author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-01-17 08:26:42 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-01-17 08:26:42 +0100 |
commit | ebb9ebd2a0a1536cb8f9d9dc510f52f33ed78eab (patch) | |
tree | 6e3ee193e8e9e0e4ce1f2f9680ec252f1f46e8e2 /src | |
parent | 1f7c57deff9debbda3d26be906e067dcf73ce1f9 (diff) |
Fix classification "by-port" (#1851)
Classification "by-port" should be the last possible effort, *after*
having tested all the LRU caches.
Remove some dead code from `ndpi_detection_giveup()`:
`flow->guessed_protocol_id` is never set to any of those voip protocols
and at that point in this function we never have both a master *and* an
application protocol.
Coverage reports (both from unit tests and from fuzzing) confirm that
it was dead code.
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/ndpi_main.c | 66 |
1 files changed, 20 insertions, 46 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 642ddb780..4618cb75f 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -5977,7 +5977,6 @@ static void ndpi_add_connection_as_zoom(struct ndpi_detection_module_struct *ndp ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, u_int8_t enable_guess, u_int8_t *protocol_was_guessed) { ndpi_protocol ret = NDPI_PROTOCOL_NULL; - u_int16_t guessed_protocol_id = NDPI_PROTOCOL_UNKNOWN; /* *** We can't access ndpi_str->packet from this function!! *** */ 
@@ -6011,41 +6010,14 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st if(flow->guessed_protocol_id == NDPI_PROTOCOL_STUN) goto check_stun_export; - else if((flow->guessed_protocol_id == NDPI_PROTOCOL_HANGOUT_DUO) || - (flow->guessed_protocol_id == NDPI_PROTOCOL_FACEBOOK_VOIP) || - (flow->guessed_protocol_id == NDPI_PROTOCOL_SIGNAL_VOIP) || - (flow->guessed_protocol_id == NDPI_PROTOCOL_WHATSAPP_CALL)) { - *protocol_was_guessed = 1; - ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL); - } else if(enable_guess) { - - guessed_protocol_id = flow->guessed_protocol_id; - - /* Ignore guessed protocol if they have been discarded */ - if((guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) - && (flow->l4_proto == IPPROTO_UDP) && - NDPI_ISSET(&flow->excluded_protocol_bitmask, guessed_protocol_id) && - is_udp_not_guessable_protocol(guessed_protocol_id)) - flow->guessed_protocol_id = guessed_protocol_id = NDPI_PROTOCOL_UNKNOWN; - - if(guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) { - *protocol_was_guessed = 1; - ndpi_set_detected_protocol(ndpi_str, flow, guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_MATCH_BY_PORT); - } else if(flow->stun.num_binding_requests > 0 && - flow->stun.num_processed_pkts > 0) { + else if(enable_guess) { + if(flow->stun.num_binding_requests > 0 && + flow->stun.num_processed_pkts > 0) { *protocol_was_guessed = 1; ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_STUN, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL); } } - if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && enable_guess) { - if(flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) { - *protocol_was_guessed = 1; - flow->detected_protocol_stack[1] = flow->guessed_protocol_id; - flow->confidence = NDPI_CONFIDENCE_MATCH_BY_PORT; - } - } - if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) && (flow->guessed_protocol_id == NDPI_PROTOCOL_STUN)) { 
check_stun_export: @@ -6055,23 +6027,9 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; - if(ret.master_protocol == NDPI_PROTOCOL_STUN) { - if(ret.app_protocol == NDPI_PROTOCOL_FACEBOOK) - ret.app_protocol = NDPI_PROTOCOL_FACEBOOK_VOIP; - else if(ret.app_protocol == NDPI_PROTOCOL_GOOGLE) { - /* - As Google has recently introduced Duo, - we need to distinguish between it and hangout - thing that should be handled by the STUN dissector - */ - ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN, NDPI_CONFIDENCE_DPI_PARTIAL); - ret.app_protocol = NDPI_PROTOCOL_HANGOUT_DUO; - } - } - if((ret.master_protocol == NDPI_PROTOCOL_UNKNOWN) && (ret.app_protocol == NDPI_PROTOCOL_UNKNOWN)) { - /* Last resort */ + /* Check some caches */ if(ndpi_search_into_bittorrent_cache(ndpi_str, flow, flow->c_address.v4, flow->c_port, flow->s_address.v4, flow->s_port)) { @@ -6091,6 +6049,22 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st } } + /* Classification by-port is the last resort */ + if(enable_guess && ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) { + + /* Ignore guessed protocol if they have been discarded */ + if(flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN && + flow->l4_proto == IPPROTO_UDP && + NDPI_ISSET(&flow->excluded_protocol_bitmask, flow->guessed_protocol_id) && + is_udp_not_guessable_protocol(flow->guessed_protocol_id)) + flow->guessed_protocol_id = NDPI_PROTOCOL_UNKNOWN; + + if(flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) { + ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_MATCH_BY_PORT); + ret.app_protocol = flow->detected_protocol_stack[0]; + } + } + if(ret.app_protocol != NDPI_PROTOCOL_UNKNOWN) { *protocol_was_guessed = 1; ndpi_fill_protocol_category(ndpi_str, flow, &ret); |
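Review bot: In the rewritten `else if(enable_guess)` branch, a flow with STUN binding requests is now set to NDPI_PROTOCOL_STUN with NDPI_CONFIDENCE_DPI_PARTIAL before the port guess is considered at all, whereas the removed code tried `guessed_protocol_id` first and used the STUN counters only as a fallback. That change of precedence looks intended by the commit but is not recorded at the site; a comment such as `/* Partial STUN evidence takes precedence over the by-port guess done at the end */` would make it explicit. The two nested conditions can also be folded into `else if(enable_guess && flow->stun.num_binding_requests > 0 && flow->stun.num_processed_pkts > 0)`, which drops one brace level. The function begins and ends outside this hunk.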
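Review bot: After the by-port `ndpi_set_detected_protocol()` call only `ret.app_protocol` is reloaded from the flow, so `ret.master_protocol` keeps whatever it held before, and the guard likewise tests only `ret.app_protocol`, unlike the cache block above it, which tests both fields. If the invariant from the commit message holds (no master without an application protocol at this point) this is harmless, but adding `ret.master_protocol = flow->detected_protocol_stack[1];` next to the existing assignment keeps `ret` in step with the flow without relying on it. The block also resets `flow->guessed_protocol_id` to NDPI_PROTOCOL_UNKNOWN as a side effect when the guess had been excluded; a comment should say this write to the flow is deliberate. Because a port number alone is weak evidence, the block comment could also state that a result carrying NDPI_CONFIDENCE_MATCH_BY_PORT is a guess and not a dissector match. The function body starts and ends outside the hunk.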