STUN: avoid false positives (#1110)

STUN traffic doesn't use multicast addresses
author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2021-01-07 10:58:22 +0100
committer: GitHub <noreply@github.com> 2021-01-07 10:58:22 +0100
commit: ec2735694b4b1906658fc96dad2d5a095033559f (patch)
tree: 8cb62b79ef9ace239a7fa73201f15b478e2b870a
parent: 1e2b57bed479f12c5c539d62663e6fa13059eb86 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 8db589182..9c7e3ebe0 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -149,8 +149,9 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
   u_int16_t msg_type, msg_len;
   int rc;
   
-  /* No need to do ntohl() with 0xFFFFFFFF */
-  if(flow->packet.iph && (flow->packet.iph->daddr == 0xFFFFFFFF /* 255.255.255.255 */)) {
+  if(flow->packet.iph &&
+     ((flow->packet.iph->daddr == 0xFFFFFFFF /* 255.255.255.255 */) ||
+     ((ntohl(flow->packet.iph->daddr) & 0xF0000000) == 0xE0000000 /* A multicast address */))) {
     NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
     return(NDPI_IS_NOT_STUN);
   }
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2021-01-07 10:58:22 +0100
committer	GitHub <noreply@github.com>	2021-01-07 10:58:22 +0100
commit	ec2735694b4b1906658fc96dad2d5a095033559f (patch)
tree	8cb62b79ef9ace239a7fa73201f15b478e2b870a
parent	1e2b57bed479f12c5c539d62663e6fa13059eb86 (diff)