authorLuca Deri <deri@ntop.org>2016-12-05 13:58:43 +0100
committerLuca Deri <deri@ntop.org>2016-12-05 13:58:43 +0100
commit22ee4392158fcbd94b4f4111832e28503b07e615 (patch)
tree98f4d0486267aacd641b65d94ad2bea0e729c9d2
parent582f5e0f72ec1c2afe0a99333f5b9941f22de659 (diff)
Added memory check in patricia tree
Improved AFP dissection; updated DHCP test results
-rw-r--r--src/lib/protocols/afp.c70
-rw-r--r--src/lib/third_party/src/ndpi_patricia.c2
-rw-r--r--tests/result/1kxun.pcap.out8
-rw-r--r--tests/result/whatsapp_login_call.pcap.out2
-rw-r--r--tests/result/whatsapp_login_chat.pcap.out2
5 files changed, 49 insertions, 35 deletions
diff --git a/src/lib/protocols/afp.c b/src/lib/protocols/afp.c
index 74b98b8d0..1a5914fc9 100644
--- a/src/lib/protocols/afp.c
+++ b/src/lib/protocols/afp.c
@@ -2,7 +2,7 @@
* afp.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-16 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -27,6 +27,12 @@
#ifdef NDPI_PROTOCOL_AFP
+struct afpHeader {
+ u_int8_t flags, command;
+ u_int16_t requestId;
+ u_int32_t dataOffset, length, reserved;
+};
+
static void ndpi_int_afp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AFP, NDPI_PROTOCOL_UNKNOWN);
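Review bot: struct afpHeader is overlaid directly on packet bytes in ndpi_search_afp further down, but nothing here documents that it mirrors the 16-byte DSI header or that its multi-byte fields stay in network byte order. I would add a comment above it, e.g. `/* DSI header as seen on the wire (16 bytes); requestId, dataOffset, length and reserved are in network byte order */`. The overlay also depends on the compiler inserting no padding and on the payload pointer being suitably aligned for u_int32_t, so the comment should state that assumption, or the fields should be read with the existing get_u_int32_t-style accessors instead.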
@@ -36,36 +42,42 @@ static void ndpi_int_afp_add_connection(struct ndpi_detection_module_struct *ndp
void ndpi_search_afp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
- // struct ndpi_id_struct *src = flow->src;
- // struct ndpi_id_struct *dst = flow->dst;
-
- /*
- * this will detect the OpenSession command of the Data Stream Interface (DSI) protocol
- * which is exclusively used by the Apple Filing Protocol (AFP) on TCP/IP networks
- */
- if (packet->payload_packet_len >= 22 && get_u_int16_t(packet->payload, 0) == htons(0x0004) &&
- get_u_int16_t(packet->payload, 2) == htons(0x0001) && get_u_int32_t(packet->payload, 4) == 0 &&
- get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) &&
- get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0104)) {
-
- NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI OpenSession detected.\n");
- ndpi_int_afp_add_connection(ndpi_struct, flow);
- return;
- }
- /*
- * detection of GetStatus command of DSI protocol
- */
- if (packet->payload_packet_len >= 18 && get_u_int16_t(packet->payload, 0) == htons(0x0003) &&
- get_u_int16_t(packet->payload, 2) == htons(0x0001) && get_u_int32_t(packet->payload, 4) == 0 &&
- get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) &&
- get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0f00)) {
-
- NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI GetStatus detected.\n");
- ndpi_int_afp_add_connection(ndpi_struct, flow);
- return;
- }
+ if (packet->payload_packet_len >= sizeof(struct afpHeader)) {
+ struct afpHeader *h = (struct afpHeader*)packet->payload;
+
+ if(packet->payload_packet_len > 128) {
+ /*
+ When we transfer a large data chunk, unless we have observed
+ the initial connection, we need to discard these packets
+ as they are not an indication that this flow is not AFP
+ */
+ return;
+ }
+ /*
+ * this will detect the OpenSession command of the Data Stream Interface (DSI) protocol
+ * which is exclusively used by the Apple Filing Protocol (AFP) on TCP/IP networks
+ */
+ if (packet->payload_packet_len >= 22 && get_u_int16_t(packet->payload, 0) == htons(0x0004) &&
+ get_u_int16_t(packet->payload, 2) == htons(0x0001) && get_u_int32_t(packet->payload, 4) == 0 &&
+ get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) &&
+ get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0104)) {
+
+ NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI OpenSession detected.\n");
+ ndpi_int_afp_add_connection(ndpi_struct, flow);
+ return;
+ }
+
+ if((h->flags <= 1)
+ && ((h->command >= 1) && (h->command <= 8))
+ && (h->reserved == 0)
+ && (packet->payload_packet_len >= (sizeof(struct afpHeader)+ntohl(h->length)))) {
+ NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI detected.\n");
+ ndpi_int_afp_add_connection(ndpi_struct, flow);
+ return;
+ }
+ }
NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP excluded.\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_AFP);
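Review bot: The length test in the generic DSI branch, `packet->payload_packet_len >= (sizeof(struct afpHeader)+ntohl(h->length))`, adds a 32-bit value taken from the packet to `sizeof` before comparing, so on a target where `size_t` is 32 bits a length close to 0xFFFFFFFF wraps the sum to a small number and the test passes. The outer `if` already guarantees at least one header's worth of payload, so comparing the other way round avoids the wrap: `&& (ntohl(h->length) <= (packet->payload_packet_len - sizeof(struct afpHeader)))`. The remaining conditions (flags <= 1, command 1..8, reserved == 0) look loose enough that unrelated traffic could be labelled AFP; a tighter test, such as the exact length equality the OpenSession check uses, would reduce misclassification. The body of ndpi_search_afp ends outside this hunk.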
diff --git a/src/lib/third_party/src/ndpi_patricia.c b/src/lib/third_party/src/ndpi_patricia.c
index aa750bebc..c9c052314 100644
--- a/src/lib/third_party/src/ndpi_patricia.c
+++ b/src/lib/third_party/src/ndpi_patricia.c
@@ -821,6 +821,8 @@ ndpi_patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
}
else {
glue = (patricia_node_t*)ndpi_calloc(1, sizeof *glue);
+
+ if(!glue) return(NULL);
glue->bit = differ_bit;
glue->prefix = NULL;
glue->parent = node->parent;
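Review bot: The new `if(!glue) return(NULL);` returns from the middle of the insertion path without undoing anything done earlier in ndpi_patricia_lookup, which starts and ends outside this hunk. If the function has already allocated the node for the new prefix or updated the tree's node count by this point (not visible here), that node is leaked and the count is left off by one on this path. I would release the earlier allocation and roll back any counter before returning, and confirm that callers treat a NULL result as an allocation failure rather than dereferencing it.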
diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out
index 9b9c87039..4a715d515 100644
--- a/tests/result/1kxun.pcap.out
+++ b/tests/result/1kxun.pcap.out
@@ -36,7 +36,7 @@ Lync 2 132 1
19 UDP [fe80::4568:efbc:40b1:1346]:5355 <-> [ff02::1:3]:57148 [proto: 154/LLMNR][2 pkts/176 bytes][Host: kevin-pc]
20 UDP 192.168.3.95:51451 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/144 bytes][Host: 小佛專機]
21 UDP 192.168.5.44:51389 <-> 239.255.255.250:1900 [proto: 12/SSDP][13 pkts/2275 bytes]
- 22 UDP 192.168.119.1:67 <-> 192.168.5.16:68 [proto: 18/DHCP][4 pkts/1368 bytes]
+ 22 UDP 192.168.119.1:67 <-> 192.168.5.16:68 [proto: 18/DHCP][4 pkts/1368 bytes][Host: macbook-air]
23 UDP 192.168.5.41:55593 <-> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/68 bytes][Host: kevin-pc]
24 UDP 192.168.101.33:55485 <-> 239.255.255.250:1900 [proto: 12/SSDP][10 pkts/1750 bytes]
25 UDP 192.168.3.236:56043 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/132 bytes][Host: isatap]
@@ -68,7 +68,7 @@ Lync 2 132 1
51 TCP 192.168.115.8:49606 <-> 106.185.35.110:80 [proto: 7.218/HTTP.1kxun][50 pkts/35747 bytes][Host: jp.kankan.1kxun.mobi]
52 UDP [fe80::f65c:89ff:fe89:e607]:547 <-> [ff02::1:2]:546 [proto: 103/DHCPV6][1 pkts/98 bytes]
53 UDP [fe80::e98f:bae2:19f7:6b0f]:5355 <-> [ff02::1:3]:58779 [proto: 154/LLMNR][2 pkts/184 bytes][Host: 小佛專機]
- 54 UDP 0.0.0.0:68 <-> 255.255.255.255:67 [proto: 18/DHCP][4 pkts/1368 bytes]
+ 54 UDP 0.0.0.0:68 <-> 255.255.255.255:67 [proto: 18/DHCP][4 pkts/1368 bytes][Host: shen]
55 UDP 59.120.208.218:50151 <-> 255.255.255.255:1947 [proto: 218/1kxun][2 pkts/164 bytes]
56 UDP [fe80::5d92:62a8:ebde:1319]:5355 <-> [ff02::1:3]:49735 [proto: 154/LLMNR][2 pkts/178 bytes][Host: wangs-ltw]
57 TCP 192.168.115.8:49612 <-> 183.131.48.145:80 [proto: 218/1kxun][14 pkts/2295 bytes][Host: 183.131.48.145]
@@ -122,8 +122,8 @@ Lync 2 132 1
105 UDP 192.168.3.236:65496 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes][Host: wangs-ltw]
106 TCP 192.168.115.8:49581 <-> 64.233.189.128:80 [proto: 7/HTTP][3 pkts/176 bytes]
107 UDP 192.168.119.1:67 <-> 255.255.255.255:68 [proto: 18/DHCP][14 pkts/4788 bytes]
- 108 UDP 192.168.5.9:68 <-> 255.255.255.255:67 [proto: 18/DHCP][1 pkts/342 bytes]
- 109 UDP 192.168.5.41:68 <-> 255.255.255.255:67 [proto: 18/DHCP][1 pkts/342 bytes]
+ 108 UDP 192.168.5.9:68 <-> 255.255.255.255:67 [proto: 18/DHCP][1 pkts/342 bytes][Host: joanna-pc]
+ 109 UDP 192.168.5.41:68 <-> 255.255.255.255:67 [proto: 18/DHCP][1 pkts/342 bytes][Host: kevin-pc]
110 UDP [fe80::beee:7bff:fe0c:b3de]:547 <-> [ff02::1:2]:546 [proto: 103/DHCPV6][4 pkts/392 bytes]
111 UDP [fe80::e034:7be:d8f9:6197]:5355 <-> [ff02::1:3]:62756 [proto: 154/LLMNR][1 pkts/91 bytes][Host: charming-pc]
112 UDP 59.120.208.212:32768 <-> 255.255.255.255:1947 [proto: 218/1kxun][1 pkts/82 bytes]
diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out
index 5cb93061d..6ac5f31b9 100644
--- a/tests/result/whatsapp_login_call.pcap.out
+++ b/tests/result/whatsapp_login_call.pcap.out
@@ -44,7 +44,7 @@ WhatsAppVoice 706 91156 4
30 UDP 192.168.2.4:52794 <-> 31.13.79.192:3478 [proto: 78.119/STUN.Facebook][5 pkts/676 bytes]
31 TCP 192.168.2.4:49173 <-> 93.186.135.82:80 [proto: 7/HTTP][3 pkts/198 bytes]
32 TCP 192.168.2.4:49194 <-> 93.62.150.157:443 [proto: 91/SSL][3 pkts/198 bytes]
- 33 UDP 0.0.0.0:68 <-> 255.255.255.255:67 [proto: 18/DHCP][10 pkts/3420 bytes]
+ 33 UDP 0.0.0.0:68 <-> 255.255.255.255:67 [proto: 18/DHCP][10 pkts/3420 bytes][Host: lucas-imac]
34 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 189/WhatsAppVoice][464 pkts/52920 bytes]
35 TCP 192.168.2.4:49202 <-> 184.173.179.37:5222 [proto: 142/WhatsApp][180 pkts/24874 bytes]
36 UDP 192.168.2.1:57621 <-> 192.168.2.255:57621 [proto: 156/Spotify][3 pkts/258 bytes]
diff --git a/tests/result/whatsapp_login_chat.pcap.out b/tests/result/whatsapp_login_chat.pcap.out
index 13c56555a..6f873ed4a 100644
--- a/tests/result/whatsapp_login_chat.pcap.out
+++ b/tests/result/whatsapp_login_chat.pcap.out
@@ -9,7 +9,7 @@ Spotify 1 86 1
2 UDP [fe80::189c:c31b:1298:224]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][1 pkts/111 bytes]
3 UDP 192.168.2.1:53 <-> 192.168.2.4:61697 [proto: 5.142/DNS.WhatsApp][2 pkts/280 bytes][Host: e12.whatsapp.net]
4 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][44 pkts/21371 bytes]
- 5 UDP 0.0.0.0:68 <-> 255.255.255.255:67 [proto: 18/DHCP][6 pkts/2052 bytes]
+ 5 UDP 0.0.0.0:68 <-> 255.255.255.255:67 [proto: 18/DHCP][6 pkts/2052 bytes][Host: lucas-imac]
6 TCP 192.168.2.4:49206 <-> 158.85.58.15:5222 [proto: 142/WhatsApp][30 pkts/2963 bytes]
7 UDP 192.168.2.1:57621 <-> 192.168.2.255:57621 [proto: 156/Spotify][1 pkts/86 bytes]
8 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 140/Apple][6 pkts/2095 bytes]