authorVladimir Gavrilov <105977161+0xA50C1A1@users.noreply.github.com>2023-12-10 14:10:50 +0300
committerGitHub <noreply@github.com>2023-12-10 12:10:50 +0100
commitc809e7c0691a77e84036df78067e482700263c71 (patch)
tree4644bae2ec2a940491bddae04f2e279068766ccb
parentf74cf16c361018fc98d796978013df4ca0c6050f (diff)
Replace complicated TPKT header validation with an helper function (#2201)
* Replace complicated TPKT header validation with an helper function * Move tpkt_verify_hdr function definition to ndpi_utils.c
6 files changed, 35 insertions, 45 deletions
diff --git a/src/lib/ndpi_private.h b/src/lib/ndpi_private.h
index 4b60f1b6f..e45a0aabe 100644
--- a/src/lib/ndpi_private.h
+++ b/src/lib/ndpi_private.h
@@ -417,7 +417,8 @@ u_int32_t make_mining_key(struct ndpi_flow_struct *flow);
/* Stun */
int stun_search_into_zoom_cache(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-
+/* TPKT */
+int tpkt_verify_hdr(const struct ndpi_packet_struct * const packet);
/* Protocols init */
void init_diameter_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index d6f5b7f60..ff56bb61d 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -3023,3 +3023,11 @@ u_int32_t ndpi_nearest_power_of_two(u_int32_t x) {
return(x);
}
+/* ******************************************* */
+
+int tpkt_verify_hdr(const struct ndpi_packet_struct * const packet)
+{
+ return ((packet->tcp != NULL) && (packet->payload_packet_len > 4) &&
+ (packet->payload[0] == 3) && (packet->payload[1] == 0) &&
+ (get_u_int16_t(packet->payload,2) == htons(packet->payload_packet_len)));
+}
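Review bot: tpkt_verify_hdr has no comment stating its contract, although the dissectors changed in this commit now rely on it for both bounds and NULL safety. It guarantees only that `packet->tcp` is non-NULL, that more than four payload bytes exist, and that the TPKT length field equals the whole payload length, so each caller must keep its own minimum-length check before reading `payload[4]` or beyond. I would add above the definition: `/* Returns non-zero for a TCP payload longer than 4 bytes that starts with a TPKT header (version 3, reserved 0) whose length field equals payload_packet_len. */`. The equality test also rejects a segment that carries a partial TPKT or several TPKTs, which is worth stating so it is a documented detection limit rather than a surprise.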
diff --git a/src/lib/protocols/h323.c b/src/lib/protocols/h323.c
index ecab1cac6..14a1ea8bd 100644
--- a/src/lib/protocols/h323.c
+++ b/src/lib/protocols/h323.c
@@ -37,23 +37,18 @@ static void ndpi_int_h323_add_connection(struct ndpi_detection_module_struct *nd
static void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow)
{
- struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+ const struct ndpi_packet_struct * const packet = &ndpi_struct->packet;
u_int16_t dport = 0, sport = 0;
NDPI_LOG_DBG(ndpi_struct, "search H323\n");
/* TPKT header length + Q.931 header length without IE */
- if ((packet->payload_packet_len) > 10 && (packet->tcp != NULL)) {
- if ((packet->payload[0] == 0x03) &&
- (packet->payload[1] == 0x00) &&
- (ntohs(get_u_int16_t(packet->payload, 2)) == packet->payload_packet_len))
- {
+ if (tpkt_verify_hdr(packet) && (packet->payload_packet_len > 10)) {
/* Check Q.931 Protocol Discriminator and call reference value length */
if ((packet->payload[4] == 0x08) && ((packet->payload[5] & 0xF) <= 3)) {
ndpi_int_h323_add_connection(ndpi_struct, flow);
return;
}
- }
} else if (packet->udp != NULL) {
sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest);
NDPI_LOG_DBG2(ndpi_struct, "calculated dport over udp\n");
diff --git a/src/lib/protocols/iso9506-1-mms.c b/src/lib/protocols/iso9506-1-mms.c
index 30f74f733..e435685a1 100644
--- a/src/lib/protocols/iso9506-1-mms.c
+++ b/src/lib/protocols/iso9506-1-mms.c
@@ -47,9 +47,7 @@ static void ndpi_search_iso9506_1_mms(struct ndpi_detection_module_struct *ndpi_
NDPI_LOG_DBG(ndpi_struct, "search ISO 9506-1 MMS\n");
- if ((packet->payload_packet_len > 60) && (packet->payload[0] == 3) &&
- (packet->payload[1] == 0) &&
- (get_u_int16_t(packet->payload, 2) == htons(packet->payload_packet_len)))
+ if ((packet->payload_packet_len > 60) && tpkt_verify_hdr(packet))
{
if (current_pkt_from_client_to_server(ndpi_struct, flow)) {
/* Check COTP and ISO 8327-1 headers */
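Review bot: The new `if` condition is stricter than the one it replaces, because tpkt_verify_hdr also requires `packet->tcp != NULL`, which the removed lines did not test. If this dissector is only ever invoked for TCP traffic the difference is invisible, but that registration is not shown in this hunk, so it should be confirmed and recorded in a comment such as `/* TPKT implies TCP; tpkt_verify_hdr() rejects non-TCP packets */`. The enclosing function starts and ends outside the hunk.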
diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c
index e95c6e853..f641f7690 100644
--- a/src/lib/protocols/rdp.c
+++ b/src/lib/protocols/rdp.c
@@ -41,15 +41,13 @@ static void ndpi_int_rdp_add_connection(struct ndpi_detection_module_struct *ndp
static void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+ const struct ndpi_packet_struct * const packet = &ndpi_struct->packet;
NDPI_LOG_DBG(ndpi_struct, "search RDP\n");
if (packet->tcp != NULL) {
if(packet->payload_packet_len > 13 &&
- /* TPKT */
- packet->payload[0] == 0x03 && packet->payload[1] == 0x00 &&
- ntohs(*(uint16_t *)&packet->payload[2]) == packet->payload_packet_len &&
+ tpkt_verify_hdr(packet) &&
/* COTP */
packet->payload[4] == packet->payload_packet_len - 5) {
diff --git a/src/lib/protocols/s7comm.c b/src/lib/protocols/s7comm.c
index 45ecfd3f5..49bc26f84 100644
--- a/src/lib/protocols/s7comm.c
+++ b/src/lib/protocols/s7comm.c
@@ -40,39 +40,29 @@ static void ndpi_search_s7comm(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG(ndpi_struct, "search S7comm\n");
- if (packet->tcp) {
- u_int16_t sport = ntohs(packet->tcp->source);
- u_int16_t dport = ntohs(packet->tcp->dest);
-
- /* S7Comm uses a default TPKT port 102 */
- if (((sport == TPKT_PORT) || (dport == TPKT_PORT)) &&
- (packet->payload_packet_len > 17)) /* TPKT+COTP+S7Comm header lengths */
- {
- if ((packet->payload[0] == 0x03) && (packet->payload[1] == 0x00) &&
- (ntohs(get_u_int16_t(packet->payload, 2)) == packet->payload_packet_len))
+ if (tpkt_verify_hdr(packet) && (packet->payload_packet_len > 17) &&
+ ((packet->tcp->source == htons(TPKT_PORT)) ||
+ (packet->tcp->dest == htons(TPKT_PORT))))
+ {
+ if (packet->payload[7] == S7COMM_PLUS_MAGIC_BYTE) {
+ const u_int16_t trail_byte_offset = packet->payload_packet_len - 4;
+ if (packet->payload[trail_byte_offset] == S7COMM_PLUS_MAGIC_BYTE) {
+ NDPI_LOG_INFO(ndpi_struct, "found S7CommPlus\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_S7COMM_PLUS,
+ NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ return;
+ }
+ } else if (packet->payload[7] == S7COMM_MAGIC_BYTE) {
+ if (((packet->payload[8] <= 0x03) || (packet->payload[8] == 0x07)) &&
+ (get_u_int16_t(packet->payload, 9) == 0))
{
- if (packet->payload[7] == S7COMM_PLUS_MAGIC_BYTE) {
- const u_int16_t trail_byte_offset = packet->payload_packet_len - 4;
- if (packet->payload[trail_byte_offset] == S7COMM_PLUS_MAGIC_BYTE)
- {
- NDPI_LOG_INFO(ndpi_struct, "found S7CommPlus\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_S7COMM_PLUS,
- NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
- return;
- }
- } else if (packet->payload[7] == S7COMM_MAGIC_BYTE) {
- if (((packet->payload[8] <= 0x03) || (packet->payload[8] == 0x07)) &&
- (get_u_int16_t(packet->payload, 9) == 0))
- {
- NDPI_LOG_INFO(ndpi_struct, "found S7Comm\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_S7COMM,
- NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
- return;
- }
- }
- return;
+ NDPI_LOG_INFO(ndpi_struct, "found S7Comm\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_S7COMM,
+ NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ return;
}
}
+ return;
}
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
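Review bot: The `packet->tcp->source` and `packet->tcp->dest` reads in the new condition are safe only because tpkt_verify_hdr(packet) is evaluated first and short-circuits when `packet->tcp` is NULL; the explicit `if (packet->tcp)` guard was removed. A later reordering of the operands, for example to test the cheap port comparison first, would turn this into a NULL dereference on non-TCP traffic. Either keep an explicit `(packet->tcp != NULL) &&` at the front of the condition or add a comment like `/* tpkt_verify_hdr() must come first: it guarantees packet->tcp != NULL */`. The function starts before the hunk.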