
Fuzzing empty data creates an arbitrary number of bytes

Open GCHQDeveloper147 opened this issue 1 year ago • 0 comments

Brief description

Calling fuzz() on a 0-byte Raw data item creates a value that is no longer 0 bytes long - from experimentation, it can be at least 1100 bytes. This occurs regardless of whether the Raw is on its own or as part of a larger packet.

Scapy version

2.5.0

Python version

3.9.16

Operating system

CentOS Stream 8

Additional environment information

No response

How to reproduce

from scapy.all import Ether, IP, Raw, RandString, fuzz

# Case 1: a non-empty Raw load keeps its length after fuzz()
dat = Raw(RandString(size=10))
df = bytes(fuzz(dat))
print(f"Non-empty: initial data = {len(dat)}B, fuzzed = {len(df)}B")

# Case 2: an empty Raw load no longer has length 0 after fuzz()
dat2 = Raw(RandString(size=0))
df2 = bytes(fuzz(dat2))
print(f"Empty: initial data = {len(dat2)}B, fuzzed = {len(df2)}B")

# Case 3: same behaviour when the empty Raw sits behind Ether/IP headers
pkt_ether = Ether()/IP()
pkt_raw = Raw(RandString(size=0))
pkt_packet = pkt_ether/pkt_raw
pkt_fuzz = bytes(fuzz(pkt_packet))
print(f"Full packet: ethernet/IP header = {len(pkt_ether)}B, raw data = {len(pkt_raw)}B, fuzzed = {len(pkt_fuzz)}B")

Actual result

# > Non-empty: initial data = 10B, fuzzed = 10B
# > Empty: initial data = 0B, fuzzed = 567B
# > Full packet: ethernet/IP header = 34B, raw data = 0B, fuzzed = 327B

Expected result

In the case of non-empty values, fuzz maintains the input length. This should presumably also be the case if we have 0B to fuzz, e.g.:

# > Non-empty: initial data = 10B, fuzzed = 10B
# > Empty: initial data = 0B, fuzzed = 0B
# > Full packet: ethernet/IP header = 34B, raw data = 0B, fuzzed = 34B

Related resources

No response

GCHQDeveloper147 · Aug 02 '23 12:08