authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2021-11-15 16:20:57 +0100
committerGitHub <noreply@github.com>2021-11-15 16:20:57 +0100
commitafc2b641eb9cf5035b5147e78030bafe0b40dd87 (patch)
tree99cf853d219ae6004819d2564f4cabd29c487cf6 /src/include
parentda47357762746c7fc5c537b575b5b56f252320a5 (diff)
Fix writes to `flow->protos` union fields (#1354)
We can write to `flow->protos` only after a proper classification. This issue has been found in Kerberos, DHCP, HTTP, STUN, IMO, FTP, SMTP, IMAP and POP code. There are two kinds of fixes: * write to `flow->protos` only if a final protocol has been detected * move protocol state out of `flow->protos` The hard part is to find, for each protocol, the right tradeoff between memory usage and code complexity. Handle Kerberos like DNS: if we find a request, we set the protocol and an extra callback to further parse the reply. For all the other protocols, move the state out of `flow->protos`. This is an issue only for the FTP/MAIL stuff. Add DHCP Class Identification value to the output of ndpiReader and to the JSON serialization. Extend code coverage of fuzz tests. Close #1343 Close #1342
Diffstat (limited to 'src/include')
-rw-r--r--src/include/ndpi_typedefs.h73
1 files changed, 33 insertions, 40 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index a57988feb..06bb4b4ae 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -788,6 +788,9 @@ struct ndpi_flow_udp_struct {
/* NDPI_PROTOCOL_RDP */
u_int8_t rdp_to_srv[3], rdp_from_srv[3], rdp_to_srv_pkts, rdp_from_srv_pkts;
+
+ /* NDPI_PROTOCOL_IMO */
+ u_int8_t imo_last_one_byte_pkt, imo_last_byte;
};
/* ************************************************** */
@@ -1248,6 +1251,7 @@ struct ndpi_flow_struct {
u_int8_t request_version; /* 0=1.0 and 1=1.1. Create an enum for this? */
u_int16_t response_status_code; /* 200, 404, etc. */
u_char detected_os[32]; /* Via HTTP/QUIC User-Agent */
+ u_char nat_ip[24]; /* Via HTTP X-Forwarded-For */
} http;
/*
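Review bot: `nat_ip[24]` on the added line in the `http` struct is, per its comment, taken from the client-supplied X-Forwarded-For header, and 24 bytes cannot hold a full textual IPv6 address (up to 45 characters plus the terminator), so such values will be cut short. The comment should state the contract consumers can rely on, for example `u_char nat_ip[24]; /* Via HTTP X-Forwarded-For: untrusted header value, truncated to 23 bytes + NUL */`, assuming the writer in the HTTP dissector bounds the copy and terminates it. That writer is not part of this hunk and should be checked against the new location. `struct ndpi_flow_struct` starts and ends outside the hunk.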
@@ -1260,6 +1264,17 @@ struct ndpi_flow_struct {
u_int16_t pktbuf_maxlen, pktbuf_currlen;
} kerberos_buf;
+ struct {
+ u_int8_t num_udp_pkts, num_binding_requests;
+ u_int16_t num_processed_pkts;
+ } stun;
+
+ /* TODO: something clever to save memory */
+ struct {
+ u_int8_t auth_found:1, auth_failed:1, auth_tls:1, auth_done:1, _pad:4;
+ char username[32], password[16];
+ } ftp_imap_pop_smtp;
+
union {
/* the only fields useful for nDPI and ntopng */
struct {
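Review bot: The added `ftp_imap_pop_smtp` struct places `username[32]` and `password[16]` outside the union, so cleartext credentials parsed from traffic now occupy space in every flow and appear to stay there for the flow's lifetime whatever protocol is finally detected. Nothing on the struct says so; I would add above it `/* State kept before classification; username/password are cleartext from untrusted traffic, truncated to fit */`. The flow-free path should zero both buffers with a wipe the compiler cannot elide, if it does not already. The writers, which are outside this hunk, need to bound copies to `sizeof(buf) - 1` and NUL-terminate. `struct ndpi_flow_struct` starts and ends outside the hunk.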
@@ -1278,39 +1293,31 @@ struct ndpi_flow_struct {
} kerberos;
struct {
- struct {
- char ssl_version_str[12];
- u_int16_t ssl_version, server_names_len;
- char client_requested_server_name[256], /* SNI hostname length: RFC 4366 */
+ char ssl_version_str[12];
+ u_int16_t ssl_version, server_names_len;
+ char client_requested_server_name[256]; /* SNI hostname length: RFC 4366 */
+ char
*server_names, *alpn, *tls_supported_versions, *issuerDN, *subjectDN;
- u_int32_t notBefore, notAfter;
- char ja3_client[33], ja3_server[33];
- u_int16_t server_cipher;
- u_int8_t sha1_certificate_fingerprint[20];
- u_int8_t hello_processed:1, subprotocol_detected:1, _pad:6;
+ u_int32_t notBefore, notAfter;
+ char ja3_client[33], ja3_server[33];
+ u_int16_t server_cipher;
+ u_int8_t sha1_certificate_fingerprint[20];
+ u_int8_t hello_processed:1, subprotocol_detected:1, _pad:6;
#ifdef TLS_HANDLE_SIGNATURE_ALGORITMS
- /* Under #ifdef to save memory for those who do not need them */
- u_int8_t num_tls_signature_algorithms;
- u_int16_t client_signature_algorithms[MAX_NUM_TLS_SIGNATURE_ALGORITHMS];
+ /* Under #ifdef to save memory for those who do not need them */
+ u_int8_t num_tls_signature_algorithms;
+ u_int16_t client_signature_algorithms[MAX_NUM_TLS_SIGNATURE_ALGORITHMS];
#endif
- struct tls_heuristics browser_heuristics;
-
- struct {
- u_int16_t cipher_suite;
- char *esni;
- } encrypted_sni;
- ndpi_cipher_weakness server_unsafe_cipher;
- } tls_quic;
+ struct tls_heuristics browser_heuristics;
struct {
- u_int8_t num_udp_pkts, num_binding_requests;
- u_int16_t num_processed_pkts;
- } stun;
-
- /* We can have STUN over SSL/TLS thus they need to live together */
- } tls_quic_stun;
+ u_int16_t cipher_suite;
+ char *esni;
+ } encrypted_sni;
+ ndpi_cipher_weakness server_unsafe_cipher;
+ } tls_quic;
struct {
char client_signature[48], server_signature[48];
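Review bot: The flattened `tls_quic` member still carries heap pointers (`server_names`, `alpn`, `tls_supported_versions`, `issuerDN`, `subjectDN`, `encrypted_sni.esni`) inside the union, and the hunk drops the only layout comment on this struct without stating the invariant the commit message relies on. A write to another union member before classification would leave these pointers holding arbitrary bytes, which presumably matters to whatever code frees them (not visible here). I would add above the struct `/* Valid only once the flow is classified as TLS/QUIC: holds owned heap pointers, never write before classification */`. The union and `struct ndpi_flow_struct` start and end outside the hunk.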
@@ -1318,10 +1325,6 @@ struct ndpi_flow_struct {
} ssh;
struct {
- u_int8_t last_one_byte_pkt, last_byte;
- } imo;
-
- struct {
u_int8_t username_detected:1, username_found:1,
password_detected:1, password_found:1,
_pad:4;
@@ -1334,16 +1337,6 @@ struct ndpi_flow_struct {
} ubntac2;
struct {
- /* Via HTTP X-Forwarded-For */
- u_char nat_ip[24];
- } http;
-
- struct {
- u_int8_t auth_found:1, auth_failed:1, auth_tls:1, auth_done:1, _pad:4;
- char username[32], password[16];
- } ftp_imap_pop_smtp;
-
- struct {
/* Bittorrent hash */
u_char hash[20];
} bittorrent;