dns: fix EDNS0ClientSubnet address truncation for non-octet-aligned prefix lengths

When source_plen is set to a value whose ceil(plen/8) byte count exceeds
the number of non-zero bytes in the address (e.g. source_plen=23 for
101.132.0.0), _pack_subnet incorrectly stripped the trailing zero byte,
producing a 2-byte address instead of the required 3 bytes.

Per RFC 7871, the ADDRESS field MUST be truncated to ceil(source_plen/8)
bytes. Fix _pack_subnet to accept an optional plen parameter and apply
RFC-compliant truncation when it is provided. i2m and i2len now pass
pkt.source_plen so the correct byte count is used during packet building.

Fixes: #4942

Author: T3pp31

scapy/layers/dns.py

@@ -558,9 +558,16 @@ def m2i(self, pkt, x):
         x = x[: operator.floordiv(self.af_length, 8)]
         return inet_ntop(self.af_familly, x)
 
-    def _pack_subnet(self, subnet):
-        # type: (bytes) -> bytes
+    def _pack_subnet(self, subnet, plen=None):
+        # type: (bytes, Optional[int]) -> bytes
         packed_subnet = inet_pton(self.af_familly, plain_str(subnet))
+        if plen is not None:
+            # RFC 7871: ADDRESS MUST be truncated to the number of bits
+            # indicated by SOURCE PREFIX-LENGTH, padded with 0 bits to the
+            # end of the last octet needed.  Use ceil(plen / 8) bytes.
+            num_bytes = operator.floordiv(plen + 7, 8)
+            return packed_subnet[:num_bytes]
+        # When prefix length is not known, strip trailing zero bytes.
         for i in list(range(operator.floordiv(self.af_length, 8)))[::-1]:
             if packed_subnet[i] != 0:
                 i += 1
@@ -571,21 +578,23 @@ def i2m(self, pkt, x):
         # type: (Optional[Packet], Optional[Union[str, Net]]) -> bytes
         if x is None:
             return self.af_default
+        plen = getattr(pkt, 'source_plen', None)
         try:
-            return self._pack_subnet(x)
+            return self._pack_subnet(x, plen)
         except (OSError, socket.error):
             pkt.family = 2
-            return ClientSubnetv6("", "")._pack_subnet(x)
+            return ClientSubnetv6("", "")._pack_subnet(x, plen)
 
     def i2len(self, pkt, x):
         # type: (Packet, Any) -> int
         if x is None:
             return 1
+        plen = getattr(pkt, 'source_plen', None)
         try:
-            return len(self._pack_subnet(x))
+            return len(self._pack_subnet(x, plen))
         except (OSError, socket.error):
             pkt.family = 2
-            return len(ClientSubnetv6("", "")._pack_subnet(x))
+            return len(ClientSubnetv6("", "")._pack_subnet(x, plen))
 
 
 class ClientSubnetv6(ClientSubnetv4):

test/scapy/layers/dns_edns0.uts

@@ -154,6 +154,35 @@ assert raw(d) == raw_d
 d = DNSRROPT(raw_d)
 assert EDNS0ClientSubnet in d.rdata[0] and d.rdata[0].family == 2 and d.rdata[0].address == "2001:db8::"
 
+= source_plen with trailing-zero address byte (GH #4942)
+# RFC 7871: ADDRESS must be truncated to ceil(source_plen/8) bytes.
+# For source_plen=23, ceil(23/8)=3 bytes are required even when the
+# 3rd byte is 0x00 (101.132.0.0 -> 0x65 0x84 0x00).
+
+b = EDNS0ClientSubnet(source_plen=23, address='101.132.0.0')
+raw_b = raw(b)
+# optlen must be 7 (4 fixed bytes + 3 address bytes)
+assert raw_b == b'\x00\x08\x00\x07\x00\x01\x17\x00\x65\x84\x00', repr(raw_b)
+
+b2 = EDNS0ClientSubnet(raw_b)
+assert b2.source_plen == 23
+assert b2.address == '101.132.0.0'
+
+= source_plen with non-zero last byte (sanity check)
+# For source_plen=24 on 10.20.30.0, exactly 3 bytes are needed.
+b = EDNS0ClientSubnet(source_plen=24, address='10.20.30.0')
+raw_b = raw(b)
+assert raw_b == b'\x00\x08\x00\x07\x00\x01\x18\x00\x0a\x14\x1e', repr(raw_b)
+b2 = EDNS0ClientSubnet(raw_b)
+assert b2.source_plen == 24
+assert b2.address == '10.20.30.0'
+
+= source_plen=0 produces empty address
+b = EDNS0ClientSubnet(source_plen=0, address='0.0.0.0')
+raw_b = raw(b)
+# optlen == 4 (no address bytes), source_plen=0
+assert raw_b == b'\x00\x08\x00\x04\x00\x01\x00\x00', repr(raw_b)
+
 
 + EDNS0 - Cookie