Why are 14 bytes of random data appended to a raw ethernet frame?

1k views Asked by At

I'm sending a raw Ethernet frame to the loopback interface (Linux ubuntu 4.15.0-34-generic) with the following python code:

from scapy.all import *
pkt = Ether(dst="aa:aa:aa:aa:aa:aa", src="00:ff:00:ff:00:ff", type=0x6666) / ("A"*50)
sendp(pkt, iface="lo")

(We use a custom Ethernet type 0x6666, but using the packet length (50) as specified by the Ethernet II frame format has the same outcome)

I would expect to see a packet of length 14+50=64 bytes on the receiver (or in Wireshark). Instead, I'm seeing a packet of 14+50+14=78 bytes. The content of the added 14 bytes are seemingly random (or likely data from a reused buffer which was not zeroed).

As an example, the following Wireshark outputs are from two consecutive invocations of the code above:

0000 aa aa aa aa aa aa 00 ff 00 ff 00 ff 66 66 41 41 ............ffAA 0010 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0020 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0030 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0040 00 00 00 00 00 00 10 00 00 00 00 00 00 00 ..............

0000 aa aa aa aa aa aa 00 ff 00 ff 00 ff 66 66 41 41 ............ffAA 0010 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0020 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0030 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0040 22 20 68 6f 73 74 6e 61 6d 65 3d 3f 20 61 " hostname=? a

I'm curious why the 14 bytes are added (since the packet is longer than the required 64 bytes for an Ethernet packet it's not a padding issue)? And how it's possible to get rid of the 14 extra bytes in this example?

2

There are 2 answers

1
Neil Hellfeldt On BEST ANSWER

The bellow commit to the kernel is what caused the regression that original poster mentioned.

Description: packet: in packet_snd start writing at link layer allocation

GIT SHA: c6026847a0a1198e4d0b200da6666cb1056b12fe

https://lore.kernel.org/patchwork/patch/899678/

There are a couple options for a solution.

1) Downgrade to 4.15.0-32-generic or before

2) Download source for the current kernel and remove that patch and compile with out it.

3) Report it to the lkml and wait for them to fix it.

The above patch mentioned it is for RAW packets as well but it does not check the size before appending more bytes to see if it needs to append any bytes. minimum total packet size should be 64 bytes.

EDIT: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/packet/af_packet.c?h=v4.19-rc5

shows that the above patch is no longer in the current kernel and kernel.org this is now a ubuntu problem.

EDIT2: ubuntu 4.15.0-36.39 in the git tree no longer has the patch that showed up in 33. so ubuntu should at some point fix this problem.

1
Neil On

I have also seen this 4.15.0-33-generic is where it first showed up.

4.15.0-32-generic does not have the problem and its not specifically, the ethernet driver since I tried a usb ethernet also to make sure.