author | Luca Deri <deri@ntop.org> | 2020-06-26 22:37:52 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2020-06-26 22:37:52 +0200 |
commit | 8566288e43d0097f7739f1a9fc3eaa0631853ae6 (patch) | |
tree | 021b026ed94b94aaadf04aca97bf7253372e5eff /src/lib/protocols | |
parent | 8de62c6d34cbcd9419f82143aab39aeda0400dde (diff) |
Added malformed packet risk support
Diffstat (limited to 'src/lib/protocols')
-rw-r--r-- | src/lib/protocols/dhcp.c | 10 | ||||
-rw-r--r-- | src/lib/protocols/dns.c | 19 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 9 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 12 |
4 files changed, 31 insertions, 19 deletions
diff --git a/src/lib/protocols/dhcp.c b/src/lib/protocols/dhcp.c
index f40a8138c..5bf2a122c 100644
--- a/src/lib/protocols/dhcp.c
+++ b/src/lib/protocols/dhcp.c
@@ -89,8 +89,10 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru u_int8_t len = ndpi_min(dhcp->options[i+1] /* len as found in the packet */, dhcp_options_size - (i+2) /* 1 for the type and 1 for the value */); - if(len == 0) break; - + if(len == 0) + break; + + #ifdef DHCP_DEBUG NDPI_LOG_DBG2(ndpi_struct, "[DHCP] Id=%d [len=%d]\n", id, len); #endif
@@ -150,8 +152,8 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru } -void init_dhcp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) -{ +void init_dhcp_dissector(struct ndpi_detection_module_struct *ndpi_struct, + u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("DHCP", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_DHCP, ndpi_search_dhcp_udp,
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 897fb1e4b..5e6d01d69 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -104,9 +104,11 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, /* 0x8000 RESPONSE */ else if((dns_header->flags & FLAGS_MASK) == 0x8000) *is_query = 0; - else + else { + NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET); return(1 /* invalid */); - + } + if(*is_query) { /* DNS Request */ if((dns_header->num_queries > 0) && (dns_header->num_queries <= NDPI_MAX_DNS_REQUESTS)
@@ -125,16 +127,18 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, } else x++; } - } else + } else { + NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET); return(1 /* invalid */); + } } else { /* DNS Reply */ flow->protos.dns.reply_code = dns_header->flags & 0x0F; if((dns_header->num_queries > 0) && (dns_header->num_queries <= NDPI_MAX_DNS_REQUESTS) /* Don't assume that num_queries must be zero */ - && (((dns_header->num_answers > 0) && (dns_header->num_answers <= NDPI_MAX_DNS_REQUESTS)) - || ((dns_header->authority_rrs > 0) && (dns_header->authority_rrs <= NDPI_MAX_DNS_REQUESTS)) - || ((dns_header->additional_rrs > 0) && (dns_header->additional_rrs <= NDPI_MAX_DNS_REQUESTS))) + && ((((dns_header->num_answers > 0) && (dns_header->num_answers <= NDPI_MAX_DNS_REQUESTS)) + || ((dns_header->authority_rrs > 0) && (dns_header->authority_rrs <= NDPI_MAX_DNS_REQUESTS)) + || ((dns_header->additional_rrs > 0) && (dns_header->additional_rrs <= NDPI_MAX_DNS_REQUESTS)))) ) { /* This is a good reply: we dissect it both for request and response */
@@ -213,8 +217,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, (s_port == 5355) ? NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, NDPI_PROTOCOL_UNKNOWN); } - } else - return(1 /* invalid */); + } } /* Valid */
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 7d54d1470..dd6d39c88 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -594,7 +594,9 @@ static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *nd packet->payload_packet_len); /* Check first char */ - if(!packet->payload_packet_len || !strchr(http_fs,packet->payload[0])) return 0; + if(!packet->payload_packet_len || !strchr(http_fs,packet->payload[0])) + return 0; + /** FIRST PAYLOAD PACKET FROM CLIENT **/
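Review bot: In the last dns.c hunk (`@@ -213,8 +217,7 @@`) the reply-path `else return(1 /* invalid */);` is removed instead of being given the risk bit, so a DNS reply whose record counts fail the preceding check now appears to fall through to the `/* Valid */` path with nothing flagged. The two earlier dns.c hunks keep their invalid return and add `NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET);` next to it, which makes this one look unintentional. If it is, keep the branch as `} else { NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET); return(1 /* invalid */); }`; if accepting such replies is deliberate, a comment saying why would help. search_valid_dns starts and ends outside the hunk, so the fall-through should be confirmed against the full function.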
@@ -1011,9 +1013,10 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc ndpi_http_method ndpi_get_http_method(struct ndpi_detection_module_struct *ndpi_mod, struct ndpi_flow_struct *flow) { - if(!flow) + if(!flow) { + NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET); return(NDPI_HTTP_METHOD_UNKNOWN); - else + } else return(flow->http.method); }
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index b2cf1f23c..c9b2d0ee2 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -508,14 +508,18 @@ int processCertificate(struct ndpi_detection_module_struct *ndpi_struct, packet->payload[3], packet->payload[4], packet->payload[5]); #endif - if((packet->payload_packet_len != (length + 4)) || (packet->payload[1] != 0x0)) + if((packet->payload_packet_len != (length + 4)) || (packet->payload[1] != 0x0)) { + NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET); return(-1); /* Invalid length */ - + } + certificates_length = (packet->payload[4] << 16) + (packet->payload[5] << 8) + packet->payload[6]; - if((packet->payload[4] != 0x0) || ((certificates_length+3) != length)) + if((packet->payload[4] != 0x0) || ((certificates_length+3) != length)) { + NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET); return(-2); /* Invalid length */ - + } + if(!flow->l4.tcp.tls.srv_cert_fingerprint_ctx) { if((flow->l4.tcp.tls.srv_cert_fingerprint_ctx = (void*)ndpi_malloc(sizeof(SHA1_CTX))) == NULL) return(-3); /* Not enough memory */ |
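Review bot: In ndpi_get_http_method the added `NDPI_SET_BIT(flow->risk, NDPI_MALFORMED_PACKET);` sits inside the `if(!flow)` branch, so it dereferences `flow` exactly when it is NULL. What used to be a safe early return becomes a NULL-pointer dereference that can crash the process doing the inspection. There is no flow to record a risk on in that branch, so the line should be dropped and the branch left as `if(!flow) return(NDPI_HTTP_METHOD_UNKNOWN);`. A NULL flow is a caller error rather than a property of the packet, so NDPI_MALFORMED_PACKET would not be the right signal there in any case.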
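Review bot: In processCertificate the code after the first length check reads `packet->payload[4]` through `packet->payload[6]`, but the visible check only ties `payload_packet_len` to `length + 4`. For a record whose declared length is below 3 the payload would be shorter than 7 bytes and those reads would go past its end. Unless a caller already guarantees the minimum size (not visible here; `length` is computed outside the hunk), the first condition should reject short records too, e.g. `if((packet->payload_packet_len < 7) || (packet->payload_packet_len != (length + 4)) || (packet->payload[1] != 0x0))`, which also gets the new risk bit set for them. The function starts and ends outside the hunk.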