author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-07-12 14:22:25 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-07-12 14:22:25 +0200 |
commit | c3ba65311e2cf4aba8b51cdb6800a5654ef1d060 (patch) | |
tree | 7f0aa30fc4ab1d0aaec75f08b84cb7f3705d29fa | |
parent | 456f0fd4279ae727831a80c506a343b8a9aedd90 (diff) |
fuzzing: improve coverage (#2495)
Fix detection of WebDAV and Gnutella (over HTTP)
Fix detection of z3950
Add two fuzzers to test `ndpi_memmem()` and `ndpi_strnstr()`
Remove some dead code:
* RTP: the same exact check is performed at the very beginning of the
function
* MQTT: use a better helper to exclude the protocol
* Collectd: `ndpi_hostname_sni_set()` never fails
Update pl7m code (fix a Use-of-uninitialized-value error)
-rw-r--r-- | .gitignore | 2 | ||||
-rw-r--r-- | fuzz/Makefile.am | 28 | ||||
-rw-r--r-- | fuzz/fuzz_alg_memmem.cpp | 35 | ||||
-rw-r--r-- | fuzz/fuzz_alg_strnstr.cpp | 18 | ||||
-rw-r--r-- | fuzz/fuzz_ds_domain_classify.cpp | 3 | ||||
-rw-r--r-- | src/include/ndpi_private.h | 2 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 6 | ||||
-rw-r--r-- | src/lib/protocols/collectd.c | 15 | ||||
-rw-r--r-- | src/lib/protocols/gnutella.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 8 | ||||
-rw-r--r-- | src/lib/protocols/mqtt.c | 36 | ||||
-rw-r--r-- | src/lib/protocols/rtp.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/ssh.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/z3950.c | 2 | ||||
-rw-r--r-- | src/lib/third_party/src/fuzz/pl7m.c | 2 | ||||
-rw-r--r-- | tests/cfgs/default/pcap/ssh.pcap | bin | 39698 -> 55168 bytes | |||
-rw-r--r-- | tests/cfgs/default/pcap/webdav.pcap | bin | 2990 -> 25312 bytes | |||
-rw-r--r-- | tests/cfgs/default/result/ssh.pcap.out | 13 | ||||
-rw-r--r-- | tests/cfgs/default/result/webdav.pcap.out | 25 |
19 files changed, 142 insertions, 63 deletions
diff --git a/.gitignore b/.gitignore
index 215324462..924f902b1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -62,6 +62,8 @@
 /fuzz/fuzz_alg_ses_des
 /fuzz/fuzz_alg_bytestream
 /fuzz/fuzz_alg_shoco
+/fuzz/fuzz_alg_memmem
+/fuzz/fuzz_alg_strnstr
 /fuzz/fuzz_config
 /fuzz/fuzz_community_id
 /fuzz/fuzz_serialization
diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
index 655a88cf2..2c7b227b5 100644
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@@ -1,6 +1,6 @@
 bin_PROGRAMS = fuzz_process_packet fuzz_ndpi_reader fuzz_ndpi_reader_alloc_fail fuzz_ndpi_reader_payload_analyzer fuzz_quic_get_crypto_data fuzz_config fuzz_community_id fuzz_serialization fuzz_tls_certificate fuzz_dga fuzz_is_stun_udp fuzz_is_stun_tcp
 #Alghoritms
-bin_PROGRAMS += fuzz_alg_bins fuzz_alg_hll fuzz_alg_hw_rsi_outliers_da fuzz_alg_jitter fuzz_alg_ses_des fuzz_alg_crc32_md5 fuzz_alg_bytestream fuzz_alg_shoco
+bin_PROGRAMS += fuzz_alg_bins fuzz_alg_hll fuzz_alg_hw_rsi_outliers_da fuzz_alg_jitter fuzz_alg_ses_des fuzz_alg_crc32_md5 fuzz_alg_bytestream fuzz_alg_shoco fuzz_alg_memmem fuzz_alg_strnstr
 #Data structures
 bin_PROGRAMS += fuzz_ds_patricia fuzz_ds_ahocorasick fuzz_ds_libcache fuzz_ds_tree fuzz_ds_ptree fuzz_ds_hash fuzz_ds_cmsketch fuzz_ds_bitmap64_fuse fuzz_ds_domain_classify
 #Third party
@@ -223,6 +223,32 @@ fuzz_alg_shoco_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
 $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
 $(fuzz_alg_shoco_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
 
+fuzz_alg_memmem_SOURCES = fuzz_alg_memmem.cpp
+fuzz_alg_memmem_CXXFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
+fuzz_alg_memmem_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS)
+fuzz_alg_memmem_LDFLAGS = $(LIBS)
+if HAS_FUZZLDFLAGS
+fuzz_alg_memmem_CXXFLAGS += $(LIB_FUZZING_ENGINE)
+fuzz_alg_memmem_LDFLAGS += $(LIB_FUZZING_ENGINE)
+endif
+# force usage of CXX for linker
+fuzz_alg_memmem_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
+ $(fuzz_alg_memmem_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
+
+fuzz_alg_strnstr_SOURCES = fuzz_alg_strnstr.cpp
+fuzz_alg_strnstr_CXXFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
+fuzz_alg_strnstr_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS)
+fuzz_alg_strnstr_LDFLAGS = $(LIBS)
+if HAS_FUZZLDFLAGS
+fuzz_alg_strnstr_CXXFLAGS += $(LIB_FUZZING_ENGINE)
+fuzz_alg_strnstr_LDFLAGS += $(LIB_FUZZING_ENGINE)
+endif
+# force usage of CXX for linker
+fuzz_alg_strnstr_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
+ $(fuzz_alg_strnstr_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
+
 fuzz_alg_ses_des_SOURCES = fuzz_alg_ses_des.cpp fuzz_common_code.c
 fuzz_alg_ses_des_CXXFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
 fuzz_alg_ses_des_CFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
diff --git a/fuzz/fuzz_alg_memmem.cpp b/fuzz/fuzz_alg_memmem.cpp
new file mode 100644
index 000000000..c8e1e1661
--- /dev/null
+++ b/fuzz/fuzz_alg_memmem.cpp
@@ -0,0 +1,35 @@
+#include "ndpi_api.h"
+
+#include "fuzzer/FuzzedDataProvider.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ FuzzedDataProvider fuzzed_data(data, size);
+ char dst[256];
+ uint8_t *h;
+ int h_len, needle_len = 0, needle_start = 0;
+
+ /* No real memory allocations involved */
+
+ /* 1: needle is a subset of haystack */
+
+ std::vector<uint8_t>haystack = fuzzed_data.ConsumeBytes<uint8_t>(512);
+ h = haystack.data();
+ h_len = haystack.size();
+
+ if(h_len > 1) {
+ needle_start = fuzzed_data.ConsumeIntegralInRange(0, h_len - 1);
+ needle_len = fuzzed_data.ConsumeIntegralInRange(0, h_len - needle_start - 1);
+ }
+ ndpi_memmem(h, h_len, &h[needle_start], needle_len);
+
+ /* 2: fully random */
+
+ std::vector<uint8_t>needle = fuzzed_data.ConsumeBytes<uint8_t>(512);
+ ndpi_memmem(h, h_len, needle.data(), needle.size());
+
+
+ /* Let use this fuzzer to check also this simple function... */
+ ndpi_strlcpy(dst, (const char *)h, sizeof(dst), h_len);
+
+ return 0;
+}
diff --git a/fuzz/fuzz_alg_strnstr.cpp b/fuzz/fuzz_alg_strnstr.cpp
new file mode 100644
index 000000000..1a2bd3d2f
--- /dev/null
+++ b/fuzz/fuzz_alg_strnstr.cpp
@@ -0,0 +1,18 @@
+#include "ndpi_api.h"
+
+#include "fuzzer/FuzzedDataProvider.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ FuzzedDataProvider fuzzed_data(data, size);
+ u_int16_t len;
+
+ /* No real memory allocations involved */
+
+ len = fuzzed_data.ConsumeIntegral<u_int16_t>();
+ std::string haystack = fuzzed_data.ConsumeRandomLengthString();
+ std::string needle = fuzzed_data.ConsumeRandomLengthString();
+
+ ndpi_strnstr(haystack.c_str(), needle.c_str(), len);
+
+ return 0;
+}
diff --git a/fuzz/fuzz_ds_domain_classify.cpp b/fuzz/fuzz_ds_domain_classify.cpp
index a53c8d130..5e068a9fe 100644
--- a/fuzz/fuzz_ds_domain_classify.cpp
+++ b/fuzz/fuzz_ds_domain_classify.cpp
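Review bot: When `ConsumeBytes` yields an empty `haystack`, `h` may be a null pointer (`std::vector::data()` on an empty vector is permitted to return null) and `&h[needle_start]` forms an element reference through it before `ndpi_memmem()` ever sees the zero length; the same pointer is later handed to `ndpi_strlcpy()`. Writing the needle as `h + needle_start` avoids the element access, and wrapping the two calls in `if(h_len > 0)` makes the null-haystack input an explicit case rather than an accidental one. Separately, `needle_len` is capped at `h_len - needle_start - 1`, so case 1 never produces a needle that reaches the last haystack byte or equals the whole haystack; `h_len - needle_start` would cover that boundary too. Minor: the comment `Let use this fuzzer` should read `Let's use this fuzzer`.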
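Review bot: `len` is drawn independently of `haystack`, so the bound only coincidentally falls inside the string and the `len <= strlen(haystack)` regime most callers rely on is rarely what gets exercised; adding `if(fuzzed_data.ConsumeBool()) len = haystack.size() < 0xFFFF ? haystack.size() : 0xFFFF;` before the call would cover both regimes deliberately. The oversized-`len` case is still worth keeping: reads past `len` stay bounded by the terminator `c_str()` guarantees, so an implementation that ignored the terminator would surface under the sanitizer instead of silently.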
@@ -30,7 +30,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 for (i = 0; i < num_iteration; i++) {
 value = fuzzed_data.ConsumeBytesAsString(fuzzed_data.ConsumeIntegral<u_int8_t>());
 class_id = fuzzed_data.ConsumeIntegral<u_int16_t>();
- rc = ndpi_domain_classify_add(ndpi_struct, d, class_id, (char*)value.c_str());
+ rc = ndpi_domain_classify_add(fuzzed_data.ConsumeBool() ? ndpi_struct : NULL,
+ d, class_id, (char*)value.c_str());
 /* Keep one random entry really added */
 if (rc == true && is_added == 0 && fuzzed_data.ConsumeBool()) {
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index 12db0d6da..574a68419 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -588,8 +588,6 @@ u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struc
 struct ndpi_flow_struct *flow, u_int32_t saddr, u_int32_t daddr);
-u_int32_t ip_port_hash_funct(u_int32_t ip, u_int16_t port);
-
 char* ndpi_intoav4(unsigned int addr, char* buf, u_int16_t bufLen);
 u_int16_t icmp4_checksum(u_int8_t const * const buf, size_t len);
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index b8dc08aab..ad07d0f86 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -7528,12 +7528,6 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
 /* ********************************************************************************* */
-u_int32_t ip_port_hash_funct(u_int32_t ip, u_int16_t port) {
- return(ip + 3 * port);
-}
-
-/* ********************************************************************************* */
-
 /* #define BITTORRENT_CACHE_DEBUG */
 int search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_struct,
diff --git a/src/lib/protocols/collectd.c b/src/lib/protocols/collectd.c
index 4e37a0768..3c878e9c9 100644
--- a/src/lib/protocols/collectd.c
+++ b/src/lib/protocols/collectd.c
@@ -101,11 +101,11 @@ static int ndpi_int_collectd_check_type(u_int16_t block_type)
 return 1;
 }
 
-static int ndpi_int_collectd_dissect_hostname(struct ndpi_flow_struct * const flow,
- struct ndpi_packet_struct const * const packet,
- u_int16_t block_length)
+static void ndpi_int_collectd_dissect_hostname(struct ndpi_flow_struct * const flow,
+ struct ndpi_packet_struct const * const packet,
+ u_int16_t block_length)
 {
- return (ndpi_hostname_sni_set(flow, &packet->payload[4], block_length, NDPI_HOSTNAME_NORM_ALL) == NULL);
+ ndpi_hostname_sni_set(flow, &packet->payload[4], block_length, NDPI_HOSTNAME_NORM_ALL);
 }
 
 static int ndpi_int_collectd_dissect_username(struct ndpi_flow_struct * const flow,
@@ -184,11 +184,8 @@ static void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struc
 return;
 }
 
- if (hostname_length > 0 &&
- ndpi_int_collectd_dissect_hostname(flow, packet, hostname_length) != 0)
- {
- ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid collectd Header");
- }
+ if (hostname_length > 0)
+ ndpi_int_collectd_dissect_hostname(flow, packet, hostname_length);
 
 ndpi_int_collectd_add_connection(ndpi_struct, flow);
 }
diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c
index 94e1dc2ef..1e0f307eb 100644
--- a/src/lib/protocols/gnutella.c
+++ b/src/lib/protocols/gnutella.c
@@ -103,8 +103,10 @@ static void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struc
 || (memcmp(packet->payload, "GET /uri-res/", 13) == 0))) {
 c = 8;
 while (c < (packet->payload_packet_len - 9)) {
- if (packet->payload[c] == '?')
+ if (packet->payload[c] == '?') {
+ c++;
 break;
+ }
 c++;
 }
 
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index bfb47f514..c57ed8441 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
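Review bot: Turning `ndpi_int_collectd_dissect_hostname()` into a `void` helper is fine if `ndpi_hostname_sni_set()` cannot fail, but nothing at either site now records why the malformed-header risk was dropped, so the next reader is likely to put it back; a comment on the helper such as `/* ndpi_hostname_sni_set() never fails, so there is no error to propagate */` settles that. The helper still reads `block_length` bytes starting at `&packet->payload[4]`, which means it depends on the caller having bounded `hostname_length` against `packet->payload_packet_len` before this point — that check, if present, is outside the hunk and is worth confirming while touching this code.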
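Review bot: Both paths now advance `c`, so the loop body reduces to `if (packet->payload[c++] == '?') break;`, which states the one-past-the-match intent on a single line instead of duplicating the increment. After the loop, `c` points just past the `'?'` on a hit but equals `packet->payload_packet_len - 9` on a miss, and the code that consumes `c` is below the hunk; it should distinguish the miss rather than read `payload[c]` as though a match had been found. The remainder of `ndpi_search_gnutella()` is outside this hunk.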
@@ -1086,12 +1086,18 @@ static struct l_string {
 STATIC_STRING_L("DELETE "),
 STATIC_STRING_L("CONNECT "),
 STATIC_STRING_L("PROPFIND "),
+ STATIC_STRING_L("PROPPATCH "),
+ STATIC_STRING_L("MKCOL "),
+ STATIC_STRING_L("MOVE "),
+ STATIC_STRING_L("COPY "),
+ STATIC_STRING_L("LOCK "),
+ STATIC_STRING_L("UNLOCK "),
 STATIC_STRING_L("REPORT "),
 STATIC_STRING_L("RPC_CONNECT "),
 STATIC_STRING_L("RPC_IN_DATA "),
 STATIC_STRING_L("RPC_OUT_DATA ")
 };
 
-static const char *http_fs = "CDGHOPR";
+static const char *http_fs = "CDGHLMOPRU";
 
 static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *ndpi_struct) {
diff --git a/src/lib/protocols/mqtt.c b/src/lib/protocols/mqtt.c
index ea2390d37..535cd02b1 100644
--- a/src/lib/protocols/mqtt.c
+++ b/src/lib/protocols/mqtt.c
@@ -93,7 +93,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 struct ndpi_packet_struct *packet = &ndpi_struct->packet;
 if (flow->packet_counter > 10) {
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. mandatory header not found!\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;
 }
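Review bot: `http_fs` is a hand-maintained set of the first letters of the method table above it, and nothing ties the two together — this change had to edit both, and a future method whose initial is missing from the string will be filtered out before the table is ever consulted, which is a silent detection gap rather than a visible failure. A comment next to the string, `/* First letter of every entry in the method table above: keep in sync when adding a method */`, or building the set from the table at initialisation time, removes the hidden coupling.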
@@ -105,20 +105,20 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 packet->payload_packet_len);
 if (packet->payload_packet_len < 2) {
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. mandatory header not found!\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;
 }
 // we extract the remaining length
 rl = get_var_int(&packet->payload[1], packet->payload_packet_len - 1, &rl_len);
 if (rl < 0) {
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. invalid length!\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;
 }
 NDPI_LOG_DBG(ndpi_struct, "Mqtt: msg_len %d\n", (unsigned long long)rl);
 if (packet->payload_packet_len != rl + 1 + rl_len) {
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. maximum packet size exceeded!\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;
 }
 // we extract the packet type
@@ -126,7 +126,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 NDPI_LOG_DBG2(ndpi_struct,"====>>>> Mqtt packet type: [%d]\n",pt);
 if ((pt == 0) || (pt == 15)) {
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. invalid packet type!\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;
 }
 // we extract the flags
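Review bot: The context line `NDPI_LOG_DBG(ndpi_struct, "Mqtt: msg_len %d\n", (unsigned long long)rl);` pairs a `%d` conversion with an `unsigned long long` argument, which is undefined for the formatted-output call and prints garbage on common 64-bit ABIs; since this hunk already edits the same branch, `NDPI_LOG_DBG(ndpi_struct, "Mqtt: msg_len %llu\n", (unsigned long long)rl);` is a one-token fix (`rl` is declared outside the hunk, so the cast is kept rather than assuming its width). The `NDPI_EXCLUDE_PROTO` substitution itself looks mechanical here and in the neighbouring hunks, on the assumption that the macro excludes the running dissector's own protocol, which is how the other dissectors in this commit use it.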
@@ -137,12 +137,12 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 (pt == PUBCOMP) || (pt == SUBACK) || (pt == UNSUBACK) || (pt == PINGREQ) || (pt == PINGRESP) || (pt == DISCONNECT)) && (flags > 0)) {
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Flag combination flag!=0\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;
 }
 if (((pt == PUBREL) || (pt == SUBSCRIBE) || (pt == UNSUBSCRIBE)) && (flags != 2)) {
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Flag combination flag!=2\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;
 }
 NDPI_LOG_DBG2(ndpi_struct,"====>>>> Passed first stage of identification\n");
@@ -151,7 +151,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 (pt == PUBREC) || (pt == PUBCOMP) || (pt == UNSUBACK)) {
 if (packet->payload_packet_len != 4) { // these packets are always 4 bytes long
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Length < 4 \n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;
 } else {
 NDPI_LOG_INFO(ndpi_struct, "found Mqtt CONNACK/PUBACK/PUBREL/PUBREC/PUBCOMP/UNSUBACK\n");
@@ -162,7 +162,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 if ((pt == PINGREQ) || (pt == PINGRESP) || (pt == DISCONNECT)) {
 if (packet->payload_packet_len != 2) { // these packets are always 2 bytes long
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Length <2 \n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;
 } else {
 NDPI_LOG_INFO(ndpi_struct, "found Mqtt PING/PINGRESP/DISCONNECT\n");
@@ -183,25 +183,25 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 u_int8_t dup = (u_int8_t) (flags & 0x08) >> 3;
 if (qos > 2) { // qos values possible are 0,1,2
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;
 }
 if (qos == 0) {
 if (dup != 0) {
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos0 and dup combination\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;
 }
 if (packet->payload_packet_len < 5) { // at least topic (3Bytes + 2Bytes fixed header)
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos0 size\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;
 }
 }
 if ((qos == 1) || (qos == 2)) {
 if (packet->payload_packet_len < 7 ) { // at least topic + pkt identifier (3Bytes + 2Bytes + 2Bytes fixed header)
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos1&2\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;
 }
 }
@@ -212,7 +212,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 if (pt == SUBSCRIBE) {
 if (packet->payload_packet_len < 8) { // at least one topic+filter is required in the payload
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid SUBSCRIBE\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;
 } else {
 NDPI_LOG_INFO(ndpi_struct, "found Mqtt SUBSCRIBE\n");
@@ -223,7 +223,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 if (pt == SUBACK ) {
 if (packet->payload_packet_len <5 ) { // must have at least a response code
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid SUBACK\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;
 } else {
 NDPI_LOG_INFO(ndpi_struct, "found Mqtt SUBACK\n");
@@ -234,7 +234,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 if (pt == UNSUBSCRIBE) {
 if (packet->payload_packet_len < 7) { // at least a topic
 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid UNSUBSCRIBE\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 return;
 } else {
 NDPI_LOG_INFO(ndpi_struct, "found Mqtt UNSUBSCRIBE\n");
@@ -242,9 +242,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 return;
 }
 }
- NDPI_LOG_DBG2(ndpi_struct,"====>>>> Passed third stage of identification");
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- return;
+ /* We already checked every possible values of pt: we are never here */
 }
 /**
 * Entry point for the ndpi library
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index e05d0ee89..deaff776b 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -235,9 +235,6 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
 NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP);
 }
- } else if(flow->packet_counter > 3) {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP);
 }
 }
 }
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index fb5e200b8..fcb5db055 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
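Review bot: The replacement comment asserts that the end of `ndpi_search_mqtt()` is unreachable, but that holds only while every `pt` value surviving the `(pt == 0) || (pt == 15)` check above has a `return` on all of its paths; the removed `NDPI_EXCLUDE_PROTO` was the safety net for a branch that falls through, and with it gone such a flow is simply never excluded. If the dead-code removal is intended, state the invariant so an added packet type does not quietly break it: `/* pt is 1..14 here and every value returns inside its own branch above; any new packet type must return as well */` (this assumes `pt` is the 4-bit type field, which is extracted outside this hunk).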
@@ -71,9 +71,6 @@ typedef struct {
 static void ssh_analyze_signature_version(struct ndpi_flow_struct *flow, char *str_to_check, u_int8_t is_client_signature) {
-
- if(str_to_check == NULL) return;
-
 u_int i;
 u_int8_t obsolete_ssh_version = 0;
 const ssh_pattern ssh_servers_strings[] =
diff --git a/src/lib/protocols/z3950.c b/src/lib/protocols/z3950.c
index 96ae80560..92eed01b0 100644
--- a/src/lib/protocols/z3950.c
+++ b/src/lib/protocols/z3950.c
@@ -42,7 +42,7 @@ static int z3950_parse_sequences(struct ndpi_packet_struct const * const packet,
 pdu_type = packet->payload[0] & 0x1F;
 
- if(((pdu_type < 20) || (pdu_type > 36)) && ((pdu_type < 43) || (pdu_type > 48)))
+ if((pdu_type < 20) || ((pdu_type > 36) && ((pdu_type < 43) || (pdu_type > 48))))
 return(-1);
 
 while(cur_sequences++ < max_sequences) {
diff --git a/src/lib/third_party/src/fuzz/pl7m.c b/src/lib/third_party/src/fuzz/pl7m.c
index d3c507283..bf502b642 100644
--- a/src/lib/third_party/src/fuzz/pl7m.c
+++ b/src/lib/third_party/src/fuzz/pl7m.c
@@ -284,7 +284,7 @@ static int dissect_l2(int datalink_type, struct m_pkt *p)
 break;
 case DLT_PPI:
- if (data_len < l2_offset + 4)
+ if (data_len < l2_offset + 8)
 return -1;
 header_length = le16toh(*(u_int16_t *)&data[l2_offset + 2]);
 dlt = le32toh(*(u_int32_t *)&data[l2_offset + 4]);
diff --git a/tests/cfgs/default/pcap/ssh.pcap b/tests/cfgs/default/pcap/ssh.pcap
Binary files differ
index 7331a7e39..c20f5d9b0 100644
--- a/tests/cfgs/default/pcap/ssh.pcap
+++ b/tests/cfgs/default/pcap/ssh.pcap
diff --git a/tests/cfgs/default/pcap/webdav.pcap b/tests/cfgs/default/pcap/webdav.pcap
Binary files differ
index 22808ee7f..f4e88cb0c 100644
--- a/tests/cfgs/default/pcap/webdav.pcap
+++ b/tests/cfgs/default/pcap/webdav.pcap
diff --git a/tests/cfgs/default/result/ssh.pcap.out b/tests/cfgs/default/result/ssh.pcap.out
index 1cf904f05..47970cdc0 100644
--- a/tests/cfgs/default/result/ssh.pcap.out
+++ b/tests/cfgs/default/result/ssh.pcap.out
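Review bot: Deleting `if(str_to_check == NULL) return;` turns a non-NULL argument into a hard precondition of `ssh_analyze_signature_version()`, and the body that dereferences it continues below the hunk; the guard was presumably dead because callers pass the address of a fixed buffer, but that is now entirely implicit. A one-line comment on the signature, `/* str_to_check must be non-NULL; the guard was removed because callers always pass a valid buffer */`, keeps the removed check's contract visible to the next caller added to this file.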
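Review bot: The rewritten condition is logically identical to the old one — both reject exactly the values outside 20..36 and outside 43..48 — so this hunk does not change what `z3950_parse_sequences()` accepts, and the "fix z3950" part of the commit message is not explained by it. More to the point, `pdu_type` is computed as `packet->payload[0] & 0x1F` on the line above and can never exceed 31, which makes the entire `43..48` alternative unreachable; if these are BER tag numbers, values above 30 are encoded in the multi-byte tag form and cannot be read from the low five bits at all. Either drop the dead alternative or parse the long-form tag before comparing, and add a short comment naming the intended PDU-tag ranges so the next reader does not have to rediscover this.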
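Review bot: The enlarged bound covers exactly the two fields read on the following lines (a `u_int16_t` at `l2_offset + 2` and a `u_int32_t` at `l2_offset + 4`), so the uninitialised read is closed; `header_length` is taken from the input and consumed after the hunk, so it presumably needs its own check against `data_len` there. The two reads also go through `u_int16_t *`/`u_int32_t *` casts at an arbitrary offset, which is an unaligned access on strict targets and an aliasing hazard for the optimiser; copying the bytes with `memcpy()` into a local before `le16toh()`/`le32toh()` is the portable form. The rest of `dissect_l2()` is outside the hunk.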
@@ -1,6 +1,6 @@
-DPI Packets (TCP): 10 (10.00 pkts/flow)
-Confidence DPI : 1 (flows)
-Num dissector calls: 1 (1.00 diss/flow)
+DPI Packets (TCP): 19 (9.50 pkts/flow)
+Confidence DPI : 2 (flows)
+Num dissector calls: 22 (11.00 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache stun: 0/0/0 (insert/search/found)
@@ -16,11 +16,12 @@ Patricia risk mask: 2/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 2/0 (search/found) +Patricia protocols: 4/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -SSH 258 35546 1 +SSH 295 44977 2 -Acceptable 258 35546 1 +Acceptable 295 44977 2 1 TCP 172.16.238.1:58395 <-> 172.16.238.168:22 [proto: 92/SSH][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 10][cat: RemoteAccess/12][159 pkts/15615 bytes <-> 99 pkts/19931 bytes][Goodput ratio: 33/67][248.48 sec][Hostname/SNI: SSH-2.0-OpenSSH_5.3][bytes ratio: -0.121 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1846/2934 166223/166224 14794/19692][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 98/201 970/1346 83/283][Risk: ** SSH Obsolete Cli Vers/Cipher **** SSH Obsolete Ser Vers/Cipher **][Risk Score: 150][Risk Info: Found cipher arcfour128 / Found cipher arcfour128][HASSH-C: 21B457A327CE7A2D4FCE5EF2C42400BD][Server: SSH-2.0-OpenSSH_5.6][HASSH-S: B1C6C0D56317555B85C7005A3DE29325][Plen Bins: 2,76,12,2,3,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0] + 2 TCP 127.0.0.1:58496 <-> 127.0.0.1:8000 [proto: 92/SSH][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: RemoteAccess/12][20 pkts/5598 bytes <-> 17 pkts/3833 bytes][Goodput ratio: 76/71][2.18 sec][Hostname/SNI: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11][bytes ratio: 0.187 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 119/162 1760/1760 424/463][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 280/225 1602/1098 437/270][Risk: ** Known Proto on Non Std Port **** SSH Obsolete Ser Vers/Cipher **][Risk Score: 100][Risk Info: Found cipher arcfour128][HASSH-C: C11B200866CF918393E62EA25D851D90][Server: SSH-2.0-APACHE-SSHD-2.5.0][HASSH-S: CA6DD86B2D9A44E4A3F1A55C53E6B0FA][Plen Bins: 
13,4,42,4,4,0,0,0,0,0,0,4,4,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,4,0,0,0,0,0,4] diff --git a/tests/cfgs/default/result/webdav.pcap.out b/tests/cfgs/default/result/webdav.pcap.out index 69e6c02e1..fb80f684f 100644 --- a/tests/cfgs/default/result/webdav.pcap.out +++ b/tests/cfgs/default/result/webdav.pcap.out @@ -1,6 +1,6 @@ -DPI Packets (TCP): 6 (6.00 pkts/flow) -Confidence DPI : 1 (flows) -Num dissector calls: 15 (15.00 diss/flow) +DPI Packets (TCP): 41 (5.12 pkts/flow) +Confidence DPI : 8 (flows) +Num dissector calls: 120 (15.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache stun: 0/0/0 (insert/search/found) 
@@ -10,17 +10,24 @@ LRU cache msteams: 0/0/0 (insert/search/found) Automa host: 0/0 (search/found) Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) -Automa risk mask: 1/0 (search/found) +Automa risk mask: 8/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 2/0 (search/found) +Patricia risk mask: 16/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 0/0 (search/found) Patricia risk IPv6: 0/0 (search/found) -Patricia protocols: 2/0 (search/found) +Patricia protocols: 16/0 (search/found) Patricia protocols IPv6: 0/0 (search/found) -WebDAV 14 2742 1 +WebDAV 92 22025 8 -Acceptable 14 2742 1 +Acceptable 92 22025 8 - 1 TCP 10.24.8.189:50652 <-> 104.156.149.6:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Collaborative/15][7 pkts/727 bytes <-> 7 pkts/2015 bytes][Goodput ratio: 46/81][5.07 sec][Hostname/SNI: 104.156.149.6][bytes ratio: -0.470 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22/8 67/20 24/9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 104/288 223/1107 75/390][URL: 104.156.149.6/webdav][StatusCode: 301][Content-Type: text/html][Server: Apache/2.4.52 (Ubuntu)][User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 10][Risk Info: Found host 104.156.149.6][PLAIN TEXT (PROPFIND /webdav HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 192.168.16.173:35612 <-> 198.244.151.63:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Collaborative/15][8 pkts/1196 bytes <-> 4 pkts/2599 bytes][Goodput ratio: 55/89][0.11 sec][Hostname/SNI: www.dlp-test.com][bytes ratio: -0.370 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/26 13/27 28/28 13/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 150/650 572/1614 
167/640][URL: www.dlp-test.com/webdav][StatusCode: 401][Content-Type: text/html][Server: Microsoft-HTTPAPI/2.0][User-Agent: curl/7.68.0][Risk: ** Error Code **][Risk Score: 10][Risk Info: HTTP Error Code 401][PLAIN TEXT (MKCOL /webdav HTTP/1.1)][Plen Bins: 0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25] + 2 TCP 192.168.16.173:47726 <-> 198.244.151.63:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Collaborative/15][7 pkts/1136 bytes <-> 4 pkts/2468 bytes][Goodput ratio: 59/89][0.11 sec][Hostname/SNI: www.dlp-test.com][bytes ratio: -0.370 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/26 16/26 28/27 13/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 162/617 575/1483 177/592][URL: www.dlp-test.com/webdav][StatusCode: 401][Content-Type: text/html][Server: Microsoft-HTTPAPI/2.0][User-Agent: curl/7.68.0][Risk: ** Error Code **][Risk Score: 10][Risk Info: HTTP Error Code 401][PLAIN TEXT (PROPFIND /webdav HTTP/1.1)][Plen Bins: 0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0] + 3 TCP 10.24.8.189:50652 <-> 104.156.149.6:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Collaborative/15][7 pkts/727 bytes <-> 7 pkts/2015 bytes][Goodput ratio: 46/81][5.07 sec][Hostname/SNI: 104.156.149.6][bytes ratio: -0.470 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22/8 67/20 24/9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 104/288 223/1107 75/390][URL: 104.156.149.6/webdav][StatusCode: 301][Content-Type: text/html][Server: Apache/2.4.52 (Ubuntu)][User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 10][Risk Info: Found host 104.156.149.6][PLAIN TEXT (PROPFIND /webdav HTTP/1.1)][Plen Bins: 
0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 192.168.16.173:57432 <-> 198.244.151.63:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Collaborative/15][7 pkts/1138 bytes <-> 4 pkts/1246 bytes][Goodput ratio: 59/78][0.11 sec][Hostname/SNI: www.dlp-test.com][bytes ratio: -0.045 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/27 16/28 28/28 13/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 163/312 576/845 177/318][URL: www.dlp-test.com/webdav][StatusCode: 401][Content-Type: text/html][Server: Microsoft-HTTPAPI/2.0][User-Agent: curl/7.68.0][Risk: ** Error Code **][Risk Score: 10][Risk Info: HTTP Error Code 401][PLAIN TEXT (PROPPATCH /webdav HTTP/1.1)][Plen Bins: 0,0,0,0,25,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 TCP 192.168.16.173:47436 <-> 198.244.151.63:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Collaborative/15][7 pkts/1132 bytes <-> 4 pkts/1246 bytes][Goodput ratio: 58/78][0.11 sec][Hostname/SNI: www.dlp-test.com][bytes ratio: -0.048 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/26 16/26 27/27 13/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 162/312 573/845 176/318][URL: www.dlp-test.com/webdav][StatusCode: 401][Content-Type: text/html][Server: Microsoft-HTTPAPI/2.0][User-Agent: curl/7.68.0][Risk: ** Error Code **][Risk Score: 10][Risk Info: HTTP Error Code 401][PLAIN TEXT (UNLOCK /webdav HTTP/1.1)][Plen Bins: 0,0,0,0,25,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 TCP 192.168.16.173:41714 <-> 198.244.151.63:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Collaborative/15][7 pkts/1128 bytes <-> 4 pkts/1246 bytes][Goodput ratio: 58/78][0.11 sec][Hostname/SNI: 
www.dlp-test.com][bytes ratio: -0.050 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/25 16/26 27/27 13/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 161/312 571/845 175/318][URL: www.dlp-test.com/webdav][StatusCode: 401][Content-Type: text/html][Server: Microsoft-HTTPAPI/2.0][User-Agent: curl/7.68.0][Risk: ** Error Code **][Risk Score: 10][Risk Info: HTTP Error Code 401][PLAIN TEXT (MOVE /webdav HTTP/1.1)][Plen Bins: 0,0,0,0,25,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 TCP 192.168.16.173:47432 <-> 198.244.151.63:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Collaborative/15][7 pkts/1128 bytes <-> 4 pkts/1246 bytes][Goodput ratio: 58/78][0.11 sec][Hostname/SNI: www.dlp-test.com][bytes ratio: -0.050 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/25 16/26 27/27 13/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 161/312 571/845 175/318][URL: www.dlp-test.com/webdav][StatusCode: 401][Content-Type: text/html][Server: Microsoft-HTTPAPI/2.0][User-Agent: curl/7.68.0][Risk: ** Error Code **][Risk Score: 10][Risk Info: HTTP Error Code 401][PLAIN TEXT (LOCK /webdav HTTP/1.1)][Plen Bins: 0,0,0,0,25,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 8 TCP 192.168.16.173:55974 <-> 198.244.151.63:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Collaborative/15][7 pkts/1128 bytes <-> 4 pkts/1246 bytes][Goodput ratio: 58/78][0.11 sec][Hostname/SNI: www.dlp-test.com][bytes ratio: -0.050 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/26 16/27 28/28 13/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 161/312 571/845 175/318][URL: www.dlp-test.com/webdav][StatusCode: 401][Content-Type: text/html][Server: Microsoft-HTTPAPI/2.0][User-Agent: curl/7.68.0][Risk: ** Error Code **][Risk Score: 10][Risk Info: HTTP Error Code 401][PLAIN TEXT (COPY /webdav 
HTTP/1.1)][Plen Bins: 0,0,0,0,25,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |