\xc5}\xd0\xff\xb6\xc3\xd8\x1b\xcaR', SrcConnID=b'\xf7\x10Q', PacketNumber=0xFFFF)
+assert bytes(pkt) == b'\xc1\x00\x00\x00\x01\x0fp\xa2\x8e@\x96\xc5}\xd0\xff\xb6\xc3\xd8\x1b\xcaR\x03\xf7\x10Q\x00\x00\xff\xff'
+pkt = QUIC_Initial(bytes(pkt))
+assert pkt.PacketNumberLen == 1
+assert pkt.PacketNumber == 0xFFFF
+
+pkt = QUIC_Initial(DstConnID=b'p\xa2\x8e@\x96\xc5}\xd0\xff\xb6\xc3\xd8\x1b\xcaR', SrcConnID=b'\xf7\x10Q', PacketNumber=0xFFFFFF)
+assert bytes(pkt) == b'\xc2\x00\x00\x00\x01\x0fp\xa2\x8e@\x96\xc5}\xd0\xff\xb6\xc3\xd8\x1b\xcaR\x03\xf7\x10Q\x00\x00\xff\xff\xff'
+pkt = QUIC_Initial(bytes(pkt))
+assert pkt.PacketNumberLen == 2
+assert pkt.PacketNumber == 0xFFFFFF
+
+pkt = QUIC_Initial(DstConnID=b'p\xa2\x8e@\x96\xc5}\xd0\xff\xb6\xc3\xd8\x1b\xcaR', SrcConnID=b'\xf7\x10Q', PacketNumber=0xFFFFFFFF)
+assert bytes(pkt) == b'\xc3\x00\x00\x00\x01\x0fp\xa2\x8e@\x96\xc5}\xd0\xff\xb6\xc3\xd8\x1b\xcaR\x03\xf7\x10Q\x00\x00\xff\xff\xff\xff'
+pkt = QUIC_Initial(bytes(pkt))
+assert pkt.PacketNumberLen == 3
+assert pkt.PacketNumber == 0xFFFFFFFF
+
+= QUIC - QuicPacketNumberField / QuicPacketNumberBitFieldLenField - Out of range
+
+import struct
+from scapy.layers.quic import *
+
+try:
+    pkt = QUIC_Initial(PacketNumber=0xFFFFFFFFFF)
+    bytes(pkt)
+    assert False, "QUIC Packet Number length should fail"
+except struct.error:
+    pass
+
+= QUIC - QuicVarIntField - variable lengths
+
+from scapy.layers.quic import *
+
+pkt = QUIC_Initial(Length=1)
+assert bytes(pkt) == b'\xc0\x00\x00\x00\x01\x00\x00\x00\x01\x00'
+assert QUIC_Initial(bytes(pkt)).Length == 1
+
+pkt = QUIC_Initial(Length=1 << 9)
+assert bytes(pkt) == b'\xc0\x00\x00\x00\x01\x00\x00\x00B\x00\x00'
+assert QUIC_Initial(bytes(pkt)).Length == 1 << 9
+
+pkt = QUIC_Initial(Length=1 << 17)
+assert bytes(pkt) == b'\xc0\x00\x00\x00\x01\x00\x00\x00\x80\x02\x00\x00\x00'
+assert QUIC_Initial(bytes(pkt)).Length == 1 << 17
+
+pkt = QUIC_Initial(Length=4611686018427387903)
+assert bytes(pkt) == b'\xc0\x00\x00\x00\x01\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\x00'
+assert QUIC_Initial(bytes(pkt)).Length == 4611686018427387903
+
+= QUIC - QuicVarIntField - Out of range
+
+import struct
+from scapy.layers.quic import *
+
+try:
+    pkt = QUIC_Initial(Length=0xFFFFFFFFFFFFFFFF)
+    bytes(pkt)
+    assert False, "QUIC Variable length should fail"
+except struct.error:
+    pass
diff --git a/test/scapy/layers/tls/tls13.uts b/test/scapy/layers/tls/tls13.uts
@@ -1281,7 +1281,7 @@ tp = TLS_Ext_QUICTransportParameters(params=[
 actual = tp.build()
 
 # the expected data is extracted from the ClientHello above
-expect = bytes.fromhex("0039004601015388030145460401409896800501400f42400601400f42400701400f424008014064090140640a01030b01190c000f142173071905d778f98e367b8ad8eeb526484e8f5d")
+expect = bytes.fromhex("0039004601015388030145460401809896800501800f42400601800f42400701800f424008014064090140640a01030b01190c000f142173071905d778f98e367b8ad8eeb526484e8f5d")
 
 assert actual == expect
 
