diff options
| author | Toni Uhlig <matzeton@googlemail.com> | 2022-03-01 13:28:28 +0100 |
|---|---|---|
| committer | Toni Uhlig <matzeton@googlemail.com> | 2022-03-02 12:07:51 +0100 |
| commit | d7657dd1d41a5f8ec5ce0fc53a9a91b48472dfce (patch) | |
| tree | c6d1500792b187e8997277391b80e7035ae53376 /src | |
| parent | 61a3c2eb5b3cac0f36a1bfadc5261b7694d3bfab (diff) | |
Add ICMP checksum check and set risk if mismatch detected.add/icmp-tunnel-chksm-risk
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/include/ndpi_main.h | 1 | ||||
| -rw-r--r-- | src/lib/ndpi_main.c | 6 | ||||
| -rw-r--r-- | src/lib/ndpi_utils.c | 27 |
3 files changed, 34 insertions, 0 deletions
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h index 9029265bb..fe8a3816c 100644 --- a/src/include/ndpi_main.h +++ b/src/include/ndpi_main.h @@ -151,6 +151,7 @@ extern "C" { int ndpi_is_printable_string(char * const str, size_t len); #define NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(entropy) (entropy > 7.0f) float ndpi_entropy(u_int8_t const * const buf, size_t len); + u_int16_t ndpi_calculate_icmp4_checksum(u_int8_t const * const buf, size_t len); void load_common_alpns(struct ndpi_detection_module_struct *ndpi_str); u_int8_t is_a_common_alpn(struct ndpi_detection_module_struct *ndpi_str, const char *alpn_to_check, u_int alpn_to_check_len); diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 335cccba2..8b654e2de 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -3030,6 +3030,12 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str, if (NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(flow->entropy) != 0) { ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_ENTROPY); } + + struct ndpi_icmphdr * const icmphdr = (struct ndpi_icmphdr *)packet->payload; + u_int16_t chksm = ndpi_calculate_icmp4_checksum(packet->payload, packet->payload_packet_len); + if (icmphdr->checksum != chksm) { + ndpi_set_risk(ndpi_str, flow, NDPI_MALFORMED_PACKET); + } } } } diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 8cbc2e2df..26bd348cb 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -2295,6 +2295,33 @@ float ndpi_entropy(u_int8_t const * const buf, size_t len) { return entropy; } +/* ******************************************************************** */ + +u_int16_t ndpi_calculate_icmp4_checksum(u_int8_t const * const buf, size_t len) { + u_int16_t const * sbuf = (u_int16_t *)buf; + u_int32_t checksum = 0; + + /* + * The first two bytes of the icmp header are required. + * The next two bytes is the checksum, which we want to ignore. + */ + checksum += *sbuf++; len -= 2; /* icmp->type, icmp->code */ + sbuf++; len -= 2; /* icmp->checksum */ + + for (; len > 1; len -= 2) { + checksum += *sbuf++; + } + + if (len == 1) { + checksum += *(u_int8_t *)sbuf; + } + + checksum = (checksum >> 16) + (checksum & 0xFFFF); + checksum += (checksum >> 16); + + return ~checksum; +} + /* ******************************************* */ char* ndpi_get_flow_name(struct ndpi_flow_struct *flow) { |