4 files changed, 51 insertions, 37 deletions

diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index b8c3b40bb..ae7b2462f 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1189,6 +1189,17 @@ struct ndpi_flow_struct {
     u_int16_t response_status_code; /* 200, 404, etc. */
   } http;
 
+  /* 
+     Put outside of the union to avoid issues in case the protocol
+     is remapped to somethign pther than Kerberos due to a faulty
+     dissector
+  */
+  struct {    
+    char *pktbuf;
+    u_int16_t pktbuf_maxlen, pktbuf_currlen;
+  } kerberos_buf;
+
+
   union {
     /* the only fields useful for nDPI and ntopng */
     struct {
@@ -1203,8 +1214,6 @@ struct ndpi_flow_struct {
     } ntp;
 
     struct {
-      char *pktbuf;
-      u_int16_t pktbuf_maxlen, pktbuf_currlen;
       char hostname[48], domain[48], username[48];
     } kerberos;
 
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 1efa9fd2f..85e3c0fbd 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -6373,10 +6373,10 @@ int ndpi_match_bigram(struct ndpi_detection_module_struct *ndpi_str,
 
 void ndpi_free_flow(struct ndpi_flow_struct *flow) {
   if(flow) {
-  if(flow->http.url)            ndpi_free(flow->http.url);
-    if(flow->http.content_type) ndpi_free(flow->http.content_type);
-    if(flow->http.user_agent)   ndpi_free(flow->http.user_agent);
-    if(flow->protos.kerberos.pktbuf) ndpi_free(flow->protos.kerberos.pktbuf);
+  if(flow->http.url)              ndpi_free(flow->http.url);
+    if(flow->http.content_type)   ndpi_free(flow->http.content_type);
+    if(flow->http.user_agent)     ndpi_free(flow->http.user_agent);
+    if(flow->kerberos_buf.pktbuf) ndpi_free(flow->kerberos_buf.pktbuf);
   
     if(flow->l4_proto == IPPROTO_TCP) {
       if(flow->l4.tcp.tls_srv_cert_fingerprint_ctx)
diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c
index ae33d525a..1eb006108 100644
--- a/src/lib/protocols/kerberos.c
+++ b/src/lib/protocols/kerberos.c
@@ -30,6 +30,8 @@
 
 //#define KERBEROS_DEBUG 1
 
+#define KERBEROS_PORT 88
+
 static void ndpi_int_kerberos_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
 					     struct ndpi_flow_struct *flow) {
   ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KERBEROS, NDPI_PROTOCOL_UNKNOWN);
@@ -41,34 +43,37 @@ static void ndpi_int_kerberos_add_connection(struct ndpi_detection_module_struct
 void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
 			  struct ndpi_flow_struct *flow) {
   struct ndpi_packet_struct *packet = &flow->packet;
-#ifdef KERBEROS_DEBUG
   u_int16_t sport = packet->tcp ? ntohs(packet->tcp->source) : ntohs(packet->udp->source);
   u_int16_t dport = packet->tcp ? ntohs(packet->tcp->dest) : ntohs(packet->udp->dest);
-#endif
 
+  if((sport != KERBEROS_PORT) && (dport != KERBEROS_PORT)) {
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+    return;
+  }
+  
   NDPI_LOG_DBG(ndpi_struct, "search KERBEROS\n");
 
 #ifdef KERBEROS_DEBUG
   printf("\n[Kerberos] Process packet [len: %u]\n", packet->payload_packet_len);
 #endif
     
-  if(flow->protos.kerberos.pktbuf != NULL) {
-    u_int missing = flow->protos.kerberos.pktbuf_maxlen - flow->protos.kerberos.pktbuf_currlen;
+  if(flow->kerberos_buf.pktbuf != NULL) {
+    u_int missing = flow->kerberos_buf.pktbuf_maxlen - flow->kerberos_buf.pktbuf_currlen;
 
     if(packet->payload_packet_len <= missing) {
-      memcpy(&flow->protos.kerberos.pktbuf[flow->protos.kerberos.pktbuf_currlen], packet->payload, packet->payload_packet_len);
-      flow->protos.kerberos.pktbuf_currlen += packet->payload_packet_len;
+      memcpy(&flow->kerberos_buf.pktbuf[flow->kerberos_buf.pktbuf_currlen], packet->payload, packet->payload_packet_len);
+      flow->kerberos_buf.pktbuf_currlen += packet->payload_packet_len;
 
