mistaken msglen in MQTTPublish message

[ZodiacLyu]

Brief description

I noticed that the StrLenField of value in MQTTPublish packets is defined as

StrLenField("value", "",
                    length_from=lambda pkt: (pkt.underlayer.len -
                                             pkt.length - 2)),

However, if the QoS of the publish message is 1 or 2, because of the field of msgid, I guess it should be pkt.underlayer.len - pkt.length - 4, as I met this problem when I was trying to parse a packet that contains two MQTT Publish messages.

I tried to fix it with codes as followed. Perhaps it could help.

StrLenField("value", "",
                    length_from=lambda pkt: pkt.underlayer.len -pkt.length - 2 if pkt.underlayer.QOS == 0 
                                            else pkt.underlayer.len -pkt.length - 4)

Scapy version

2.4.5

Python version

3.8

Operating system

Win11

Additional environment information

No response

How to reproduce

Sniff a packet with two MQTT Publish messages......

Actual result

No response

Expected result

No response

Related resources

No response

[guedou]

Could you share a packet that triggers this behavior?

[ZodiacLyu]

Could you share a packet that triggers this behavior?

If a client disconnects to the MQTT broker with unacknowledged PUBLISH messages and connects to the broker with CLEANSESSION=0, the broker will send the duplicate PUBLISH messages at the same time, which will be packaged in a single TCP packet.
I tried to simulate such packet with the codes below:

p1 = MQTT(
            QOS=1
        ) / MQTTPublish(
            topic=topicC,
            msgid=1234,
            value="msg1"
        )
p2 = MQTT(
            QOS=1
        ) / MQTTPublish(
            topic=topicC,
            msgid=1235,
            value="msg2"
        )
socket.send(raw(p1)+raw(p2))

And then I use sniff() function to capture the packet:

The first 2 bytes of p2 are charged into publish value of p1.