Improved TFTP. Fixes #2075. (#2149)

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>

1 files changed, 127 insertions, 54 deletions

diff --git a/src/lib/protocols/tftp.c b/src/lib/protocols/tftp.c
index b44746f45..f32a7851c 100644
--- a/src/lib/protocols/tftp.c
+++ b/src/lib/protocols/tftp.c
@@ -29,18 +29,111 @@
 #include "ndpi_api.h"
 #include "ndpi_private.h"
 
-/* see: https://datatracker.ietf.org/doc/html/rfc1350 */
-
 static void ndpi_int_tftp_add_connection(struct ndpi_detection_module_struct
 					 *ndpi_struct, struct ndpi_flow_struct *flow)
 {
   ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TFTP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
 }
 
+static size_t tftp_dissect_szstr(struct ndpi_packet_struct const * const packet,
+                                 size_t * const offset,
+                                 char const ** const string_start)
+{
+  if (packet->payload_packet_len <= *offset)
+  {
+    return 0;
+  }
+
+  const union {
+    uint8_t const * const as_ptr;
+    char const * const as_str;
+  } payload = { .as_ptr = packet->payload + *offset };
+
+  size_t len = strnlen(payload.as_str, packet->payload_packet_len - *offset);
+  if (len == 0 ||
+      packet->payload_packet_len <= *offset + len ||
+      payload.as_str[len] != '\0')
+  {
+    return 0;
+  }
+
+  if (string_start != NULL)
+  {
+    *string_start = payload.as_str;
+  }
+  *offset += len + 1;
+  return len;
+}
+
+static int tftp_dissect_mode(struct ndpi_packet_struct const * const packet,
+                             size_t * const offset)
+{
+  static char const * const valid_modes[] = {
+    "netascii", "octet", "mail"
+  };
+  char const * string_start;
+  size_t string_length = tftp_dissect_szstr(packet, offset, &string_start);
+  size_t i;
+
+  if (string_length == 0)
+  {
+    return 1;
+  }
+
+  for (i = 0; i < NDPI_ARRAY_LENGTH(valid_modes); ++i)
+  {
+    if (strncasecmp(string_start, valid_modes[i], string_length) == 0)
+    {
+      break;
+    }
+  }
+
+  return i == NDPI_ARRAY_LENGTH(valid_modes);
+}
+
+static int tftp_dissect_options(struct ndpi_packet_struct const * const packet,
+                                size_t * const offset)
+{
+  static char const * const valid_options[] = {
+    "blksize", "tsize"
+  };
+  uint8_t options_used[NDPI_ARRAY_LENGTH(valid_options)] = {0, 0};
+  size_t i;
+
+  do {
+    char const * string_start;
+    size_t string_length = tftp_dissect_szstr(packet, offset, &string_start);
+
+    if (string_length == 0 ||
+        tftp_dissect_szstr(packet, offset, NULL) == 0 /* value, not interested */)
+    {
+      break;
+    }
+
+    for (i = 0; i < NDPI_ARRAY_LENGTH(valid_options); ++i)
+    {
+      if (strncasecmp(string_start, valid_options[i], string_length) == 0)
+      {
+        break;
+      }
+    }
+
+    if (i == NDPI_ARRAY_LENGTH(valid_options) /* option not found in valid_options */ ||
+        options_used[i] != 0 /* duplicate options are not allowed */)
+    {
+      break;
+    }
+
+    options_used[i] = 1;
+  } while (1);
+
+  return *offset != packet->payload_packet_len;
+}
+
 static void ndpi_search_tftp(struct ndpi_detection_module_struct *ndpi_struct,
 			     struct ndpi_flow_struct *flow)
 {
-  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+  struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
   u_int16_t block_num;
   u_int16_t prev_num;
 
@@ -68,60 +161,26 @@ static void ndpi_search_tftp(struct ndpi_detection_module_struct *ndpi_struct,
         }
 