-      if(flow->protos.kerberos.pktbuf_currlen == flow->protos.kerberos.pktbuf_maxlen) {
-	packet->payload = (u_int8_t *)flow->protos.kerberos.pktbuf;
-	packet->payload_packet_len = flow->protos.kerberos.pktbuf_currlen;
+      if(flow->kerberos_buf.pktbuf_currlen == flow->kerberos_buf.pktbuf_maxlen) {
+	packet->payload = (u_int8_t *)flow->kerberos_buf.pktbuf;
+	packet->payload_packet_len = flow->kerberos_buf.pktbuf_currlen;
 #ifdef KERBEROS_DEBUG
 	printf("[Kerberos] Packet is now full: processing\n");
 #endif
       } else {
 #ifdef KERBEROS_DEBUG
 	printf("[Kerberos] Missing %u bytes: skipping\n",
-	       flow->protos.kerberos.pktbuf_maxlen - flow->protos.kerberos.pktbuf_currlen);
+	       flow->kerberos_buf.pktbuf_maxlen - flow->kerberos_buf.pktbuf_currlen);
 #endif
 
 	return;
@@ -100,11 +105,11 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
       */
       if(kerberos_len > expected_len) {
 	if(packet->tcp) {
-	  flow->protos.kerberos.pktbuf = (char*)ndpi_malloc(kerberos_len+4);
-	  if(flow->protos.kerberos.pktbuf != NULL) {
-	    flow->protos.kerberos.pktbuf_maxlen = kerberos_len+4;
-	    memcpy(flow->protos.kerberos.pktbuf, packet->payload, packet->payload_packet_len);
-	    flow->protos.kerberos.pktbuf_currlen = packet->payload_packet_len;
+	  flow->kerberos_buf.pktbuf = (char*)ndpi_malloc(kerberos_len+4);
+	  if(flow->kerberos_buf.pktbuf != NULL) {
+	    flow->kerberos_buf.pktbuf_maxlen = kerberos_len+4;
+	    memcpy(flow->kerberos_buf.pktbuf, packet->payload, packet->payload_packet_len);
+	    flow->kerberos_buf.pktbuf_currlen = packet->payload_packet_len;
 	  }
 	}
 	
@@ -306,8 +311,8 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
 
 		    /* If necessary we can decode sname */
 
-		    if(flow->protos.kerberos.pktbuf) ndpi_free(flow->protos.kerberos.pktbuf);
-		    flow->protos.kerberos.pktbuf = NULL;
+		    if(flow->kerberos_buf.pktbuf) ndpi_free(flow->kerberos_buf.pktbuf);
+		    flow->kerberos_buf.pktbuf = NULL;
 		  }
 		}
 	      }
@@ -316,9 +321,9 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
 		ndpi_int_kerberos_add_connection(ndpi_struct, flow);
 
 	      /* We set the protocol in the response */
-	      if(flow->protos.kerberos.pktbuf != NULL) {
-		free(flow->protos.kerberos.pktbuf);
-		flow->protos.kerberos.pktbuf = NULL;
+	      if(flow->kerberos_buf.pktbuf != NULL) {
+		free(flow->kerberos_buf.pktbuf);
+		flow->kerberos_buf.pktbuf = NULL;
 	      }
 	      
 	      return;
diff --git a/tests/result/kerberos.pcap.out b/tests/result/kerberos.pcap.out
index 460e3d3d0..d6df722f6 100644
--- a/tests/result/kerberos.pcap.out
+++ b/tests/result/kerberos.pcap.out
@@ -3,28 +3,28 @@ SMBv23	6	1914	3
 Kerberos	48	19194	24
 LDAP	14	4152	7
 
