Some 802.11 Control Frames do not have the correct number of address fields in their MAC header.

[wfast01]

Brief description

802.11 Control frame (type 1) subtypes 4, 5, and 6 (Beam Forming Report Poll, VHT NDP Announcement, and Control Frame Extension) are not generated with the correct number of address fields in their MAC header. These subtypes (per the 802.11 2016 specification) should all have both Address 1 and Address 2 fields present. For the case of the DMG DTS control frame (type 1, subtype 6, control frame extension 6) Address 1, Address 2, and Address 3 fields should be present. Currently SCAPY generates all of these frame types with only the Address 1 field present.

The script to generate this issue, its output to console (show()), and the generated pcap file are attached in a zip file.
missing_addr.zip

Scapy version

2.4.5

Python version

3.8.10

Operating system

Ubuntu 20.04.5 LTS

Additional environment information

No response

How to reproduce

Run the following script to produce the issue (python3 -c “import missing_addr; missing_addr.missing_addr()”). This script generates "Beam Forming Report Poll" and "VHT NDP Announcement" control frames. Although the addr2 field is supplied, the output pcap files are malformed because of the missing addr2 field.

Actual result

The output of the pkt.show() in the missing_addr.py script outputs the "Beam Forming Report Poll" and "VHT NDP Announcement" control frames generated without addr2 even though it was supplied to Dot11.

The pcap file confirms that the frames are malformed and missing addr2.

Expected result

802.11 Control frame (type 1) subtypes 4, 5, and 6 (Beam Forming Report Poll, VHT NDP Announcement, and Control Frame Extension) should all have both Address 1 and Address 2 fields present. For the case of the DMG DTS control frame (type 1, subtype 6, control frame extension 6) Address 1, Address 2, and Address 3 fields should be present.

The issue seems to be in the SCAPY Dot11 class between lines 711 and 727. Lines 715-716 limits the Address 2 field to packets in type 1 (control frame) subtype 8,9,10,11,14, and 15 - the subtypes should be expanded to include subtypes 4, 5, and 6. Line 720 limits the address 3 field to types 0 and 2 – this should be expanded to include type 1, subtype 6, control frame extension 6 (DMG DTS).

Related resources

Here are the 802.11 2016 references to the frame format and associated address fields for the control frames mentioned above.

[stryngs]

You've just solved or explain a related "bug" for me @wfast01 -- #3793. Good job! Curious where this goes.

Highly important these changes follow IEEE specs to a T in these regards.

[stryngs]

@wfast01 Are you going to submit a PR?

[wfast01]

Yes. It may take a few days due to my end-of-the-year workload. Currently I am putting together a test harness that generates each of the 802.11 2016 frames listed in Table 9-1 so I can verify the number of address fields, their content, and their placement in the MAC header.