Introduced fix on TLS for discarding traffic out of sequence that might invalidate dissection

1 files changed, 38 insertions, 10 deletions

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 4b7e3e31f..8b70dc44d 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -113,7 +113,8 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st
 void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct,
 				struct ndpi_flow_struct *flow) {
   struct ndpi_packet_struct *packet = &flow->packet;
-
+  u_int avail_bytes;
+  
   /* TCP */
 #ifdef DEBUG_TLS_MEMORY
   printf("[TLS Mem] Handling TCP/TLS flow [payload_len: %u][buffer_len: %u][direction: %u]\n",
@@ -135,7 +136,8 @@ void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct
 #endif
   }
 
-  u_int avail_bytes = flow->l4.tcp.tls.message.buffer_len - flow->l4.tcp.tls.message.buffer_used;
+  avail_bytes = flow->l4.tcp.tls.message.buffer_len - flow->l4.tcp.tls.message.buffer_used;
+  
   if(avail_bytes < packet->payload_packet_len) {
     u_int new_len = flow->l4.tcp.tls.message.buffer_len + packet->payload_packet_len;
     void *newbuf  = ndpi_realloc(flow->l4.tcp.tls.message.buffer,
@@ -152,14 +154,37 @@ void ndpi_search_tls_tcp_memory(struct ndpi_detection_module_struct *ndpi_struct
   }
 
   if(packet->payload_packet_len > 0 && avail_bytes >= packet->payload_packet_len) {
-    memcpy(&flow->l4.tcp.tls.message.buffer[flow->l4.tcp.tls.message.buffer_used],
-	   packet->payload, packet->payload_packet_len);
-
-    flow->l4.tcp.tls.message.buffer_used += packet->payload_packet_len;
+    u_int8_t ok = 0;
+    
+    if(flow->l4.tcp.tls.message.next_seq[packet->packet_direction] != 0) {
+      if(ntohl(packet->tcp->seq) == flow->l4.tcp.tls.message.next_seq[packet->packet_direction])
+	ok = 1;
+    } else
+      ok = 1;
+
+    if(ok) {
+      memcpy(&flow->l4.tcp.tls.message.buffer[flow->l4.tcp.tls.message.buffer_used],
+	     packet->payload, packet->payload_packet_len);
+      
+      flow->l4.tcp.tls.message.buffer_used += packet->payload_packet_len;
 #ifdef DEBUG_TLS_MEMORY
-    printf("[TLS Mem] Copied data to buffer [%u/%u bytes]\n",
-	   flow->l4.tcp.tls.message.buffer_used, flow->l4.tcp.tls.message.buffer_len);
+      printf("[TLS Mem] Copied data to buffer [%u/%u bytes][direction: %u][tcp_seq: %u][next: %u]\n",
+	     flow->l4.tcp.tls.message.buffer_used, flow->l4.tcp.tls.message.buffer_len,
+	     packet->packet_direction,
+	     ntohl(packet->tcp->seq), 
+	     ntohl(packet->tcp->seq)+packet->payload_packet_len);
 #endif
+
+      flow->l4.tcp.tls.message.next_seq[packet->packet_direction] = ntohl(packet->tcp->seq)+packet->payload_packet_len;
+    } else {
+#ifdef DEBUG_TLS_MEMORY
+      printf("[TLS Mem] Skipping packet [%u bytes][direction: %u][tcp_seq: %u][expected next: %u]\n",
+	     flow->l4.tcp.tls.message.buffer_len,
+	     packet->packet_direction,
+	     ntohl(packet->tcp->seq), 
+	     ntohl(packet->tcp->seq)+packet->payload_packet_len);
+#endif      
+    }
   }
 }
 
@@ -428,7 +453,8 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 
 		  /* The check "len > sizeof(dNSName) - 1" will be always false. If we add it,
 		     the compiler is smart enough to detect it and throws a warning */
-		  if(len == 0 /* Looks something went wrong */)
+		  if((len == 0 /* Looks something went wrong */)
+		     || ((i+len) >  packet->payload_packet_len))
 		    break;
 
 		  strncpy(dNSName, (const char*)&packet->payload[i], len);
@@ -437,7 +463,9 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi
 		  cleanupServerName(dNSName, len);
 
 #if DEBUG_TLS
-		  printf("[TLS] dNSName %s [%s]\n", dNSName, flow->protos.stun_ssl.ssl.client_requested_server_name);
+		  printf("[TLS] dNSName %s [%s][len: %u][leftover: %d]\n", dNSName,
+			 flow->protos.stun_ssl.ssl.client_requested_server_name, len,
+			 packet->payload_packet_len-i-len);
 #endif
 		  if(matched_name == 0) {
 		    if(flow->protos.stun_ssl.ssl.client_requested_server_name[0] == '\0')