authorLuca Deri <deri@ntop.org>2021-08-17 19:04:07 +0200
committerLuca Deri <deri@ntop.org>2021-08-17 19:04:07 +0200
commit821f4c924945496f4ef6f943669b5be621d56381 (patch)
tree4b7e6ebdd7daa32e0a54864b8de848f527fc4583 /src/lib/protocols/tls.c
parenta2ea67152c63f28b75b639196681dc0ad7b1030e (diff)
Fixed some invalid TLS guesses
Diffstat (limited to 'src/lib/protocols/tls.c')
-rw-r--r--src/lib/protocols/tls.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index ecd5f177e..67909fc87 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -918,10 +918,14 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
processed += packet->payload_packet_len;
}
- } else {
+ } else if(len > 5 /* Minimum block size */) {
/* Process element as a whole */
if(content_type == 0x17 /* Application Data */) {
- ndpi_looks_like_tls(ndpi_struct, flow);
+ u_int32_t block_len = ntohs((flow->l4.tcp.tls.message.buffer[3] << 16) + (flow->l4.tcp.tls.message.buffer[4] << 8));
+
+ /* Let's do a quick check to make sure this really looks like TLS */
+ if(block_len < 16384 /* Max TLS block size */)
+ ndpi_looks_like_tls(ndpi_struct, flow);
if(flow->l4.tcp.tls.certificate_processed) {
if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow)
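Review bot: The `block_len` computed in the Application Data branch is not the TLS record length, so the `block_len < 16384` guard does not filter what its comment claims. The length field is the 16-bit big-endian value in bytes 3 and 4 of the record header, but the expression shifts those bytes by 16 and 8 and passes the sum to `ntohs()`, which takes a 16-bit argument. The `buffer[3]` term is therefore truncated away, and on a little-endian host the result is just `buffer[4]`, which is always below 16384. Assembling the value directly needs no byte-order call: `u_int16_t block_len = (flow->l4.tcp.tls.message.buffer[3] << 8) + flow->l4.tcp.tls.message.buffer[4];`. Once the length is read correctly, note that encrypted records may exceed 2^14 bytes by the ciphertext expansion the TLS RFCs allow (up to 2048 bytes in TLS 1.2), so a strict `< 16384` bound could reject valid traffic; the enclosing function starts and ends outside this hunk.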