Fix GTP payload length computation (#3822)

Reducing length of 'length' field along with 'ietype' and 'CR_flag+instance'
secdev · Feb 6, 2024 · 18d4c30 · 18d4c30
1 parent a0d2d9d
commit 18d4c30
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/scapy/contrib/gtp.py b/scapy/contrib/gtp.py
@@ -451,7 +451,7 @@ def post_build(self, p, pay):
                 tmp_len = len(p)
                 if isinstance(self.payload, conf.padding_layer):
                     tmp_len += len(self.payload.load)
-                p = p[:1] + struct.pack("!H", tmp_len - 2) + p[3:]
+                p = p[:1] + struct.pack("!H", tmp_len - 4) + p[3:]
         return p + pay
 
 

diff --git a/test/contrib/gtp_v2.uts b/test/contrib/gtp_v2.uts
@@ -16,8 +16,11 @@ gtp.dport == 2123 and gtp.seq == 12345 and gtp.gtp_type == 1 and gtp.T == 0
 = GTPV2CreateSessionRequest, basic instantiation
 gtp = IP() / UDP(dport=2123) / \
     GTPHeader(gtp_type="create_session_req", teid=2807, seq=12345) / \
-    GTPV2CreateSessionRequest()
-gtp.dport == 2123 and gtp.teid == 2807 and gtp.seq == 12345
+    GTPV2CreateSessionRequest(IE_list=[IE_IMSI(IMSI=b'001030000000356'),IE_APN(APN=b'super')])
+
+assert gtp.dport == 2123 and gtp.teid == 2807 and gtp.seq == 12345
+ie = gtp.IE_list[1]
+assert ie.APN == b"super"
 
 = GTPV2EchoRequest, dissection
 h = "333333333333222222222222810080c808004588002937dd0000fd1115490a2a00010a2a0002084b084b00152d0e4001000900000100030001000daa000000003f1f382f"