LDAP: rewrite dissection (#1649)

author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2022-07-08 12:50:46 +0200
committer: GitHub <noreply@github.com> 2022-07-08 12:50:46 +0200
commit: 510517126a63f828754826b5bcfc4b4d1d3791d4 (patch)
tree: dde2ceb664d81a87770c1b669ec36c89ee2c0e26 /src
parent: 9b958769738c2b63f195d1ee2d112206704cce7e (diff)
4 files changed, 73 insertions, 95 deletions
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h
index 614d0aed4..0069d987a 100644
--- a/src/include/ndpi_main.h
+++ b/src/include/ndpi_main.h
@@ -165,6 +165,8 @@ extern "C" {
   char *ndpi_hostname_sni_set(struct ndpi_flow_struct *flow, const u_int8_t *value, size_t value_len);
   char *ndpi_user_agent_set(struct ndpi_flow_struct *flow, const u_int8_t *value, size_t value_len);
 
+  int ndpi_asn1_ber_decode_length(const unsigned char *payload, int payload_len, u_int16_t *value_len);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 15b71caf1..ce1911743 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2704,3 +2704,39 @@ u_int8_t ndpi_check_flow_risk_exceptions(struct ndpi_detection_module_struct *nd
   
   return(0);
 }
+
+/* ******************************************* */
+
+int ndpi_asn1_ber_decode_length(const unsigned char *payload, int payload_len, u_int16_t *value_len)
+{
+  unsigned int value, i;
+
+  if(payload_len <= 0)
+    return -1;
+
+  /* Malformed */
+  if(payload[0] == 0xFF)
+    return -1;
+
+  /* Definite, short */
+  if(payload[0] <= 0x80) {
+    *value_len = 1;
+    return payload[0];
+  }
+  /* Indefinite, unsupported */
+  if((payload[0] & 0x7F) == 0)
+    return -1;
+
+  *value_len = payload[0] & 0x7F;
+  /* We support only 4 additional length octets */
+  if(*value_len > 4 ||
+     payload_len <= *value_len + 1)
+    return -1;
+
+  value = 0;
+  for (i = 1; i <= *value_len; i++) {
+    value |= (unsigned int)payload[i] << ((*value_len) - i) * 8;
+  }
+  (*value_len) += 1;
+  return value;
+}
diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c
index 176bb2eab..ab2a58e14 100644
--- a/src/lib/protocols/kerberos.c
+++ b/src/lib/protocols/kerberos.c
@@ -41,50 +41,20 @@ static int krb_decode_asn1_length(struct ndpi_detection_module_struct *ndpi_stru
                                   size_t * const kasn1_offset)
 {
   struct ndpi_packet_struct * const packet = &ndpi_struct->packet;
-  unsigned char length_octet;
   int length;
+  u_int16_t value_len;
 
-  length_octet = packet->payload[*kasn1_offset];
+  length = ndpi_asn1_ber_decode_length(&packet->payload[*kasn1_offset],
+				       packet->payload_packet_len - *kasn1_offset,
+				       &value_len);
 
-  if (length_octet == 0xFF)
+  if (length == -1 ||
+      packet->payload_packet_len < *kasn1_offset + value_len + length)
   {
-    /* Malformed Packet */
     return -1;
   }
 
-  if ((length_octet & 0x80) == 0)
-  {
-    /* Definite, short */
-    length = length_octet & 0x7F;
-    (*kasn1_offset)++;
-  } else {
-    /* Definite, long or indefinite (not support by this implementation) */
-    if ((length_octet & 0x7F) == 0)
-    {
-      /* indefinite, unsupported */
-      return -1;
-    }
-
-    length_octet &= 0x7F;
-    if (length_octet > 4 /* We support only 4 additional length octets. */ ||
-        packet->payload_packet_len <= *kasn1_offset + length_octet + 1)
-    {
-      return -1;
-    }
-
-    int i = 1;
-    length = 0;
-    for (; i <= length_octet; ++i)
-    {
-      length |= (unsigned int)packet->payload[*kasn1_offset + i] << (length_octet - i) * 8;
-    }
-    *kasn1_offset += i;
-  }
-
-  if (packet->payload_packet_len < *kasn1_offset + length)
-  {
-    return -1;
-  }
+  *kasn1_offset += value_len;
 
   return length;
 }
diff --git a/src/lib/protocols/ldap.c b/src/lib/protocols/ldap.c
index 3462d07b8..70c9c072f 100644
--- a/src/lib/protocols/ldap.c
+++ b/src/lib/protocols/ldap.c
@@ -37,65 +37,35 @@ static void ndpi_int_ldap_add_connection(struct ndpi_detection_module_struct *nd
 
 void ndpi_search_ldap(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
 {
-	struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+  int length;
+  u_int16_t length_len = 0, msg_id_len;
+  u_int8_t op;
 	
