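#!/usr/local/bin/python3

"""Regress test: send an ICMP echo request as three IP fragments, where the
fragment carrying the datagram head is sent last and its tail completely
overlaps the (dummy) fragment that was queued before it.  How the peer's
reassembly resolved the overlap is judged by the echo reply it sends back.

Exit status:
    0  echo reply carries the original payload
    1  echo reply carries a different payload
    2  no reply within the timeout, or a reply whose ICMP id is not ours
"""

print("ping fragment that overlaps the second fragment with its tail")

# Layout of the three fragments within the datagram (offsets in bytes past
# the IP header, four columns per 8-byte unit).  Top to bottom is the order
# in which they are sent:
#
#   byte:  0   8   16  24
#                  |---|      fragment 1: frag=2, last (no MF), "IJKLMNOP"
#              |XXX|          fragment 2: frag=1, MF, dummy "01234567"
#          |-------|          fragment 3: frag=0, MF, ICMP hdr + "ABCDEFGH"
#
# The head (fragment 3) arrives last and its tail overlaps the dummy
# (fragment 2) entirely.  A reply carrying "ABCDEFGHIJKLMNOP" means the
# stack kept the head's bytes and discarded the dummy.  Overlap resolution
# is security relevant: a middlebox that resolves overlaps differently from
# the end host can be made to inspect different bytes than the host acts on.

import os
import sys
import time

from addr import *
from scapy.all import *

pid = os.getpid()
# The ICMP echo id and the IP id are both derived from our pid, presumably
# so that concurrently running tests neither share a reassembly queue nor
# mis-attribute each other's replies.
eid = pid & 0xffff
fid = pid & 0xffff

payload = b"ABCDEFGHIJKLMNOP"
dummy = b"01234567"

# The complete request.  scapy computes the ICMP checksum over the whole
# payload, so a reassembly that kept the dummy bytes would also fail the
# checksum on the peer and most likely show up below as NO ECHO REPLY
# rather than as a payload mismatch.
packet = IP(src=LOCAL_ADDR, dst=REMOTE_ADDR) / \
    ICMP(type='echo-request', id=eid) / payload
wire = bytes(packet)

# IP fragment offsets (frag=) are in 8-byte units; wire[20:] is everything
# after the 20-byte IP header.  List order is the send order.
frag = [
    # offset 16, final fragment: payload bytes 8..16
    IP(src=LOCAL_ADDR, dst=REMOTE_ADDR, proto=1, id=fid,
       frag=2) / wire[36:44],
    # offset 8, more fragments: dummy data that the head will overlap
    IP(src=LOCAL_ADDR, dst=REMOTE_ADDR, proto=1, id=fid,
       frag=1, flags='MF') / dummy,
    # offset 0, more fragments: ICMP header + payload bytes 0..8 (16 bytes)
    IP(src=LOCAL_ADDR, dst=REMOTE_ADDR, proto=1, id=fid,
       flags='MF') / wire[20:36],
]
eth = [Ether(src=LOCAL_MAC, dst=REMOTE_MAC) / f for f in frag]

# Send from a child so the parent can already be sniffing when the
# fragments go out.  The one-second sleep is all that gives sniff() time to
# start; there is no explicit handshake between the two processes.
if os.fork() == 0:
    time.sleep(1)
    sendp(eth, iface=LOCAL_IF)
    os._exit(0)

ans = sniff(iface=LOCAL_IF, timeout=3, filter=
    "ip and src " + REMOTE_ADDR + " and dst " + LOCAL_ADDR + " and icmp")

for a in ans:
    if not a or a.type != ETH_P_IP:
        continue
    ip = a.payload
    # Only an unfragmented ICMP datagram counts: the reply must come back
    # reassembled into a single packet.
    if ip.proto != 1 or ip.frag != 0 or ip.flags != 0:
        continue
    icmp = ip.payload
    # .get(): an ICMP type scapy has no name for must not raise KeyError.
    if icmptypes.get(icmp.type) != 'echo-reply':
        continue
    reply_id = icmp.id
    print("id=%#x" % (reply_id))
    if reply_id != eid:
        print("WRONG ECHO REPLY ID")
        sys.exit(2)
    # An echo reply without data carries no Raw layer; treat that as an
    # empty payload so it is reported as a mismatch instead of a traceback.
    data = getattr(icmp.payload, "load", b"")
    print("payload=%s" % (data))
    if data == payload:
        sys.exit(0)
    print("PAYLOAD!=%s" % (payload))
    sys.exit(1)

print("NO ECHO REPLY")
sys.exit(2)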