-	1	TCP 172.16.8.201:49171 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/1486 bytes <-> 1 pkts/1506 bytes][Goodput ratio: 96.3/96.4][0.00 sec][johnson-pc (happycraft.org)][PLAIN TEXT (HAPPYCRAFT.ORG)]
-	2	TCP 172.16.8.201:49160 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/1485 bytes <-> 1 pkts/1498 bytes][Goodput ratio: 96.3/96.3][< 1 sec][johnson-pc (happycraft.org)][PLAIN TEXT (HAPPYCRAFT.ORG)]
-	3	TCP 172.16.8.201:49176 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/1485 bytes <-> 1 pkts/1498 bytes][Goodput ratio: 96.3/96.3][0.00 sec][johnson-pc (happycraft.org)][PLAIN TEXT (HAPPYCRAFT.ORG)]
+	1	TCP 172.16.8.201:49171 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/1486 bytes <-> 1 pkts/1506 bytes][Goodput ratio: 96.3/96.4][0.00 sec][happycraft.org\johnson-pc][PLAIN TEXT (HAPPYCRAFT.ORG)]
+	2	TCP 172.16.8.201:49160 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/1485 bytes <-> 1 pkts/1498 bytes][Goodput ratio: 96.3/96.3][< 1 sec][happycraft.org\johnson-pc][PLAIN TEXT (HAPPYCRAFT.ORG)]
+	3	TCP 172.16.8.201:49176 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/1485 bytes <-> 1 pkts/1498 bytes][Goodput ratio: 96.3/96.3][0.00 sec][happycraft.org\johnson-pc][PLAIN TEXT (HAPPYCRAFT.ORG)]
 	4	TCP 172.16.8.201:49173 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/1118 bytes <-> 1 pkts/190 bytes][Goodput ratio: 95.1/71.2][0.00 sec][PLAIN TEXT (HAPPYCRAFT.ORG)]
 	5	TCP 172.16.8.201:49194 <-> 172.16.8.8:445 [proto: 41/SMBv23][cat: System/18][1 pkts/410 bytes <-> 1 pkts/314 bytes][Goodput ratio: 86.6/82.5][0.00 sec]
 	6	TCP 172.16.8.201:49193 <-> 172.16.8.8:389 [proto: 112/LDAP][cat: System/18][1 pkts/384 bytes <-> 1 pkts/264 bytes][Goodput ratio: 85.7/79.2][0.00 sec]
 	7	TCP 172.16.8.201:49191 <-> 172.16.8.8:389 [proto: 112/LDAP][cat: System/18][1 pkts/368 bytes <-> 1 pkts/264 bytes][Goodput ratio: 85.1/79.2][< 1 sec]
-	8	TCP 172.16.8.201:49157 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/293 bytes <-> 1 pkts/332 bytes][Goodput ratio: 81.3/83.5][< 1 sec][johnson-pc (happycraft.org)][PLAIN TEXT (johnson)]
-	9	TCP 172.16.8.201:49166 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/293 bytes <-> 1 pkts/332 bytes][Goodput ratio: 81.3/83.5][0.00 sec][johnson-pc (happycraft.org)][PLAIN TEXT (johnson)]
-	10	TCP 172.16.8.201:49181 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/293 bytes <-> 1 pkts/332 bytes][Goodput ratio: 81.3/83.5][< 1 sec][johnson-pc (happycraft.org)][PLAIN TEXT (JOHNSON)]
+	8	TCP 172.16.8.201:49157 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/293 bytes <-> 1 pkts/332 bytes][Goodput ratio: 81.3/83.5][< 1 sec][happycraft.org\johnson-pc][PLAIN TEXT (johnson)]
+	9	TCP 172.16.8.201:49166 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/293 bytes <-> 1 pkts/332 bytes][Goodput ratio: 81.3/83.5][0.00 sec][happycraft.org\johnson-pc][PLAIN TEXT (johnson)]
+	10	TCP 172.16.8.201:49181 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/293 bytes <-> 1 pkts/332 bytes][Goodput ratio: 81.3/83.5][< 1 sec][happycraft.org\johnson-pc][PLAIN TEXT (JOHNSON)]
 	11	TCP 172.16.8.201:49156 <-> 172.16.8.8:445 [proto: 41/SMBv23][cat: System/18][1 pkts/281 bytes <-> 1 pkts/314 bytes][Goodput ratio: 80.5/82.5][0.00 sec]
 	12	TCP 172.16.8.201:49174 <-> 172.16.8.8:445 [proto: 41/SMBv23][cat: System/18][1 pkts/281 bytes <-> 1 pkts/314 bytes][Goodput ratio: 80.5/82.5][0.00 sec]
