authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2024-01-12 13:30:43 +0100
committerGitHub <noreply@github.com>2024-01-12 13:30:43 +0100
commitdd8be1fcb11089b22ab5eb7332d5640b4cae80b0 (patch)
tree775a44bbbaeced406a3df3931f5d786f7a517e15 /src/lib/protocols
parent0aea509e23e0f0bd368f4796dcf0542d5c9108c7 (diff)
Fix some warnings reported by CODESonar (#2227)
Remove some unreached/duplicated code. Add error checking for `atoi()` calls. About `isdigit()` and similar functions, the warning reported is: ``` Negative Character Value help isdigit() is invoked here with an argument of signed type char, but only has defined behavior for int arguments that are either representable as unsigned char or equal to the value of macro EOF(-1). Casting the argument to unsigned char will avoid the undefined behavior. In a number of libc implementations, isdigit() is implemented using lookup tables (arrays): passing in a negative value can result in a read underrun. ``` Switching to our macros fixes that. Add a check to `check_symbols.sh` to avoid using the original functions from libc.
Diffstat (limited to 'src/lib/protocols')
8 files changed, 11 insertions, 23 deletions
diff --git a/src/lib/protocols/checkmk.c b/src/lib/protocols/checkmk.c
index c70e2a478..cfc70f451 100644
--- a/src/lib/protocols/checkmk.c
+++ b/src/lib/protocols/checkmk.c
@@ -60,7 +60,7 @@ static void ndpi_search_checkmk(struct ndpi_detection_module_struct *ndpi_struct
* this will detect the OpenSession command of the Data Stream Interface (DSI) protocol
* which is exclusively used by the Apple Filing Protocol (AFP) on TCP/IP networks
*/
- if (packet->payload_packet_len >= 15 && packet->payload_packet_len < 100
+ if (packet->payload_packet_len < 100
&& memcmp(packet->payload, "<<<check_mk>>>", 14) == 0) {
NDPI_LOG_DBG(ndpi_struct, "Check_MK: Flow detected.\n");
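Review bot: The 14-byte `memcmp()` on `packet->payload` now has no lower bound on `payload_packet_len` anywhere in the visible lines. The removed `>= 15` test was presumably redundant with an enclosing check outside this hunk, and the read stays in bounds only while that outer check exists. I would record the dependency next to the condition, e.g. `/* payload_packet_len >= 15 is guaranteed by the enclosing check */`, so a later refactor does not drop it. The comment kept above the condition also describes the DSI/AFP OpenSession command, while the code matches the `<<<check_mk>>>` marker, so it should be reworded to describe this dissector. The body of ndpi_search_checkmk starts and ends outside the hunk.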
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 547da36c5..8bef69461 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -253,7 +253,7 @@ static u_int8_t ndpi_grab_dns_name(struct ndpi_packet_struct *packet,
hostname_is_valid = 0;
- if (isprint(c) == 0) {
+ if (ndpi_isprint(c) == 0) {
_hostname[j++] = '?';
} else {
_hostname[j++] = '_';
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 7943c1b15..b0bbd30ca 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -122,7 +122,7 @@ static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_
/* *********************************************** */
static int ndpi_http_is_print(char c) {
- if(isprint(c) || (c == '\t') || (c == '\r') || (c == '\n'))
+ if(ndpi_isprint(c) || (c == '\t') || (c == '\r') || (c == '\n'))
return(1);
else
return(0);
@@ -568,11 +568,11 @@ static void ndpi_check_user_agent(struct ndpi_detection_module_struct *ndpi_stru
* We assume at least one non alpha char.
* e.g. ' ', '-' or ';' ...
*/
- if (isalpha(ua[i]) == 0)
+ if (ndpi_isalpha(ua[i]) == 0)
{
break;
}
- if (isupper(ua[i]) != 0)
+ if (isupper((unsigned char)ua[i]) != 0)
{
upper_case_count++;
}
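Review bot: The `isupper()` call right after the `ndpi_isalpha()` change still goes to libc, so this loop classifies the same byte with two different implementations. The `(unsigned char)` cast removes the undefined behaviour the commit is about, but libc `isupper()` is locale-dependent, and the commit message says `check_symbols.sh` is meant to keep the libc functions out. Since `ndpi_isalpha(ua[i])` has already passed at this point, a plain range test such as `if (ua[i] >= 'A' && ua[i] <= 'Z')` would presumably be equivalent and keep the file on one convention. Otherwise a short comment explaining why libc is kept here would help. The loop itself starts outside the hunk.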
@@ -771,7 +771,7 @@ static void ndpi_check_http_server(struct ndpi_detection_module_struct *ndpi_str
char buf[16] = { '\0' };
for(i=off, j=0; (i<server_len) && (j<sizeof(buf)-1)
- && (isdigit(server[i]) || (server[i] == '.')); i++)
+ && (ndpi_isdigit(server[i]) || (server[i] == '.')); i++)
buf[j++] = server[i];
if(sscanf(buf, "%d.%d.%d", &a, &b, &c) == 3) {
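Review bot: The `sscanf(buf, "%d.%d.%d", ...)` that consumes the copied version string has no field widths, and `buf` can hold up to 15 characters taken from the Server header, so a long digit run overflows the `%d` conversion, which the C standard leaves undefined. This is the same class of problem the commit addresses for `atoi()`. Bounding each field, e.g. `sscanf(buf, "%5d.%5d.%5d", &a, &b, &c)`, or parsing with `strtol()` and a range check, keeps the result defined for any peer-supplied header. The declarations of `a`, `b` and `c` are outside the hunk, so their type should be checked against `%d` as well.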
@@ -790,7 +790,7 @@ static void ndpi_check_http_server(struct ndpi_detection_module_struct *ndpi_str
/* Check server content */
for(i=0; i<server_len; i++) {
- if(!isprint(server[i])) {
+ if(!ndpi_isprint(server[i])) {
ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, "Suspicious Agent");
break;
}
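Review bot: The risk text passed to `ndpi_set_risk()` here is `"Suspicious Agent"`, although, going by the hunk header, this loop is in `ndpi_check_http_server()` and scans the `server` buffer. An analyst triaging the alert would be pointed at the User-Agent rather than the Server header. Unless the string is shared with the user-agent check on purpose, something like `"Suspicious Server"` would describe the finding more accurately. The end of the loop is outside the hunk.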
@@ -816,7 +816,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
&& (packet->host_line.len > 0)) {
int len = packet->http_url_name.len + packet->host_line.len + 1;
- if(isdigit(packet->host_line.ptr[0])
+ if(ndpi_isdigit(packet->host_line.ptr[0])
&& (packet->host_line.len < 21))
ndpi_check_numeric_ip(ndpi_struct, flow, (char*)packet->host_line.ptr, packet->host_line.len);
diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c
index ae09493b9..7ff120982 100644
--- a/src/lib/protocols/kerberos.c
+++ b/src/lib/protocols/kerberos.c
@@ -487,7 +487,7 @@ static void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struc
name_offset += 1;
if(name_offset < packet->payload_packet_len - 1 &&
- isprint(packet->payload[name_offset+1]) == 0) /* Isn't printable ? */
+ ndpi_isprint(packet->payload[name_offset+1]) == 0) /* Isn't printable ? */
{
name_offset++;
}
diff --git a/src/lib/protocols/mqtt.c b/src/lib/protocols/mqtt.c
index b6eff8c4c..c88844a09 100644
--- a/src/lib/protocols/mqtt.c
+++ b/src/lib/protocols/mqtt.c
@@ -180,18 +180,12 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
if (pt == PUBLISH) {
// payload CAN be zero bytes length (section 3.3.3 of MQTT standard)
u_int8_t qos = (u_int8_t) (flags & 0x06);
- u_int8_t retain = (u_int8_t) (flags & 0x01);
u_int8_t dup = (u_int8_t) (flags & 0x04);
if (qos > 2) { // qos values possible are 0,1,2
NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
return;
}
- if (retain > 1) { // retain flag possible 0,1
- NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH retain\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
- return;
- }
if (dup > 1) { // dup flag possible 0,1
NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH dup\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
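Review bot: The remaining `dup > 1` test looks as unreachable as the `retain` test this commit removes, and the `qos > 2` test does not check what its comment says. `flags & 0x06` is not shifted, so `qos` can only be 0, 2, 4 or 6, and `flags & 0x04` is 0 or 4; whenever bit 2 is set, `qos` is at least 4 and the function has already returned. If `flags` is the low nibble of the fixed header's first byte (it is set outside the hunk), MQTT puts DUP in bit 3 and QoS in bits 2-1, so valid QoS 2 traffic is excluded as invalid. I would extract the fields as `u_int8_t qos = (u_int8_t)((flags & 0x06) >> 1);` and `u_int8_t dup = (u_int8_t)((flags & 0x08) >> 3);`, keep `qos > 2` to reject only the reserved value 3, and drop the `dup > 1` block.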
diff --git a/src/lib/protocols/protobuf.c b/src/lib/protocols/protobuf.c
index 2ba63670d..003cc2fad 100644
--- a/src/lib/protocols/protobuf.c
+++ b/src/lib/protocols/protobuf.c
@@ -92,11 +92,6 @@ protobuf_dissect_varint(struct ndpi_packet_struct const * const packet,
}
}
- if (i == 10)
- {
- return -1;
- }
-
*offset += i + 1;
return 0;
}
diff --git a/src/lib/protocols/tcp_udp.c b/src/lib/protocols/tcp_udp.c
index f6194c2f7..2f3e37f72 100644
--- a/src/lib/protocols/tcp_udp.c
+++ b/src/lib/protocols/tcp_udp.c
@@ -56,8 +56,7 @@ void ndpi_search_tcp_or_udp(struct ndpi_detection_module_struct *ndpi_struct, st
if(packet->iph /* IPv4 Only: we need to support packet->iphv6 at some point */) {
proto = ndpi_search_tcp_or_udp_raw(ndpi_struct,
flow,
- packet->iph ? packet->iph->protocol :
- packet->iphv6->ip6_hdr.ip6_un1_nxt,
+ flow->l4_proto,
ntohl(packet->iph->saddr),
ntohl(packet->iph->daddr));
diff --git a/src/lib/protocols/telegram.c b/src/lib/protocols/telegram.c
index 6d457d45f..8c9d18866 100644
--- a/src/lib/protocols/telegram.c
+++ b/src/lib/protocols/telegram.c
@@ -75,7 +75,7 @@ static void ndpi_search_telegram(struct ndpi_detection_module_struct *ndpi_struc
u_int16_t sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest);
if(is_telegram_port_range(sport) || is_telegram_port_range(dport)) {
- u_int i=0, found = 0;
+ u_int i, found = 0;
for(i=0; i<packet->payload_packet_len; i++) {
if(packet->payload[i] == 0xFF) {