authorLuca Deri <deri@ntop.org>2015-08-03 14:35:31 +0200
committerLuca Deri <deri@ntop.org>2015-08-03 14:35:31 +0200
commit449742e69dbb7bfb34b7436e5e83549a9d5a4293 (patch)
tree275d13f4099511e336f291f35abb5aa6b689be4e /src/lib/protocols/netflow.c
parentbc786b48fae9062a9ba02f99ac35c3da56ac07a1 (diff)
Fixed a bug in the STUN dissector courtesy of Asher Yermiyahu
Fixed a bug in the NetFlow dissector that caused flows to be wrongly decoded as NetFlow. Updated test results for starcraft and whatsapp
Diffstat (limited to 'src/lib/protocols/netflow.c')
-rw-r--r--src/lib/protocols/netflow.c94
1 files changed, 89 insertions, 5 deletions
diff --git a/src/lib/protocols/netflow.c b/src/lib/protocols/netflow.c
index 31d679765..30bb898f2 100644
--- a/src/lib/protocols/netflow.c
+++ b/src/lib/protocols/netflow.c
@@ -30,6 +30,73 @@ extern int gettimeofday(struct timeval * tp, struct timezone * tzp);
#define do_gettimeofday(a) gettimeofday(a, NULL)
#endif
+struct flow_ver1_rec {
+ u_int32_t srcaddr; /* Source IP Address */
+ u_int32_t dstaddr; /* Destination IP Address */
+ u_int32_t nexthop; /* Next hop router's IP Address */
+ u_int16_t input; /* Input interface index */
+ u_int16_t output; /* Output interface index */
+ u_int32_t dPkts; /* Packets sent in Duration */
+ u_int32_t dOctets; /* Octets sent in Duration */
+ u_int32_t first; /* SysUptime at start of flow */
+ u_int32_t last; /* and of last packet of the flow */
+ u_int16_t srcport; /* TCP/UDP source port number (.e.g, FTP, Telnet, etc.,or equivalent) */
+ u_int16_t dstport; /* TCP/UDP destination port number (.e.g, FTP, Telnet, etc.,or equivalent) */
+ u_int16_t pad; /* pad to word boundary */
+ u_int8_t proto; /* IP protocol, e.g., 6=TCP, 17=UDP, etc... */
+ u_int8_t tos; /* IP Type-of-Service */
+ u_int8_t pad2[7]; /* pad to word boundary */
+};
+
+struct flow_ver5_rec {
+ u_int32_t srcaddr; /* Source IP Address */
+ u_int32_t dstaddr; /* Destination IP Address */
+ u_int32_t nexthop; /* Next hop router's IP Address */
+ u_int16_t input; /* Input interface index */
+ u_int16_t output; /* Output interface index */
+ u_int32_t dPkts; /* Packets sent in Duration (milliseconds between 1st
+ & last packet in this flow)*/
+ u_int32_t dOctets; /* Octets sent in Duration (milliseconds between 1st
+ & last packet in this flow)*/
+ u_int32_t first; /* SysUptime at start of flow */
+ u_int32_t last; /* and of last packet of the flow */
+ u_int16_t srcport; /* TCP/UDP source port number (.e.g, FTP, Telnet, etc.,or equivalent) */
+ u_int16_t dstport; /* TCP/UDP destination port number (.e.g, FTP, Telnet, etc.,or equivalent) */
+ u_int8_t pad1; /* pad to word boundary */
+ u_int8_t tcp_flags; /* Cumulative OR of tcp flags */
+ u_int8_t proto; /* IP protocol, e.g., 6=TCP, 17=UDP, etc... */
+ u_int8_t tos; /* IP Type-of-Service */
+ u_int16_t src_as; /* source peer/origin Autonomous System */
+ u_int16_t dst_as; /* dst peer/origin Autonomous System */
+ u_int8_t src_mask; /* source route's mask bits */
+ u_int8_t dst_mask; /* destination route's mask bits */
+ u_int16_t pad2; /* pad to word boundary */
+};
+
+struct flow_ver7_rec {
+ u_int32_t srcaddr; /* Source IP Address */
+ u_int32_t dstaddr; /* Destination IP Address */
+ u_int32_t nexthop; /* Next hop router's IP Address */
+ u_int16_t input; /* Input interface index */
+ u_int16_t output; /* Output interface index */
+ u_int32_t dPkts; /* Packets sent in Duration */
+ u_int32_t dOctets; /* Octets sent in Duration */
+ u_int32_t first; /* SysUptime at start of flow */
+ u_int32_t last; /* and of last packet of the flow */
+ u_int16_t srcport; /* TCP/UDP source port number (.e.g, FTP, Telnet, etc.,or equivalent) */
+ u_int16_t dstport; /* TCP/UDP destination port number (.e.g, FTP, Telnet, etc.,or equivalent) */
+ u_int8_t flags; /* Shortcut mode(dest only,src only,full flows*/
+ u_int8_t tcp_flags; /* Cumulative OR of tcp flags */
+ u_int8_t proto; /* IP protocol, e.g., 6=TCP, 17=UDP, etc... */
+ u_int8_t tos; /* IP Type-of-Service */
+ u_int16_t dst_as; /* dst peer/origin Autonomous System */
+ u_int16_t src_as; /* source peer/origin Autonomous System */
+ u_int8_t dst_mask; /* destination route's mask bits */
+ u_int8_t src_mask; /* source route's mask bits */
+ u_int16_t pad2; /* pad to word boundary */
+ u_int32_t router_sc; /* Router which is shortcut by switch */
+};
+
static void ndpi_check_netflow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
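Review bot: The three record structs added in this hunk are consumed only through `sizeof` in the length check of the next hunk (`expected_len = n * sizeof(struct flow_ver1_rec) + 16`), yet nothing pins their size to the record size that check is meant to compare against. For `flow_ver1_rec` the declared fields sum to 47 bytes, so `sizeof` comes out as 48 only through trailing alignment padding of the 4-byte members on typical ABIs, whereas `flow_ver5_rec` (48) and `flow_ver7_rec` (52) sum without padding; a packed attribute or a different ABI would silently change the v1 check. A compile-time guard next to the definitions makes the dependency explicit, e.g. `_Static_assert(sizeof(struct flow_ver1_rec) == 48, "NetFlow v1 record size");` with the corresponding 48 and 52 for v5 and v7, if the build permits C11, otherwise a comment stating the sizes the dissector expects. A one-line comment above the structs saying they are used for length arithmetic only and never for aliasing packet bytes would also spare the next reader from assuming they are safe to cast onto `packet->payload`.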
@@ -41,19 +108,36 @@ static void ndpi_check_netflow(struct ndpi_detection_module_struct *ndpi_struct,
if((packet->udp != NULL) && (payload_len >= 24)) {
u_int16_t version = (packet->payload[0] << 8) + packet->payload[1], uptime_offset;
u_int32_t when, *_when;
- u_int16_t n = (packet->payload[2] << 8) + packet->payload[3];
+ u_int16_t n = (packet->payload[2] << 8) + packet->payload[3], expected_len = 0;
switch(version) {
case 1:
case 5:
case 7:
case 9:
- {
- u_int16_t num_flows = n;
+ if((n == 0) || (n > 30))
+ return;
+
+ switch(version) {
+ case 1:
+ expected_len = n * sizeof(struct flow_ver1_rec) + 16 /* header */;
+ break;
+ case 5:
+ expected_len = n * sizeof(struct flow_ver5_rec) + 24 /* header */;
+ break;
+ case 7:
+ expected_len = n * sizeof(struct flow_ver7_rec) + 24 /* header */;
+ break;
+ case 9:
+ /* We need to check the template */
+ break;
+ }
- if((num_flows == 0) || (num_flows > 30))
- return;
+ if((expected_len > 0) && (expected_len != payload_len)) {
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_NETFLOW);
+ return;
}
+
uptime_offset = 8;
break;
case 10: /* IPFIX */