Fix BLE ACL fragmented packet reassembly #34

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 21 additions & 21 deletions mirage/libs/ble.py
Expand Up @@ -899,30 +899,30 @@ def convert(self,packet):
if "hci" in self.interface or "adb" in self.interface:
#packet.show()

# Here, we have a start of fragmented HCI packet (L2CAP length > HCI length)
if packet.type == TYPE_ACL_DATA and packet.PB == 2 and L2CAP_Hdr in packet and packet[L2CAP_Hdr].len > packet[HCI_ACL_Hdr].len:
# store it in the buffer
self.fragmentBuffer = raw(packet)
self.fragmentTotalSize = packet[L2CAP_Hdr].len
# don't return it now, it's not ready
return None

# Here, we have the next fragment (PB = 1)
if packet.type == TYPE_ACL_DATA and packet.PB == 1 and L2CAP_Hdr in packet and len(self.fragmentBuffer) > 0:
# We create the scapy packet before the last fragment
previousPacket = HCI_Hdr(self.fragmentBuffer)
# We concatenate it to the previous fragments
self.fragmentBuffer += raw(packet[L2CAP_Hdr:])
# If we have received all fragments
if len(raw(previousPacket[L2CAP_Hdr:][1:])) + len(raw(packet[L2CAP_Hdr:])) == self.fragmentTotalSize:
# We create the full packet and the execution flow continues to dissect it
packet = HCI_Hdr(self.fragmentBuffer)
new.packet = packet
else:
if packet.type == TYPE_ACL_DATA:
# Here, we have a start of fragmented HCI packet (L2CAP length > HCI length)
if packet.PB == 2 and L2CAP_Hdr in packet and packet[L2CAP_Hdr].len > packet[HCI_ACL_Hdr].len:
# store it in the buffer
self.fragmentBuffer = raw(packet)
self.fragmentTotalSize = packet[L2CAP_Hdr].len
# don't return it now, it's not ready
return None

if packet.type == TYPE_ACL_DATA:
# Here, we have the next fragment (PB = 1)
if packet.PB == 1 and len(self.fragmentBuffer) > 0:
# We create the scapy packet before the last fragment
previousPacket = HCI_Hdr(self.fragmentBuffer)
# We concatenate it to the previous fragments
self.fragmentBuffer += raw(packet[HCI_ACL_Hdr:][1:])
# If we have received all fragments
if len(raw(previousPacket[L2CAP_Hdr:][1:])) + len(raw(packet[HCI_ACL_Hdr:][1:])) == self.fragmentTotalSize:
# We create the full packet and the execution flow continues to dissect it
packet = HCI_Hdr(self.fragmentBuffer)
new.packet = packet
else:
# don't return it now, it's not ready
return None

if ATT_Exchange_MTU_Request in packet:
return BLEExchangeMTURequest(
mtu = packet[ATT_Exchange_MTU_Request].mtu,
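Review bot: Once reassembly completes at `packet = HCI_Hdr(self.fragmentBuffer)` / `new.packet = packet`, neither `self.fragmentBuffer` nor `self.fragmentTotalSize` is cleared, so the next PB == 1 fragment still passes `len(self.fragmentBuffer) > 0`, is appended to the already-complete buffer, and for any non-empty fragment the `== self.fragmentTotalSize` comparison can no longer be true, sending every later continuation fragment into the `return None` branch. The same stale state means a start fragment whose remainder never arrives lets the buffer keep growing on each subsequent PB == 1 fragment with no upper bound, and the length that drives this (`packet[L2CAP_Hdr].len`) is supplied by the remote device. I would reset the state after `new.packet = packet` with `self.fragmentBuffer = b""` and `self.fragmentTotalSize = 0`, and treat an accumulated length greater than `self.fragmentTotalSize` as a resync condition that discards the buffer instead of waiting for an equality that cannot occur. The two consecutive `if packet.type == TYPE_ACL_DATA:` guards could also be merged into a single block. The body of convert() starts and ends outside this hunk, and how fragmentBuffer is initialised (presumably an empty bytes value in __init__) is not visible here.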