         {
-          uint8_t mode_found = 0;
-          size_t mode_len;
-          int i;
           size_t filename_len = 0;
-          const char *string;
-          size_t len = 0;
-          bool first = true;
+          size_t offset = 2;
+          char const * filename_start;
+
+          filename_len = tftp_dissect_szstr(packet, &offset, &filename_start);
 
-          /* Skip 2 byte opcode. */
-          for (i = 2; i < packet->payload_packet_len; i++)
+          /* Exclude the flow as TFPT if there was no filename and mode in the first two strings. */
+          if (filename_len == 0 || ndpi_is_printable_buffer((uint8_t *)filename_start, filename_len) == 0)
           {
-            /* Search through the payload until we find a NULL terminated string. */
-            if (packet->payload[i] != '\0')
-            {
-              len++;
-              continue;
-            }
-            string = (const char *)&packet->payload[i - len];
-
-            /* Filename should be immediately after opcode followed by the mode. */
-            if (first)
-            {
-              filename_len = len;
-              len = 0;
-              first = false;
-              continue;
-            }
-
-            char const * const possible_modes[] = { "netascii", "octet", "mail" };
-            uint8_t mode_idx;
-
-            /* Check the string in the payload against the possible TFTP modes. */
-            for(mode_idx = 0; mode_idx < NDPI_ARRAY_LENGTH(possible_modes); ++mode_idx)
-              {
-                mode_len = strlen(possible_modes[mode_idx]);
-                /* Both are now null terminated */
-                if (len != mode_len)
-                {
-                  continue;
-                }
-                if (strncasecmp(string, possible_modes[mode_idx], mode_len) == 0)
-                {
-                  mode_found = 1;
-                  break;
-                }
-              }
-
-            /* Second string searched must've been the mode, break out before any following options. */
-            break;
+            NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+            return;
           }
 
-          /* Exclude the flow as TFPT if there was no filename and mode in the first two strings. */
-          if (filename_len == 0 || ndpi_is_printable_buffer(&packet->payload[2], filename_len) == 0 ||
-              mode_found == 0)
+          if (tftp_dissect_mode(packet, &offset) != 0)
+          {
+            NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+            return;
+          }
+
+          if (tftp_dissect_options(packet, &offset) != 0)
           {
             NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
             return;
@@ -129,7 +188,7 @@ static void ndpi_search_tftp(struct ndpi_detection_module_struct *ndpi_struct,
 
           /* Dissect RRQ/WWQ filename. */
           filename_len = ndpi_min(filename_len, sizeof(flow->protos.tftp.filename) - 1);
-          memcpy(flow->protos.tftp.filename, &packet->payload[2], filename_len);
+          memcpy(flow->protos.tftp.filename, filename_start, filename_len);
           flow->protos.tftp.filename[filename_len] = '\0';
 
           /* We have seen enough and do not need any more TFTP packets. */
@@ -158,6 +217,7 @@ static void ndpi_search_tftp(struct ndpi_detection_module_struct *ndpi_struct,
 
     case 0x04:
         /* Acknowledgment (ACK) */
+
         if (packet->payload_packet_len != 4 /* ACK has a fixed packet size */)
         {
           NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
@@ -188,7 +248,20 @@ static void ndpi_search_tftp(struct ndpi_detection_module_struct *ndpi_struct,
 
     case 0x06:
         /* Option Acknowledgment (OACK) */
-        /* No fixed lengths as it can include the options from the request. */
+
+        {
+          size_t offset = 2;
+
+          if (tftp_dissect_options(packet, &offset) != 0)
+          {
+            NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+            return;
+          }
+        }
+
+        /* We have seen enough and do not need any more TFTP packets. */
+        NDPI_LOG_INFO(ndpi_struct, "found tftp (OACK)\n");
+        ndpi_int_tftp_add_connection(ndpi_struct, flow);
         break;
 
     default: