diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-07-12 14:22:25 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-07-12 14:22:25 +0200 |
| commit | c3ba65311e2cf4aba8b51cdb6800a5654ef1d060 (patch) | |
| tree | 7f0aa30fc4ab1d0aaec75f08b84cb7f3705d29fa /src/lib/protocols | |
| parent | 456f0fd4279ae727831a80c506a343b8a9aedd90 (diff) | |
fuzzing: improve coverage (#2495)
Fix detection of WebDAV and Gnutella (over HTTP)
Fix detection of z3950
Add two fuzzers to test `ndpi_memmem()` and `ndpi_strnstr()`
Remove some dead code:
* RTP: the same exact check is performed at the very beginning of the
function
* MQTT: use a better helper to exclude the protocol
* Colletd: `ndpi_hostname_sni_set()` never fails
Update pl7m code (fix a Use-of-uninitialized-value error)
Diffstat (limited to 'src/lib/protocols')
| -rw-r--r-- | src/lib/protocols/collectd.c | 15 | ||||
| -rw-r--r-- | src/lib/protocols/gnutella.c | 4 | ||||
| -rw-r--r-- | src/lib/protocols/http.c | 8 | ||||
| -rw-r--r-- | src/lib/protocols/mqtt.c | 36 | ||||
| -rw-r--r-- | src/lib/protocols/rtp.c | 3 | ||||
| -rw-r--r-- | src/lib/protocols/ssh.c | 3 | ||||
| -rw-r--r-- | src/lib/protocols/z3950.c | 2 |
7 files changed, 34 insertions, 37 deletions
diff --git a/src/lib/protocols/collectd.c b/src/lib/protocols/collectd.c index 4e37a0768..3c878e9c9 100644 --- a/src/lib/protocols/collectd.c +++ b/src/lib/protocols/collectd.c @@ -101,11 +101,11 @@ static int ndpi_int_collectd_check_type(u_int16_t block_type) return 1; } -static int ndpi_int_collectd_dissect_hostname(struct ndpi_flow_struct * const flow, - struct ndpi_packet_struct const * const packet, - u_int16_t block_length) +static void ndpi_int_collectd_dissect_hostname(struct ndpi_flow_struct * const flow, + struct ndpi_packet_struct const * const packet, + u_int16_t block_length) { - return (ndpi_hostname_sni_set(flow, &packet->payload[4], block_length, NDPI_HOSTNAME_NORM_ALL) == NULL); + ndpi_hostname_sni_set(flow, &packet->payload[4], block_length, NDPI_HOSTNAME_NORM_ALL); } static int ndpi_int_collectd_dissect_username(struct ndpi_flow_struct * const flow, @@ -184,11 +184,8 @@ static void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struc return; } - if (hostname_length > 0 && - ndpi_int_collectd_dissect_hostname(flow, packet, hostname_length) != 0) - { - ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid collectd Header"); - } + if (hostname_length > 0) + ndpi_int_collectd_dissect_hostname(flow, packet, hostname_length); ndpi_int_collectd_add_connection(ndpi_struct, flow); } diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c index 94e1dc2ef..1e0f307eb 100644 --- a/src/lib/protocols/gnutella.c +++ b/src/lib/protocols/gnutella.c @@ -103,8 +103,10 @@ static void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struc || (memcmp(packet->payload, "GET /uri-res/", 13) == 0))) { c = 8; while (c < (packet->payload_packet_len - 9)) { - if (packet->payload[c] == '?') + if (packet->payload[c] == '?') { + c++; break; + } c++; } diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index bfb47f514..c57ed8441 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -1086,12 +1086,18 @@ static struct l_string { STATIC_STRING_L("DELETE "), STATIC_STRING_L("CONNECT "), STATIC_STRING_L("PROPFIND "), + STATIC_STRING_L("PROPPATCH "), + STATIC_STRING_L("MKCOL "), + STATIC_STRING_L("MOVE "), + STATIC_STRING_L("COPY "), + STATIC_STRING_L("LOCK "), + STATIC_STRING_L("UNLOCK "), STATIC_STRING_L("REPORT "), STATIC_STRING_L("RPC_CONNECT "), STATIC_STRING_L("RPC_IN_DATA "), STATIC_STRING_L("RPC_OUT_DATA ") }; -static const char *http_fs = "CDGHOPR"; +static const char *http_fs = "CDGHLMOPRU"; static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *ndpi_struct) { diff --git a/src/lib/protocols/mqtt.c b/src/lib/protocols/mqtt.c index ea2390d37..535cd02b1 100644 --- a/src/lib/protocols/mqtt.c +++ b/src/lib/protocols/mqtt.c @@ -93,7 +93,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &ndpi_struct->packet; if (flow->packet_counter > 10) { NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. mandatory header not found!\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } @@ -105,20 +105,20 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct, packet->payload_packet_len); if (packet->payload_packet_len < 2) { NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. mandatory header not found!\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } // we extract the remaining length rl = get_var_int(&packet->payload[1], packet->payload_packet_len - 1, &rl_len); if (rl < 0) { NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. invalid length!\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } NDPI_LOG_DBG(ndpi_struct, "Mqtt: msg_len %d\n", (unsigned long long)rl); if (packet->payload_packet_len != rl + 1 + rl_len) { NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. maximum packet size exceeded!\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } // we extract the packet type @@ -126,7 +126,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct, NDPI_LOG_DBG2(ndpi_struct,"====>>>> Mqtt packet type: [%d]\n",pt); if ((pt == 0) || (pt == 15)) { NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. invalid packet type!