-	NDPI_LOG_DBG(ndpi_struct, "search ldap\n");
-
-	if (packet->payload_packet_len >= 14 && packet->payload[0] == 0x30) {
-
-		// simple type
-		if (packet->payload[1] == 0x0c && packet->payload_packet_len == 14 &&
-			packet->payload[packet->payload_packet_len - 1] == 0x00 && packet->payload[2] == 0x02) {
-
-			if (packet->payload[3] == 0x01 &&
-				(packet->payload[5] == 0x60 || packet->payload[5] == 0x61) && packet->payload[6] == 0x07) {
-				NDPI_LOG_INFO(ndpi_struct, "found ldap simple type 1\n");
-				ndpi_int_ldap_add_connection(ndpi_struct, flow);
-				return;
-			}
-
-			if (packet->payload[3] == 0x02 &&
-				(packet->payload[6] == 0x60 || packet->payload[6] == 0x61) && packet->payload[7] == 0x07) {
-				NDPI_LOG_INFO(ndpi_struct, "found ldap simple type 2\n");
-				ndpi_int_ldap_add_connection(ndpi_struct, flow);
-				return;
-			}
-		}
-		// normal type
-		if (packet->payload[1] == 0x84 &&
-			packet->payload[2] == 0x00 && packet->payload[3] == 0x00 && packet->payload[6] == 0x02) {
-
-			if (packet->payload[7] == 0x01 &&
-				(packet->payload[9] == 0x60 || packet->payload[9] == 0x61 || packet->payload[9] == 0x63 ||
-				 packet->payload[9] == 0x64) && packet->payload[10] == 0x84) {
-
-				NDPI_LOG_INFO(ndpi_struct, "found ldap type 1\n");
-				ndpi_int_ldap_add_connection(ndpi_struct, flow);
-				return;
-			}
-
-			if (packet->payload[7] == 0x02 &&
-				(packet->payload[10] == 0x60 || packet->payload[10] == 0x61 || packet->payload[10] == 0x63 ||
-				 packet->payload[10] == 0x64) && packet->payload[11] == 0x84) {
-
-				NDPI_LOG_INFO(ndpi_struct, "found ldap type 2\n");
-				ndpi_int_ldap_add_connection(ndpi_struct, flow);
-				return;
-			}
-
-			if (packet->payload[7] == 0x03 &&
-				(packet->payload[11] == 0x60 || packet->payload[11] == 0x61 || packet->payload[11] == 0x63 ||
-				 packet->payload[11] == 0x64 || packet->payload[11] == 0x65) && packet->payload[12] == 0x84) {
-
-				NDPI_LOG_INFO(ndpi_struct, "found ldap type 3\n");
-				ndpi_int_ldap_add_connection(ndpi_struct, flow);
-				return;
-			}
-		}
-	}
-
-
-	NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+  NDPI_LOG_DBG(ndpi_struct, "search ldap\n");
+
+  if(packet->payload_packet_len > 1 &&
+     packet->payload[0] == 0x30) {
+    length = ndpi_asn1_ber_decode_length(&packet->payload[1], packet->payload_packet_len - 1, &length_len);
+    NDPI_LOG_DBG(ndpi_struct, "length %d (%d bytes)\n", length, length_len);
+    if(length > 0 &&
+       packet->payload_packet_len > 1 + length_len + 1 &&
+       packet->payload[1 + length_len] == 0x02 /* Integer */) {
+      msg_id_len = packet->payload[1 + length_len + 1];
+      if(packet->payload_packet_len > 1 + length_len + 1 + msg_id_len + 1) {
+        op = packet->payload[1 + length_len + 1 + msg_id_len + 1];
+        NDPI_LOG_DBG(ndpi_struct, "Op 0x%x\n", op);
+        if((op & 0x60) == 0x60 && /* Application */
+           (op & 0x1F) <= 25) {
+          NDPI_LOG_INFO(ndpi_struct, "found ldap\n");
+          ndpi_int_ldap_add_connection(ndpi_struct, flow);
+          return;
+        }
+      }
+    }
+  }
+
+  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2022-07-08 12:50:46 +0200
committer	GitHub <noreply@github.com>	2022-07-08 12:50:46 +0200
commit	510517126a63f828754826b5bcfc4b4d1d3791d4 (patch)
tree	dde2ceb664d81a87770c1b669ec36c89ee2c0e26 /src
parent	9b958769738c2b63f195d1ee2d112206704cce7e (diff)