authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2025-03-14 15:13:29 +0100
committerGitHub <noreply@github.com>2025-03-14 15:13:29 +0100
commit0fe81c842f355b81ac48aa5f999ebf6760483e12 (patch)
tree389a875b146edabcbabe63dab24aac62d4d8fab2 /src
parent5d28c48b160f1b8c875da85f1b890f3ed0e807bf (diff)
TLS: avoid sub-classification for RDP flows (#2769)
These flows are already classified as TLS.RDP. This change also fixes a memory leak ``` Direct leak of 62 byte(s) in 1 object(s) allocated from: #0 0x5883d762429f in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3 #1 0x5883d76fe46a in ndpi_malloc ndpi/src/lib/ndpi_memory.c:57:46 #2 0x5883d76fe46a in ndpi_strdup ndpi/src/lib/ndpi_memory.c:110:13 #3 0x5883d77adcd6 in ndpi_compute_ja4 ndpi/src/lib/protocols/tls.c:2298:46 #4 0x5883d77ab2ec in processClientServerHello ndpi/src/lib/protocols/tls.c:3314:10 #5 0x5883d77a4c51 in processTLSBlock ndpi/src/lib/protocols/tls.c:1319:5 ``` Found by oss-fuzz. See: https://oss-fuzz.com/testcase-detail/5244512192757760
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h2
-rw-r--r--src/lib/protocols/rdp.c2
-rw-r--r--src/lib/protocols/tls.c7
3 files changed, 8 insertions, 3 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 8ce77bf54..95c295108 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1426,7 +1426,7 @@ struct ndpi_flow_struct {
struct {
message_t message[2]; /* Directions */
- u_int8_t certificate_processed:1, change_cipher_from_client:1, change_cipher_from_server:1, from_opportunistic_tls:1, pad:4;
+ u_int8_t certificate_processed:1, change_cipher_from_client:1, change_cipher_from_server:1, from_opportunistic_tls:1, from_rdp:1, pad:3;
struct tls_obfuscated_heuristic_state *obfuscated_heur_state;
struct ndpi_tls_obfuscated_heuristic_matching_set *obfuscated_heur_matching_set;
} tls_quic; /* Used also by DTLS and POPS/IMAPS/SMTPS/FTPS */
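Review bot: The new `from_rdp` bit on the bitfield line is undocumented in the header, so a reader cannot tell who sets it or what it suppresses without opening rdp.c and tls.c. I would annotate it where it is declared, e.g. `from_rdp:1, /* set by the RDP dissector once the flow negotiated TLS; tls.c skips hostname sub-classification for it (already TLS.RDP) */`, and keep the `pad` width in sync as further bits are added. The enclosing `struct ndpi_flow_struct` begins before this hunk.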
diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c
index 5831c01b7..23e50af63 100644
--- a/src/lib/protocols/rdp.c
+++ b/src/lib/protocols/rdp.c
@@ -91,7 +91,7 @@ static void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct,
if((rdp_requested_proto & 0x1) == 0x1) {
/* RDP Response + Client Hello + Server hello */
flow->max_extra_packets_to_check = 5;
-
+ flow->tls_quic.from_rdp = 1;
flow->extra_packets_func = ndpi_search_tls_over_rdp;
}
}
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 1dcae22c4..c45d42de1 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -1087,7 +1087,8 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
}
if(ndpi_struct->cfg.tls_subclassification_enabled &&
- !flow->protos.tls_quic.subprotocol_detected) {
+ !flow->protos.tls_quic.subprotocol_detected &&
+ !flow->tls_quic.from_rdp) { /* No (other) sub-classification; we will have TLS.RDP anyway */
if(ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), dNSName, dNSName_len)) {
flow->protos.tls_quic.subprotocol_detected = 1;
ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST);
@@ -2855,10 +2856,14 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
if(!is_quic) {
if(ndpi_struct->cfg.tls_subclassification_enabled &&
+ flow->protos.tls_quic.subprotocol_detected == 0 &&
+ !flow->tls_quic.from_rdp && /* No (other) sub-classification; we will have TLS.RDP anyway */
ndpi_match_hostname_protocol(ndpi_struct, flow, __get_master(ndpi_struct, flow), sni, sni_len))
flow->protos.tls_quic.subprotocol_detected = 1;
} else {
if(ndpi_struct->cfg.quic_subclassification_enabled &&
+ flow->protos.tls_quic.subprotocol_detected == 0 &&
+ !flow->tls_quic.from_rdp && /* No (other) sub-classification; we will have TLS.RDP anyway */
ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, sni, sni_len))
flow->protos.tls_quic.subprotocol_detected = 1;
}
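Review bot: The added `!flow->tls_quic.from_rdp` guards avoid the leak from the commit message by never calling `ndpi_match_hostname_protocol` for RDP flows, but they do not explain why re-classifying the flow loses the string allocated in `ndpi_compute_ja4` (frame #3 in the trace); presumably that pointer lives in storage the re-classification path overwrites without freeing, in which case any other path that re-classifies a TLS flow after JA4 computation would leak the same way, and that is worth confirming and fixing at the allocation site as well. Separately, the new `flow->protos.tls_quic.subprotocol_detected == 0` test reads differently from the `!flow->protos.tls_quic.subprotocol_detected` form used for the same condition in processCertificateElements; one spelling for all three copies keeps them easy to grep. The `from_rdp` check in the QUIC branch also looks unreachable, since rdp.c only hands flows to `ndpi_search_tls_over_rdp`, unless an RDP-over-QUIC path exists outside these hunks. processClientServerHello starts before this hunk and continues after it.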