From 0c923da588ad6b0655df8d4b4aa71bab3b4a6fa5 Mon Sep 17 00:00:00 2001
From: Sergio de Paula
Date: Mon, 8 Jan 2024 02:37:10 -0300
Subject: [PATCH] [RF4CE] Fix for RF4CE NWK heuristics
RF4CE NWK heuristics should not attempt to verify the command ID from a command frame type when security is enabled, since in such case the command ID will be encrypted
---
 epan/dissectors/packet-rf4ce-nwk.c | 34 ++++++++++++++++++------------
 1 file changed, 20 insertions(+), 14 deletions(-)
diff --git a/epan/dissectors/packet-rf4ce-nwk.c b/epan/dissectors/packet-rf4ce-nwk.c
index 3fc85ebe5c..a3883246ea 100644
--- a/epan/dissectors/packet-rf4ce-nwk.c
+++ b/epan/dissectors/packet-rf4ce-nwk.c
@@ -628,6 +628,7 @@ static gboolean dissect_rf4ce_nwk_heur(tvbuff_t *tvb, packet_info *pinfo, proto_
 guint length = tvb_captured_length(tvb);
 guint8 fcf;
 guint8 frame_type;
+ guint8 security_enabled;
 guint8 reserved;
 guint8 profile_id;
 guint16 vendor_id;
@@ -641,6 +642,7 @@ static gboolean dissect_rf4ce_nwk_heur(tvbuff_t *tvb, packet_info *pinfo, proto_
 }
 fcf = tvb_get_guint8(tvb, 0);
 frame_type = fcf & RF4CE_NWK_FCF_FRAME_TYPE_MASK;
+ security_enabled = fcf & RF4CE_NWK_FCF_SECURITY_MASK;
 reserved = (fcf & RF4CE_NWK_FCF_RESERVED_MASK) >> 5;
 switch (frame_type)
@@ -703,22 +705,26 @@ static gboolean dissect_rf4ce_nwk_heur(tvbuff_t *tvb, packet_info *pinfo, proto_
 {
 return FALSE;
 }
- command_id = tvb_get_guint8(tvb, 5);
- switch (command_id)
+ /* If security is enabled, the command ID will be encrypted */
+ if (!security_enabled)
 {
- case RF4CE_NWK_CMD_DISCOVERY_REQ:
- case RF4CE_NWK_CMD_DISCOVERY_RSP:
- case RF4CE_NWK_CMD_PAIR_REQ:
- case RF4CE_NWK_CMD_PAIR_RSP:
- case RF4CE_NWK_CMD_UNPAIR_REQ:
- case RF4CE_NWK_CMD_KEY_SEED:
- case RF4CE_NWK_CMD_PING_REQ:
- case RF4CE_NWK_CMD_PING_RSP:
- /* Allowed command IDs */
- break;
+ command_id = tvb_get_guint8(tvb, 5);
+ switch (command_id)
+ {
+ case RF4CE_NWK_CMD_DISCOVERY_REQ:
+ case RF4CE_NWK_CMD_DISCOVERY_RSP:
+ case RF4CE_NWK_CMD_PAIR_REQ:
+ case RF4CE_NWK_CMD_PAIR_RSP:
+ case RF4CE_NWK_CMD_UNPAIR_REQ:
+ case RF4CE_NWK_CMD_KEY_SEED:
+ case RF4CE_NWK_CMD_PING_REQ:
+ case RF4CE_NWK_CMD_PING_RSP:
+ /* Allowed command IDs */
+ break;
- default:
- return FALSE;
+ default:
+ return FALSE;
+ }
 }
 }
 col_set_str(pinfo->cinfo, COL_PROTOCOL, "RF4CE NWK");
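Review bot: Once the security bit is set, the new `if (!security_enabled)` guard skips the only command-specific test in this branch, so every frame that passes the earlier header checks and carries that bit is accepted as an RF4CE NWK command frame. The bit comes from the first byte of the candidate frame (`fcf = tvb_get_guint8(tvb, 0)`), so the heuristic is now noticeably more permissive for arbitrary payloads and may hand them to the full dissector. Consider compensating with a test on cleartext data for the secured case, for example requiring the captured length to cover the header, at least one byte of encrypted payload and the trailing integrity code before accepting the frame; the checks between the hunks are not visible here, so this may already be covered. It would also help to extend the comment to `/* If security is enabled, the command ID is encrypted and cannot be validated; only the cleartext header checks apply */`.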