Protobuf: fix false positives (#2428)

author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2024-05-09 15:38:06 +0200
committer: GitHub <noreply@github.com> 2024-05-09 15:38:06 +0200
commit: 2e7fc82e55d0f6c84745da993864ad81423bc5ea (patch)
tree: 479e00606c789823fa7e396bd2219d4310ad42a7 /src
parent: 18e03a26ca781490f06bfdbd34628614fcb65ca9 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/src/lib/protocols/protobuf.c b/src/lib/protocols/protobuf.c
index 003cc2fad..9f50e5c31 100644
--- a/src/lib/protocols/protobuf.c
+++ b/src/lib/protocols/protobuf.c
@@ -201,7 +201,7 @@ static void ndpi_search_protobuf(struct ndpi_detection_module_struct *ndpi_struc
         if (packet->payload_packet_len < offset + sizeof(uint32_t))
         {
           NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-          break;
+          return;
         }
 #ifdef DEBUG_PROTOBUF
         union {
@@ -226,7 +226,9 @@ static void ndpi_search_protobuf(struct ndpi_detection_module_struct *ndpi_struc
          (unsigned long long int)protobuf_elements,
          (unsigned long long int)protobuf_len_elements);
 #endif
-  if ((protobuf_elements >= PROTOBUF_REQUIRED_ELEMENTS && protobuf_len_elements > 0)
+  if ((protobuf_elements >= PROTOBUF_REQUIRED_ELEMENTS && protobuf_len_elements > 0 &&
+       /* (On UDP) this packet might be also a RTP/RTCP one. Wait for the next one */
+       (flow->packet_counter > 1 || flow->l4_proto == IPPROTO_TCP || flow->l4.udp.rtp_stage == 0))
       || (flow->packet_counter >= PROTOBUF_MIN_PACKETS && protobuf_elements >= PROTOBUF_MIN_ELEMENTS))
   {
 #ifdef DEBUG_PROTOBUF
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2024-05-09 15:38:06 +0200
committer	GitHub <noreply@github.com>	2024-05-09 15:38:06 +0200
commit	2e7fc82e55d0f6c84745da993864ad81423bc5ea (patch)
tree	479e00606c789823fa7e396bd2219d4310ad42a7 /src
parent	18e03a26ca781490f06bfdbd34628614fcb65ca9 (diff)