-	13	TCP 172.16.8.201:49188 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/369 bytes <-> 1 pkts/216 bytes][Goodput ratio: 85.1/74.7][< 1 sec][theresa.johnson (happycraft)][PLAIN TEXT (theresa.johnson)]
+	13	TCP 172.16.8.201:49188 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/369 bytes <-> 1 pkts/216 bytes][Goodput ratio: 85.1/74.7][< 1 sec][happycraft\theresa.johnson][PLAIN TEXT (theresa.johnson)]
 	14	TCP 172.16.8.201:49161 <-> 172.16.8.8:389 [proto: 112/LDAP][cat: System/18][1 pkts/320 bytes <-> 1 pkts/264 bytes][Goodput ratio: 82.9/79.2][< 1 sec]
 	15	TCP 172.16.8.201:49179 <-> 172.16.8.8:389 [proto: 112/LDAP][cat: System/18][1 pkts/320 bytes <-> 1 pkts/264 bytes][Goodput ratio: 82.9/79.2][0.00 sec]
 	16	TCP 172.16.8.201:49180 <-> 172.16.8.8:389 [proto: 112/LDAP][cat: System/18][1 pkts/320 bytes <-> 1 pkts/264 bytes][Goodput ratio: 82.9/79.2][0.00 sec]
-	17	TCP 172.16.8.201:49187 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/289 bytes <-> 1 pkts/294 bytes][Goodput ratio: 81.0/81.4][0.00 sec][theresa.johnson (happycraft)][PLAIN TEXT (theresa.johnson)]
+	17	TCP 172.16.8.201:49187 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/289 bytes <-> 1 pkts/294 bytes][Goodput ratio: 81.0/81.4][0.00 sec][happycraft\theresa.johnson][PLAIN TEXT (theresa.johnson)]
 	18	TCP 172.16.8.201:49169 <-> 172.16.8.8:389 [proto: 112/LDAP][cat: System/18][1 pkts/296 bytes <-> 1 pkts/264 bytes][Goodput ratio: 81.5/79.2][0.00 sec][PLAIN TEXT (PSTUsM)]
 	19	TCP 172.16.8.201:49172 <-> 172.16.8.8:389 [proto: 112/LDAP][cat: System/18][1 pkts/296 bytes <-> 1 pkts/264 bytes][Goodput ratio: 81.5/79.2][0.00 sec]
-	20	TCP 172.16.8.201:49158 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/373 bytes <-> 1 pkts/166 bytes][Goodput ratio: 85.3/67.1][0.00 sec][johnson-pc (happycraft.org)][PLAIN TEXT (johnson)]
-	21	TCP 172.16.8.201:49167 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/373 bytes <-> 1 pkts/166 bytes][Goodput ratio: 85.3/67.1][< 1 sec][johnson-pc (happycraft.org)][PLAIN TEXT (johnson)]
-	22	TCP 172.16.8.201:49182 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/373 bytes <-> 1 pkts/166 bytes][Goodput ratio: 85.3/67.1][< 1 sec][johnson-pc (happycraft.org)][PLAIN TEXT (JOHNSON)]
+	20	TCP 172.16.8.201:49158 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/373 bytes <-> 1 pkts/166 bytes][Goodput ratio: 85.3/67.1][0.00 sec][happycraft.org\johnson-pc][PLAIN TEXT (johnson)]
+	21	TCP 172.16.8.201:49167 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/373 bytes <-> 1 pkts/166 bytes][Goodput ratio: 85.3/67.1][< 1 sec][happycraft.org\johnson-pc][PLAIN TEXT (johnson)]
+	22	TCP 172.16.8.201:49182 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/373 bytes <-> 1 pkts/166 bytes][Goodput ratio: 85.3/67.1][< 1 sec][happycraft.org\johnson-pc][PLAIN TEXT (JOHNSON)]
 	23	TCP 172.16.8.201:49190 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/271 bytes <-> 1 pkts/244 bytes][Goodput ratio: 79.8/77.6][0.00 sec][PLAIN TEXT (happycraft.org)]
 	24	TCP 172.16.8.201:49192 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/255 bytes <-> 1 pkts/233 bytes][Goodput ratio: 78.5/76.5][0.00 sec][PLAIN TEXT (20370913024805Z)]
 	25	TCP 172.16.8.201:49195 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/255 bytes <-> 1 pkts/233 bytes][Goodput ratio: 78.5/76.5][0.00 sec][PLAIN TEXT (20370913024805Z)]