authorLuca Deri <deri@ntop.org>2016-12-05 13:58:43 +0100
committerLuca Deri <deri@ntop.org>2016-12-05 13:58:43 +0100
commit22ee4392158fcbd94b4f4111832e28503b07e615 (patch)
tree98f4d0486267aacd641b65d94ad2bea0e729c9d2 /src/lib/protocols
parent582f5e0f72ec1c2afe0a99333f5b9941f22de659 (diff)
Added memory check in patricia tree
Improved AFP dissection
Updated DHCP test results
Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/afp.c70
1 files changed, 41 insertions, 29 deletions
diff --git a/src/lib/protocols/afp.c b/src/lib/protocols/afp.c
index 74b98b8d0..1a5914fc9 100644
--- a/src/lib/protocols/afp.c
+++ b/src/lib/protocols/afp.c
@@ -2,7 +2,7 @@
* afp.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-16 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -27,6 +27,12 @@
#ifdef NDPI_PROTOCOL_AFP
+struct afpHeader {
+ u_int8_t flags, command;
+ u_int16_t requestId;
+ u_int32_t dataOffset, length, reserved;
+};
+
static void ndpi_int_afp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AFP, NDPI_PROTOCOL_UNKNOWN);
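Review bot: `struct afpHeader` is added without any comment, although `ndpi_search_afp` later overlays it directly on the packet payload, so its layout has to match the wire format exactly. I would put a header comment above it such as `/* DSI header as seen on the wire (16 bytes, no padding); multi-byte fields are in network byte order and must be converted with ntohs()/ntohl() before use */`. The 16-byte size follows from the field types shown here, and the byte order is inferred from the `ntohl(h->length)` call in the next hunk, so confirm it for `requestId` and `dataOffset`.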
@@ -36,36 +42,42 @@ static void ndpi_int_afp_add_connection(struct ndpi_detection_module_struct *ndp
void ndpi_search_afp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
- // struct ndpi_id_struct *src = flow->src;
- // struct ndpi_id_struct *dst = flow->dst;
-
- /*
- * this will detect the OpenSession command of the Data Stream Interface (DSI) protocol
- * which is exclusively used by the Apple Filing Protocol (AFP) on TCP/IP networks
- */
- if (packet->payload_packet_len >= 22 && get_u_int16_t(packet->payload, 0) == htons(0x0004) &&
- get_u_int16_t(packet->payload, 2) == htons(0x0001) && get_u_int32_t(packet->payload, 4) == 0 &&
- get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) &&
- get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0104)) {
-
- NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI OpenSession detected.\n");
- ndpi_int_afp_add_connection(ndpi_struct, flow);
- return;
- }
- /*
- * detection of GetStatus command of DSI protocol
- */
- if (packet->payload_packet_len >= 18 && get_u_int16_t(packet->payload, 0) == htons(0x0003) &&
- get_u_int16_t(packet->payload, 2) == htons(0x0001) && get_u_int32_t(packet->payload, 4) == 0 &&
- get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) &&
- get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0f00)) {
-
- NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI GetStatus detected.\n");
- ndpi_int_afp_add_connection(ndpi_struct, flow);
- return;
- }
+ if (packet->payload_packet_len >= sizeof(struct afpHeader)) {
+ struct afpHeader *h = (struct afpHeader*)packet->payload;
+
+ if(packet->payload_packet_len > 128) {
+ /*
+ When we transfer a large data chunk, unless we have observed
+ the initial connection, we need to discard these packets
+ as they are not an indication that this flow is not AFP
+ */
+ return;
+ }
+ /*
+ * this will detect the OpenSession command of the Data Stream Interface (DSI) protocol
+ * which is exclusively used by the Apple Filing Protocol (AFP) on TCP/IP networks
+ */
+ if (packet->payload_packet_len >= 22 && get_u_int16_t(packet->payload, 0) == htons(0x0004) &&
+ get_u_int16_t(packet->payload, 2) == htons(0x0001) && get_u_int32_t(packet->payload, 4) == 0 &&
+ get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) &&
+ get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0104)) {
+
+ NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI OpenSession detected.\n");
+ ndpi_int_afp_add_connection(ndpi_struct, flow);
+ return;
+ }
+
+ if((h->flags <= 1)
+ && ((h->command >= 1) && (h->command <= 8))
+ && (h->reserved == 0)
+ && (packet->payload_packet_len >= (sizeof(struct afpHeader)+ntohl(h->length)))) {
+ NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI detected.\n");
+ ndpi_int_afp_add_connection(ndpi_struct, flow);
+ return;
+ }
+ }
NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP excluded.\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_AFP);
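Review bot: The generic DSI test adds the packet-supplied 32-bit `ntohl(h->length)` to `sizeof(struct afpHeader)` before comparing, so on a build where `size_t` is 32 bits a length near 0xFFFFFFFF wraps the sum and the flow is labelled AFP whatever its real size. The outer guard already guarantees a full header, so the comparison can be turned around: `&& (ntohl(h->length) <= (packet->payload_packet_len - sizeof(struct afpHeader)))`. The match is also loose, since it uses `>=` rather than equality and otherwise checks only `flags`, the `command` range and a zero `reserved` field, so consumers that apply policy on this label should expect false positives from unrelated 16–128 byte payloads. Separately, `h` comes from casting `packet->payload`, which is not guaranteed to be 4-byte aligned; copying the header into a local `struct afpHeader` with `memcpy` avoids unaligned loads on strict-alignment targets. The closing brace of `ndpi_search_afp` lies outside the hunk.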