authorLuca Deri <deri@ntop.org>2019-09-26 22:18:56 +0200
committerLuca Deri <deri@ntop.org>2019-09-26 22:18:56 +0200
commit194cdcf581f7d405fca191f99eedcb734e68f5ec (patch)
treea036e2621388401274edd0a6695d79b118ff7f17 /src/lib
parent7de9fd7170ab66e18580e536b32fd7de9849032a (diff)
Fixed false positive with STUN detection
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/protocols/stun.c50
1 files changed, 26 insertions, 24 deletions
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index cef2a1b31..448062f47 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -157,9 +157,9 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if(flow->protos.stun_ssl.stun.num_udp_pkts > 0) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
- return NDPI_IS_STUN;
+ return(NDPI_IS_STUN);
} else
- return NDPI_IS_NOT_STUN;
+ return(NDPI_IS_NOT_STUN);
}
if((strncmp((const char*)payload, (const char*)"RSP/", 4) == 0)
@@ -168,9 +168,11 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
goto udp_stun_found;
}
- msg_type = ntohs(h->msg_type);
- msg_len = ntohs(h->msg_len);
+ msg_type = ntohs(h->msg_type), msg_len = ntohs(h->msg_len);
+ if(msg_type == 0)
+ return(NDPI_IS_NOT_STUN);
+
/* https://www.iana.org/assignments/stun-parameters/stun-parameters.xhtml */
if ((msg_type & 0x3EEF) > 0x000B && msg_type != 0x0800) {
#ifdef DEBUG_STUN
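Review bot: The new `if(msg_type == 0)` guard has no comment saying why a zero message type is rejected, and it follows a comma-joined double assignment that is easy to misread as a single expression. A comment such as `/* 0x0000 is listed as reserved in the IANA STUN registry linked below; reject it to avoid false positives */` would keep the reason next to the check, and the two `ntohs()` assignments read better as separate statements. The range test on the following line, `(msg_type & 0x3EEF) > 0x000B`, does not reject zero, which is presumably why an all-zero header was classified as STUN before this change. The guard sits after the `goto udp_stun_found` shortcut visible at the top of the hunk, so flows taking that path never reach it; it is worth confirming that is intended. The enclosing function `ndpi_int_check_stun` starts and ends outside the hunk.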
@@ -195,12 +197,12 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if (payload_length == total_len) {
/* This is DTLS and the only protocol we know behaves like this is signal */
flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL;
- return NDPI_IS_STUN;
+ return(NDPI_IS_STUN);
}
}
}
- return NDPI_IS_NOT_STUN;
+ return(NDPI_IS_NOT_STUN);
}
#if 0
@@ -236,7 +238,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
#endif
flow->guessed_host_protocol_id = proto;
- return NDPI_IS_STUN;
+ return(NDPI_IS_STUN);
} else {
#ifdef DEBUG_LRU
printf("[LRU] NOT FOUND %u\n", key);
@@ -258,7 +260,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if (!msg_len) {
/* flow->protos.stun_ssl.stun.num_udp_pkts++; */
- return NDPI_IS_NOT_STUN; /* This to keep analyzing STUN instead of giving up */
+ return(NDPI_IS_NOT_STUN); /* This to keep analyzing STUN instead of giving up */
}
}
@@ -271,11 +273,11 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if((payload[0] == 0x80 && payload_length < 512 && ((msg_len+20) <= payload_length))) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
- return NDPI_IS_STUN; /* This is WhatsApp Call */
+ return(NDPI_IS_STUN); /* This is WhatsApp Call */
} else if((payload[0] == 0x90) && (((msg_len+11) == payload_length) ||
(flow->protos.stun_ssl.stun.num_binding_requests >= 4))) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
- return NDPI_IS_STUN; /* This is WhatsApp Call */
+ return(NDPI_IS_STUN); /* This is WhatsApp Call */
}
if (payload[0] != 0x80 && (msg_len + 20) > payload_length)
@@ -322,7 +324,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
switch(attribute) {
case 0x0103:
flow->guessed_host_protocol_id = NDPI_PROTOCOL_ZOOM;
- return NDPI_IS_STUN;
+ return(NDPI_IS_STUN);
break;
case 0x4000:
@@ -330,7 +332,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
case 0x4002:
/* These are the only messages apparently whatsapp voice can use */
flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
- return NDPI_IS_STUN;
+ return(NDPI_IS_STUN);
break;
case 0x0014: /* Realm */
@@ -352,10 +354,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if (strstr((char*) flow->host_server_name, "google.com") != NULL) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
- return NDPI_IS_STUN;
+ return(NDPI_IS_STUN);
} else if (strstr((char*) flow->host_server_name, "whispersystems.org") != NULL) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL;
- return NDPI_IS_STUN;
+ return(NDPI_IS_STUN);
}
}
}
@@ -365,14 +367,14 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if (msg_type == 0x0001) {
if ((msg_len == 100) || (msg_len == 104)) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER;
- return NDPI_IS_STUN;
+ return(NDPI_IS_STUN);
} else if(msg_len == 76) {
#if 0
if(1) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
- return NDPI_IS_NOT_STUN; /* This case is found also with signal traffic */
+ return(NDPI_IS_NOT_STUN); /* This case is found also with signal traffic */
} else
- return NDPI_IS_STUN;
+ return(NDPI_IS_STUN);
#endif
}
}
@@ -389,7 +391,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
printf("==> Skype found\n");
#endif
flow->guessed_host_protocol_id = NDPI_PROTOCOL_SKYPE_CALL;
- return NDPI_IS_STUN;
+ return(NDPI_IS_STUN);
}
break;
@@ -410,7 +412,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
#endif
flow->guessed_host_protocol_id = NDPI_PROTOCOL_SKYPE_CALL;
- return NDPI_IS_STUN;
+ return(NDPI_IS_STUN);
break;
case 0x8070: /* Implementation Version */
@@ -422,13 +424,13 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
#endif
flow->guessed_host_protocol_id = NDPI_PROTOCOL_SKYPE_CALL;
- return NDPI_IS_STUN;
+ return(NDPI_IS_STUN);
}
break;
case 0xFF03:
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
- return NDPI_IS_STUN;
+ return(NDPI_IS_STUN);
break;
default:
@@ -444,15 +446,15 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
goto udp_stun_found;
} else if(msg_type == 0x0800) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
- return NDPI_IS_STUN;
+ return(NDPI_IS_STUN);
}
}
if ((flow->protos.stun_ssl.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
- return NDPI_IS_STUN;
+ return(NDPI_IS_STUN);
} else
- return NDPI_IS_NOT_STUN;
+ return(NDPI_IS_NOT_STUN);
udp_stun_found:
flow->protos.stun_ssl.stun.num_processed_pkts++;