\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } // we extract the flags @@ -137,12 +137,12 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct, (pt == PUBCOMP) || (pt == SUBACK) || (pt == UNSUBACK) || (pt == PINGREQ) || (pt == PINGRESP) || (pt == DISCONNECT)) && (flags > 0)) { NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Flag combination flag!=0\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } if (((pt == PUBREL) || (pt == SUBSCRIBE) || (pt == UNSUBSCRIBE)) && (flags != 2)) { NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Flag combination flag!=2\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } NDPI_LOG_DBG2(ndpi_struct,"====>>>> Passed first stage of identification\n"); @@ -151,7 +151,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct, (pt == PUBREC) || (pt == PUBCOMP) || (pt == UNSUBACK)) { if (packet->payload_packet_len != 4) { // these packets are always 4 bytes long NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Length < 4 \n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } else { NDPI_LOG_INFO(ndpi_struct, "found Mqtt CONNACK/PUBACK/PUBREL/PUBREC/PUBCOMP/UNSUBACK\n"); @@ -162,7 +162,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct, if ((pt == PINGREQ) || (pt == PINGRESP) || (pt == DISCONNECT)) { if (packet->payload_packet_len != 2) { // these packets are always 2 bytes long NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Length <2 \n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } else { NDPI_LOG_INFO(ndpi_struct, "found Mqtt PING/PINGRESP/DISCONNECT\n"); @@ -183,25 +183,25 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t dup = (u_int8_t) (flags & 0x08) >> 3; if (qos > 2) { // qos values possible are 0,1,2 NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } if (qos == 0) { if (dup != 0) { NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos0 and dup combination\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } if (packet->payload_packet_len < 5) { // at least topic (3Bytes + 2Bytes fixed header) NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos0 size\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } } if ((qos == 1) || (qos == 2)) { if (packet->payload_packet_len < 7 ) { // at least topic + pkt identifier (3Bytes + 2Bytes + 2Bytes fixed header) NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos1&2\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } } @@ -212,7 +212,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct, if (pt == SUBSCRIBE) { if (packet->payload_packet_len < 8) { // at least one topic+filter is required in the payload NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid SUBSCRIBE\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } else { NDPI_LOG_INFO(ndpi_struct, "found Mqtt SUBSCRIBE\n"); @@ -223,7 +223,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct, if (pt == SUBACK ) { if (packet->payload_packet_len <5 ) { // must have at least a response code NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid SUBACK\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } else { NDPI_LOG_INFO(ndpi_struct, "found Mqtt SUBACK\n"); @@ -234,7 +234,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct, if (pt == UNSUBSCRIBE) { if (packet->payload_packet_len < 7) { // at least a topic NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid UNSUBSCRIBE\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } else { NDPI_LOG_INFO(ndpi_struct, "found Mqtt UNSUBSCRIBE\n"); @@ -242,9 +242,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct, return; } } - NDPI_LOG_DBG2(ndpi_struct,"====>>>> Passed third stage of identification"); - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; + /* We already checked every possible values of pt: we are never here */ } /** * Entry point for the ndpi library diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c index e05d0ee89..deaff776b 100644 --- a/src/lib/protocols/rtp.c +++ b/src/lib/protocols/rtp.c @@ -235,9 +235,6 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, NDPI_EXCLUDE_PROTO(ndpi_struct, flow); NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP); } - } else if(flow->packet_counter > 3) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP); } } } diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index fb5e200b8..fcb5db055 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -71,9 +71,6 @@ typedef struct { static void ssh_analyze_signature_version(struct ndpi_flow_struct *flow, char *str_to_check, u_int8_t is_client_signature) { - - if(str_to_check == NULL) return; - u_int i; u_int8_t obsolete_ssh_version = 0; const ssh_pattern ssh_servers_strings[] = diff --git a/src/lib/protocols/z3950.c b/src/lib/protocols/z3950.c index 96ae80560..92eed01b0 100644 --- a/src/lib/protocols/z3950.c +++ b/src/lib/protocols/z3950.c @@ -42,7 +42,7 @@ static int z3950_parse_sequences(struct ndpi_packet_struct const * const packet, pdu_type = packet->payload[0] & 0x1F; - if(((pdu_type < 20) || (pdu_type > 36)) && ((pdu_type < 43) || (pdu_type > 48))) + if((pdu_type < 20) || ((pdu_type > 36) && ((pdu_type < 43) || (pdu_type > 48)))) return(-1); while(cur_sequences++ < max_sequences) { |