nDPI now detect RCE injections via PCRE instead Intel Hyperscan - BUGGY, DOES NOT COMPILE

author: MrTiz9 <tiziano.marra@pm.me> 2020-01-30 15:08:26 +0100
committer: MrTiz9 <tiziano.marra@pm.me> 2020-01-30 15:08:26 +0100
commit: 5c8c2d843afc38f6246c678ea41e81b1a88bcf17 (patch)
tree: b2637201942fbd9c1d78e09d4f4aa5e27176cf11 /src/lib/ndpi_utils.c
parent: ea957687e1f9444baa69d0b2b041c1b8cf70b2f6 (diff)
1 files changed, 51 insertions, 58 deletions
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index c7ea25aee..b86e66bfb 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -1214,100 +1214,93 @@ static int ndpi_is_xss_injection(char* query) {
 
 /* ********************************** */
 
-#ifdef HAVE_HYPERSCAN
-
-static void free_hyperscan(struct ndpi_detection_module_struct *ndpi_str,
-                           hs_compile_error_t *compile_err)
-{
-  if (ndpi_str) {
-    struct hs *hs = (struct hs*)ndpi_str->hyperscan;
-
-    if(hs) {
-      hs_free_scratch(hs->scratch);
-      hs_free_database(hs->database);
-      ndpi_free(hs);
-    }
-
-    ndpi_free(ndpi_str);
-  }
-
-  if (compile_err) {
-    hs_free_compile_error(compile_err);
-  }
-}
-
-/* ********************************** */
+#ifdef HAVE_PCRE
 
 static void ndpi_compile_rce_regex() {
-  hs_compile_error_t *compile_err;
+  const char *pcreErrorStr;
+  int pcreErrorOffset;
 
   for(int i = 0; i < N_RCE_REGEX; i++) {
-    struct ndpi_detection_module_struct *ndpi_str =
-        ndpi_malloc(sizeof(struct ndpi_detection_module_struct));
-
-    ndpi_str->hyperscan = (void*)ndpi_malloc(sizeof(struct hs));
+    comp_rx[i] = (struct pcre_struct*)ndpi_malloc(sizeof(struct pcre_struct));
 
-    if(!ndpi_str->hyperscan) {
-      free_hyperscan(ndpi_str, NULL);
-      return;
-    }
-
-    comp_rx[i] = (struct hs*)ndpi_str->hyperscan;
+    comp_rx[i]->compiled = pcre_compile(rce_regex[i], 0, &pcreErrorStr,
+                                        &pcreErrorOffset, NULL);
 
-    if (hs_compile(rce_regex[i], HS_FLAG_DOTALL, HS_MODE_BLOCK, NULL,
-        &comp_rx[i]->database, &compile_err) != HS_SUCCESS)
-    {
+    if(comp_rx[i]->compiled == NULL) {
       #ifdef DEBUG
-      NDPI_LOG_ERR(ndpi_str, "ERROR: Unable to compile pattern \"%s\": %s\n",
-                   rce_regex[i], compile_err->message);
+      NDPI_LOG_ERR(ndpi_str, "ERROR: Could not compile '%s': %s\n", rce_regex[i],
+                   pcreErrorStr);
       #endif
 
       continue;
     }
 
-    comp_rx[i]->scratch = NULL;
+    comp_rx[i]->optimized = pcre_study(comp_rx[i]->compiled, 0, &pcreErrorStr);
 
-    if(hs_alloc_scratch(comp_rx[i]->database, &comp_rx[i]->scratch) != HS_SUCCESS) {
+    if(pcreErrorStr != NULL) {
       #ifdef DEBUG
-      NDPI_LOG_ERR(ndpi_str, "ERROR: Unable to allocate hyperscan scratch space\n");
+      NDPI_LOG_ERR(ndpi_str, "ERROR: Could not study '%s': %s\n", rce_regex[i],
+                   pcreErrorStr);
       #endif
 
       continue;
     }
   }
 
-  free_hyperscan(NULL, compile_err);
+  free((void *)pcreErrorStr);
 }
 
-/* ********************************** */
-
 static int ndpi_is_rce_injection(char* query) {
   if (!initialized_comp_rx) {
     ndpi_compile_rce_regex();
     initialized_comp_rx = 1;
   }
 
-  hs_error_t status;
+  int pcreExecRet;
+  int subStrVec[30];
 
   for(int i = 0; i < N_RCE_REGEX; i++) {
     unsigned int length = strlen(query);
 
-    status = hs_scan(comp_rx[i]->database, query, length, 0, comp_rx[i]->scratch,
-                     NULL, (void *)rce_regex[i]);
+    pcreExecRet = pcre_exec(comp_rx[i]->compiled,
+                            comp_rx[i]->optimized,
+                            query,
+                            length,
+                            0,
+                            0,
+                            subStrVec,
+                            30);
 
-    if (status == HS_SUCCESS) {
+    if (pcreExecRet >= 0) {
       return 1;
     }
-    else if(status == HS_SCAN_TERMINATED) {
-      continue;
-    }
+    #ifdef DEBUG
     else {
-      #ifdef DEBUG
-      NDPI_LOG_ERR(ndpi_str, "ERROR: Unable to scan input buffer\n");
-      #endif
-
-      continue;
+      switch(pcreExecRet) {
+        case PCRE_ERROR_NOMATCH:
+          NDPI_LOG_ERR(ndpi_str, "ERROR: String did not match the pattern\n");
+          break;
+        case PCRE_ERROR_NULL:
+          NDPI_LOG_ERR(ndpi_str, "ERROR: Something was null\n");
+          break;
+        case PCRE_ERROR_BADOPTION:
+          NDPI_LOG_ERR(ndpi_str, "ERROR: A bad option was passed\n");
+          break;
+        case PCRE_ERROR_BADMAGIC:
+          NDPI_LOG_ERR(ndpi_str, "ERROR: Magic number bad (compiled re corrupt?)\n");
+          break;
+        case PCRE_ERROR_UNKNOWN_NODE:
+          NDPI_LOG_ERR(ndpi_str, "ERROR: Something kooky in the compiled re\n");
+          break;
+        case PCRE_ERROR_NOMEMORY:
+          NDPI_LOG_ERR(ndpi_str, "ERROR: Ran out of memory\n");
+          break;
+        default:
+          NDPI_LOG_ERR(ndpi_str, "ERROR: Unknown error\n");
+          break;
+      }
     }
+    #endif
   }
 
   size_t ushlen = sizeof(ush_commands) / sizeof(ush_commands[0]);
@@ -1368,7 +1361,7 @@ ndpi_url_risk ndpi_validate_url(char *url) {
 	    rc = ndpi_url_possible_xss;
 	  else if(ndpi_is_sql_injection(decoded))
 	    rc = ndpi_url_possible_sql_injection;
-#ifdef HAVE_HYPERSCAN
+#ifdef HAVE_PCRE
 	  else if(ndpi_is_rce_injection(decoded))
 	    rc = ndpi_url_possible_rce_injection;
 #endif
author	MrTiz9 <tiziano.marra@pm.me>	2020-01-30 15:08:26 +0100
committer	MrTiz9 <tiziano.marra@pm.me>	2020-01-30 15:08:26 +0100
commit	5c8c2d843afc38f6246c678ea41e81b1a88bcf17 (patch)
tree	b2637201942fbd9c1d78e09d4f4aa5e27176cf11 /src/lib/ndpi_utils.c
parent	ea957687e1f9444baa69d0b2b041c1b8cf70b2f6 (diff)