calling getlayer() on packet with SSRR option in ip layer can override ip address in this packet #4174
Description
Brief description
Seems that when getlayer() is called on a sub-layer, the sub-layer is copied, but it keeps referencing the original upper layer object, which is modified by the in4_pseudoheader() function:
(this may also apply to ipv6)
Scapy version
2.5.0
Python version
3.6.9
Operating system
Linux 5.4.0-150-generic
Additional environment information
No response
How to reproduce
#!/usr/bin/env python3
from scapy.all import *
p = Ether(src="de:ad:be:ef:aa:55", dst="ca:fe:00:00:00:00")/IP(src="20.0.0.1",dst="100.0.0.1")/ \
IP(src="20.0.0.1",dst="100.0.0.1", options=[IPOption_SSRR(copy_flag=1, pointer=4, routers=["1.1.1.1", "8.8.8.8"])])/ \
UDP(sport=1111, dport=2222) / VXLAN() / \
Ether(src="de:ad:be:ef:aa:55", dst="ca:fe:00:00:00:00")/IP(src="20.0.0.1",dst="100.0.0.1") / \
TCP()
print("=" * 80)
p.getlayer(2).show()
print("-" * 80)
print("len:", len(p.getlayer(4))) # Here the DST address is corrupted
print("-" * 80)
p.getlayer(2).show()
print("=" * 80)
Actual result
###[ IP ]###
version = 4
ihl = None
tos = 0x0
len = None
id = 1
flags =
frag = 0
ttl = 64
proto = udp
chksum = None
src = 20.0.0.1
dst = 8.8.8.8
\options \
|###[ IP Option Strict Source and Record Route ]###
| copy_flag = 1
| optclass = control
| option = strict_source_route
| length = None
| pointer = 4
| routers = [1.1.1.1, 8.8.8.8]
###[ UDP ]###
sport = 1111
dport = 2222
len = None
chksum = None
Expected result
###[ IP ]###
version = 4
ihl = None
tos = 0x0
len = None
id = 1
flags =
frag = 0
ttl = 64
proto = udp
chksum = None
src = 20.0.0.1
dst = 100.0.0.1
\options \
|###[ IP Option Strict Source and Record Route ]###
| copy_flag = 1
| optclass = control
| option = strict_source_route
| length = None
| pointer = 4
| routers = [1.1.1.1, 8.8.8.8]
###[ UDP ]###
sport = 1111
dport = 2222
len = None
chksum = None
Related resources
No response