authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2022-01-29 09:18:32 +0100
committerGitHub <noreply@github.com>2022-01-29 09:18:32 +0100
commit0c70411b1b093279f3d7c09b2b57b491911df84c (patch)
tree993145c834d91aae2cd72044ae940f77557cf713 /src/lib
parent86b97ffb73edc0965ee1784c8182e715c2d932e3 (diff)
Make some protocols more "big-endian" friendly (#1402)
See #1312
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/ndpi_main.c6
-rw-r--r--src/lib/protocols/cassandra.c4
-rw-r--r--src/lib/protocols/mongodb.c8
-rw-r--r--src/lib/protocols/mysql.c31
-rw-r--r--src/lib/protocols/stun.c4
-rw-r--r--src/lib/protocols/tls.c2
6 files changed, 29 insertions, 26 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 4c118bc03..54f03916d 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4956,7 +4956,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
if(ndpi_str->msteams_cache)
ndpi_lru_add_to_cache(ndpi_str->msteams_cache,
- flow->saddr,
+ ntohl(flow->saddr),
(flow->last_packet_time_ms / 1000) & 0xFFFF /* 16 bit */);
}
break;
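Review bot: The `ntohl(flow->saddr)` conversion is now repeated at three call sites (here and in the next two hunks of ndpi_reconcile_protocols), and nothing records that msteams_cache keys are kept in host byte order. A later call site that passes the raw `flow->saddr` would compile and, on little-endian hosts, never match entries stored with the converted key, which would silently change classification results. I would add a comment at the first use such as `/* msteams_cache key: IPv4 source address in host byte order */`, or move the conversion into a small static helper used by all three calls. The function body starts and ends outside these hunks.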
@@ -4968,7 +4968,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
&& ndpi_str->msteams_cache) {
u_int16_t when;
- if(ndpi_lru_find_cache(ndpi_str->msteams_cache, flow->saddr,
+ if(ndpi_lru_find_cache(ndpi_str->msteams_cache, ntohl(flow->saddr),
&when, 0 /* Don't remove it as it can be used for other connections */)) {
u_int16_t tdiff = ((flow->last_packet_time_ms /1000) & 0xFFFF) - when;
@@ -4978,7 +4978,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
/* Refresh cache */
ndpi_lru_add_to_cache(ndpi_str->msteams_cache,
- flow->saddr,
+ ntohl(flow->saddr),
(flow->last_packet_time_ms / 1000) & 0xFFFF /* 16 bit */);
}
}
diff --git a/src/lib/protocols/cassandra.c b/src/lib/protocols/cassandra.c
index d790f942a..15b3b0015 100644
--- a/src/lib/protocols/cassandra.c
+++ b/src/lib/protocols/cassandra.c
@@ -115,8 +115,8 @@ void ndpi_search_cassandra(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_check_valid_cassandra_version(get_u_int8_t(packet->payload, 0)) &&
ndpi_check_valid_cassandra_flags(get_u_int8_t(packet->payload, 1)) &&
ndpi_check_valid_cassandra_opcode(get_u_int8_t(packet->payload, 4)) &&
- get_u_int32_t(packet->payload, 5) <= CASSANDRA_MAX_BODY_SIZE &&
- get_u_int32_t(packet->payload, 5) >= (uint32_t) (packet->payload_packet_len - CASSANDRA_HEADER_LEN)) {
+ le32toh(get_u_int32_t(packet->payload, 5)) <= CASSANDRA_MAX_BODY_SIZE &&
+ le32toh(get_u_int32_t(packet->payload, 5)) >= (uint32_t) (packet->payload_packet_len - CASSANDRA_HEADER_LEN)) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CASSANDRA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
return;
}
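Review bot: `le32toh()` on the body length at offset 5 keeps the value little-endian hosts were already computing, but it should be confirmed that this is the field's byte order on the wire. As far as I recall, the Cassandra native protocol defines frame integers as big-endian, in which case `ntohl()` would be the right conversion and both bounds checks currently compare a byte-swapped length. Separately, the field is loaded and converted twice, and offset 5 is not 4-byte aligned, which may matter on strict-alignment targets if `get_u_int32_t` is a plain pointer cast (its definition is not visible here). Reading it once before the condition, e.g. `u_int32_t body_len = le32toh(get_u_int32_t(packet->payload, 5));`, would make both comparisons easier to audit. The start of the `if` condition is outside the hunk.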
diff --git a/src/lib/protocols/mongodb.c b/src/lib/protocols/mongodb.c
index 09e4662d8..5b462cda2 100644
--- a/src/lib/protocols/mongodb.c
+++ b/src/lib/protocols/mongodb.c
@@ -44,7 +44,7 @@ struct mongo_message_header
uint32_t message_length;
uint32_t request_id;
uint32_t response_to;
- enum mongo_opcodes op_code;
+ uint32_t op_code; /* enum mongo_opcodes */
};
static void set_mongodb_detected(struct ndpi_detection_module_struct *ndpi_struct,
@@ -78,15 +78,15 @@ static void ndpi_check_mongodb(struct ndpi_detection_module_struct *ndpi_struct,
/* All MongoDB numbers are in host byte order */
// mongodb_hdr.message_length = ntohl(mongodb_hdr.message_length);
- if((mongodb_hdr.message_length < 4)
- || (mongodb_hdr.message_length > 1000000) /* Used to avoid false positives */
+ if((le32toh(mongodb_hdr.message_length) < 4)
+ || (le32toh(mongodb_hdr.message_length) > 1000000) /* Used to avoid false positives */
) {
NDPI_LOG_DBG(ndpi_struct, "Invalid MONGODB length");
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
- switch(mongodb_hdr.op_code) {
+ switch(le32toh(mongodb_hdr.op_code)) {
case OP_REPLY:
case OP_UPDATE:
case OP_INSERT:
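Review bot: The comment `/* All MongoDB numbers are in host byte order */` and the commented-out `ntohl()` line above the length check now contradict the code, which treats the header fields as little-endian through `le32toh()`. I would replace both with `/* All MongoDB header fields are little-endian on the wire */`. The lower bound `< 4` also looks loose for a header struct holding four 32-bit fields, though how mongodb_hdr is filled from the payload is outside this hunk. The switch continues past the end of the hunk.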
diff --git a/src/lib/protocols/mysql.c b/src/lib/protocols/mysql.c
index 2d3a9b153..83c5d9787 100644
--- a/src/lib/protocols/mysql.c
+++ b/src/lib/protocols/mysql.c
@@ -35,14 +35,16 @@ void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, str
NDPI_LOG_DBG(ndpi_struct, "search MySQL\n");
if(packet->tcp) {
- if(packet->payload_packet_len > 38 //min length
- && get_u_int16_t(packet->payload, 0) == packet->payload_packet_len - 4 //first 3 bytes are length
- && get_u_int8_t(packet->payload, 2) == 0x00 //3rd byte of packet length
- && get_u_int8_t(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet
- && get_u_int8_t(packet->payload, 5) > 0x30 //server version > 0
- && get_u_int8_t(packet->payload, 5) < 0x39 //server version < 9
- && get_u_int8_t(packet->payload, 6) == 0x2e //dot
- ) {
+ if(packet->payload_packet_len > 38) { //min length
+ u_int32_t length = (packet->payload[2] << 16) + (packet->payload[1] << 8) + packet->payload[0];
+
+ if(length == (u_int32_t)packet->payload_packet_len - 4 //first 3 bytes are length
+ && get_u_int8_t(packet->payload, 2) == 0x00 //3rd byte of packet length
+ && get_u_int8_t(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet
+ && get_u_int8_t(packet->payload, 5) > 0x30 //server version > 0
+ && get_u_int8_t(packet->payload, 5) < 0x39 //server version < 9
+ && get_u_int8_t(packet->payload, 6) == 0x2e //dot
+ ) {
#if 0
/* Old code */
u_int32_t a;
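Review bot: The new `length` is assembled from three payload bytes, but the condition still requires `get_u_int8_t(packet->payload, 2) == 0x00`, so the `<< 16` term is always zero whenever the test passes. Either drop the redundant byte-2 check or keep it and say so next to the assembly, e.g. `/* 3-byte little-endian packet length; byte 2 is additionally required to be 0 below */`. The accesses to `payload[0..6]` are covered by the `payload_packet_len > 38` guard. The function continues outside the hunk.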
@@ -62,13 +64,14 @@ void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, str
}
}
#else
- if(strncmp((const char*)&packet->payload[packet->payload_packet_len-22],
- "mysql_", 6) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found MySQL\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
- return;
- }
+ if(strncmp((const char*)&packet->payload[packet->payload_packet_len-22],
+ "mysql_", 6) == 0) {
+ NDPI_LOG_INFO(ndpi_struct, "found MySQL\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ return;
+ }
#endif
+ }
}
}
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 3f9b21fbe..80c2902ca 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -42,9 +42,9 @@ struct stun_packet_header {
u_int32_t get_stun_lru_key(struct ndpi_packet_struct *packet, u_int8_t rev) {
if(rev)
- return(packet->iph->daddr + packet->udp->dest);
+ return(ntohl(packet->iph->daddr) + ntohs(packet->udp->dest));
else
- return(packet->iph->saddr + packet->udp->source);
+ return(ntohl(packet->iph->saddr) + ntohs(packet->udp->source));
}
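Review bot: The LRU key is the plain sum of address and port, so distinct endpoints can produce the same key (for example address A with port p and address A+1 with port p-1), and a cache hit recorded for one endpoint can then be attributed to another. The function also dereferences `packet->iph` and `packet->udp` without a check; callers outside this hunk presumably guarantee an IPv4/UDP packet, but that precondition is not stated. I would document both above the function, e.g. `/* Lossy key: addr + port in host byte order, collisions possible; caller must ensure packet->iph and packet->udp are non-NULL */`.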
/* ************************************************************ */
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 1eefe2d0f..95ae13b0e 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -978,7 +978,7 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
} else if(len > 5 /* Minimum block size */) {
/* Process element as a whole */
if(content_type == 0x17 /* Application Data */) {
- u_int32_t block_len = ntohs((flow->l4.tcp.tls.message.buffer[3] << 16) + (flow->l4.tcp.tls.message.buffer[4] << 8));
+ u_int32_t block_len = (flow->l4.tcp.tls.message.buffer[3] << 8) + (flow->l4.tcp.tls.message.buffer[4]);
/* Let's do a quick check to make sure this really looks like TLS */
if(block_len < 16384 /* Max TLS block size */)
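Review bot: With `block_len` now holding the real 16-bit record length, the check `block_len < 16384` on the following line starts rejecting full-size Application Data records. The old expression appears to have reduced to a single byte on little-endian hosts, so the limit was effectively never reached there. TLS permits ciphertext records above 2^14 bytes (up to 2^14 + 2048 in TLS 1.2, 2^14 + 256 in TLS 1.3), so I would relax the bound to `if(block_len <= 16384 + 2048 /* Max TLSCiphertext length */)`. What happens when the check fails is outside the hunk, so the impact on classification should be confirmed there.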