Fix bug if DNS compression gives an offset of exactly 46 (secdev#4688)

* Remove orb() usage

* Fix bug if DNS pointer was exactly 46

Author: gpotter2

scapy/layers/dns.py

@@ -29,7 +29,7 @@
 from scapy.ansmachine import AnsweringMachine
 from scapy.base_classes import Net, ScopedIP
 from scapy.config import conf
-from scapy.compat import orb, raw, chb, bytes_encode, plain_str
+from scapy.compat import raw, chb, bytes_encode, plain_str
 from scapy.error import log_runtime, warning, Scapy_Exception
 from scapy.packet import Packet, bind_layers, Raw
 from scapy.fields import (
@@ -199,9 +199,12 @@ def dns_get_str(s, full=None, _ignore_compression=False):
 
 
 def _is_ptr(x):
-    return b"." not in x and (
-        (x and orb(x[-1]) == 0) or
-        (len(x) >= 2 and (orb(x[-2]) & 0xc0) == 0xc0)
+    """
+    Heuristic to guess if bytes are an encoded DNS pointer.
+    """
+    return (
+        (x and x[-1] == 0) or
+        (len(x) >= 2 and (x[-2] & 0xc0) == 0xc0)
     )
 
 
@@ -396,7 +399,7 @@ def m2i(self, pkt, s):
         # RDATA contains a list of strings, each are prepended with
         # a byte containing the size of the following string.
         while tmp_s:
-            tmp_len = orb(tmp_s[0]) + 1
+            tmp_len = tmp_s[0] + 1
             if tmp_len > len(tmp_s):
                 log_runtime.info(
                     "DNS RR TXT prematured end of character-string "
@@ -559,7 +562,7 @@ def _pack_subnet(self, subnet):
         # type: (bytes) -> bytes
         packed_subnet = inet_pton(self.af_familly, plain_str(subnet))
         for i in list(range(operator.floordiv(self.af_length, 8)))[::-1]:
-            if orb(packed_subnet[i]) != 0:
+            if packed_subnet[i] != 0:
                 i += 1
                 break
         return packed_subnet[:i]
@@ -699,9 +702,9 @@ def bitmap2RRlist(bitmap):
             log_runtime.info("bitmap too short (%i)", len(bitmap))
             return
 
-        window_block = orb(bitmap[0])  # window number
+        window_block = bitmap[0]  # window number
         offset = 256 * window_block  # offset of the Resource Record
-        bitmap_len = orb(bitmap[1])  # length of the bitmap in bytes
+        bitmap_len = bitmap[1]  # length of the bitmap in bytes
 
         if bitmap_len <= 0 or bitmap_len > 32:
             log_runtime.info("bitmap length is no valid (%i)", bitmap_len)
@@ -713,7 +716,7 @@ def bitmap2RRlist(bitmap):
         for b in range(len(tmp_bitmap)):
             v = 128
             for i in range(8):
-                if orb(tmp_bitmap[b]) & v:
+                if tmp_bitmap[b] & v:
                     # each of the RR is encoded as a bit
                     RRlist += [offset + b * 8 + i]
                 v = v >> 1

test/scapy/layers/dns.uts

@@ -440,7 +440,15 @@ data = b'\xac\x81\x81\x80\x00\x01\x00\x06\x00\r\x00\x00\x04mqtt\x0bweatherflow\x
 
 p = DNS(data)
 cmp = p.compress()
-assert len(cmp) == len(data)
+assert bytes(cmp) == data
+
+= DNS - dns_compress with pointer b'\xc0.'
+
+data = b'\x00\x02\x81\x00\x00\x01\x00\x03\x00\x00\x00\x00\x05forms\x06office\x03com\x00\x00\x01\x00\x01\xc0\x0c\x00\x05\x00\x01\x00\x00\x01\x1b\x00&\x05forms\x06office\x03com\x06b-0039\x08b-msedge\x03net\x00\xc0.\x00\x05\x00\x01\x00\x00\x00\xdf\x00\x02\xc0?\xc0?\x00\x01\x00\x01\x00\x00\x00\xdf\x00\x04\rk\x06\xc2'
+
+p = DNS(data)
+cmp = p.compress()
+assert bytes(cmp) == data
 
 = DNS - dns_encode edge cases