-rw-r--r-- | src/lib/ndpi_main.c | 39 | ||||
-rw-r--r-- | tests/cfgs/default/result/icmp-tunnel.pcap.out | 2 | ||||
-rw-r--r-- | tests/cfgs/default/result/malformed_icmp.pcap.out | 2 |
3 files changed, 32 insertions, 11 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 4239f3064..c82fdb10b 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4379,16 +4379,26 @@ static u_int16_t guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str
 /* Run some basic consistency tests */
 if(packet->payload_packet_len < sizeof(struct ndpi_icmphdr)) {
- ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, NULL);
+ char buf[64];
+
+ snprintf(buf, sizeof(buf), "Packet too short (%d vs %u)",
+ packet->payload_packet_len, (unsigned int)sizeof(struct ndpi_icmphdr));
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, buf);
 } else {
 u_int8_t icmp_type = (u_int8_t)packet->payload[0];
 u_int8_t icmp_code = (u_int8_t)packet->payload[1];
 /* https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml */
 if(((icmp_type >= 44) && (icmp_type <= 252))
- || (icmp_code > 15))
- ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, NULL);
+ || (icmp_code > 15)) {
+ char buf[64];
+
+ snprintf(buf, sizeof(buf), "Invalid type (%u)/code(%u)",
+ icmp_type, icmp_code);
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, buf);
+ }
+
 if(packet->payload_packet_len > sizeof(struct ndpi_icmphdr)) {
 if(ndpi_str->cfg.compute_entropy && (flow->skip_entropy_check == 0)) {
 flow->entropy = ndpi_entropy(packet->payload + sizeof(struct ndpi_icmphdr),
@@ -4399,7 +4409,7 @@ static u_int16_t guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str
 u_int16_t chksm = icmp4_checksum(packet->payload, packet->payload_packet_len);
 if(chksm) {
- ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, NULL);
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid ICMP checksum");
 }
 }
 }
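Review bot: In the new "Packet too short" message `packet->payload_packet_len` is printed with `%d` while the other operand is explicitly cast to `unsigned int` for `%u`; if the field is the `u_int16_t` it appears to be elsewhere in nDPI this only works through integer promotion and reads as a mismatch right next to the cast. The same pair appears in the ICMPv6 hunk below. Suggest `snprintf(buf, sizeof(buf), "Packet too short (%u vs %u)",` in both places, keeping the `(unsigned int)` cast on the `sizeof`. The stack-local `buf` is handed to `ndpi_set_risk()` and the updated expectation files show the text is still present when the flow is printed, so the call must copy it; a one-line `/* ndpi_set_risk() copies buf */` at the first use would save the next reader from checking that, and since the same buffer/snprintf/set_risk triple is now repeated four times across the two hunks a small `static` formatting helper would keep the messages in one place.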
@@ -4419,16 +4429,27 @@ static u_int16_t guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str
 if(flow) {
 /* Run some basic consistency tests */
- if(packet->payload_packet_len < sizeof(struct ndpi_icmp6hdr))
- ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, NULL);
- else {
+ if(packet->payload_packet_len < sizeof(struct ndpi_icmp6hdr)) {
+ char buf[64];
+
+ snprintf(buf, sizeof(buf), "Packet too short (%d vs %u)",
+ packet->payload_packet_len, (unsigned int)sizeof(struct ndpi_icmp6hdr));
+
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, buf);
+ } else {
 u_int8_t icmp6_type = (u_int8_t)packet->payload[0];
 u_int8_t icmp6_code = (u_int8_t)packet->payload[1];
 /* https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_for_IPv6 */
 if(((icmp6_type >= 5) && (icmp6_type <= 127))
- || ((icmp6_code >= 156) && (icmp6_type != 255)))
- ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, NULL);
+ || ((icmp6_code >= 156) && (icmp6_type != 255))) {
+ char buf[64];
+
+ snprintf(buf, sizeof(buf), "Invalid type (%u)/code(%u)",
+ icmp6_type, icmp6_code);
+
+ ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, buf);
+ }
 }
 }
 return(NDPI_PROTOCOL_IP_ICMPV6);
diff --git a/tests/cfgs/default/result/icmp-tunnel.pcap.out b/tests/cfgs/default/result/icmp-tunnel.pcap.out
index c78009553..377630456 100644
--- a/tests/cfgs/default/result/icmp-tunnel.pcap.out
+++ b/tests/cfgs/default/result/icmp-tunnel.pcap.out
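Review bot: The rewritten condition `|| ((icmp6_code >= 156) && (icmp6_type != 255))) {` still compares `icmp6_code` against a threshold that only makes sense for the type: 156–254 are the unassigned/experimental ICMPv6 type values and 255 is the reserved type, which is exactly what the `!= 255` exclusion is guarding, whereas ICMPv6 codes have no such range. As written, those type values pass unflagged while the new "Invalid type/code" risk fires only on a code of 156 or more; the commit touched this line but kept the operand, so it is worth confirming against the referenced page. If the type range is the intent, the line becomes `|| ((icmp6_type >= 156) && (icmp6_type != 255))) {`. `if(flow) {` opens inside the hunk, but the enclosing function guess_protocol_id starts and ends outside it.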
@@ -24,4 +24,4 @@ ICMP 863 190810 1
 Acceptable 863 190810 1
- 1 ICMP 192.168.154.131:0 <-> 192.168.154.132:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 81/ICMP, Confidence: DPI][DPI packets: 1][cat: Network/14][448 pkts/98566 bytes <-> 415 pkts/92244 bytes][Goodput ratio: 81/81][1122.51 sec][bytes ratio: 0.033 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2578/2731 145505/145505 9091/9494][Pkt Len c2s/s2c min/avg/max/stddev: 74/74 220/222 1075/1070 245/245][Risk: ** Malformed Packet **** Susp Entropy **][Risk Score: 20][Risk Info: No server to client traffic / Entropy: 5.703 (Executable?)][PLAIN TEXT (OpenSSH5)][Plen Bins: 0,32,24,24,7,3,3,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 1 ICMP 192.168.154.131:0 <-> 192.168.154.132:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 81/ICMP, Confidence: DPI][DPI packets: 1][cat: Network/14][448 pkts/98566 bytes <-> 415 pkts/92244 bytes][Goodput ratio: 81/81][1122.51 sec][bytes ratio: 0.033 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2578/2731 145505/145505 9091/9494][Pkt Len c2s/s2c min/avg/max/stddev: 74/74 220/222 1075/1070 245/245][Risk: ** Malformed Packet **** Susp Entropy **][Risk Score: 20][Risk Info: No server to client traffic / Entropy: 5.703 (Executable?) / Invalid ICMP checksum][PLAIN TEXT (OpenSSH5)][Plen Bins: 0,32,24,24,7,3,3,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/malformed_icmp.pcap.out b/tests/cfgs/default/result/malformed_icmp.pcap.out
index 3ddcb2c6b..e5b43c847 100644
--- a/tests/cfgs/default/result/malformed_icmp.pcap.out
+++ b/tests/cfgs/default/result/malformed_icmp.pcap.out
@@ -24,4 +24,4 @@ ICMP 1 42 1
 Acceptable 1 42 1
- 1 ICMP 218.152.179.213:0 -> 218.152.179.54:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 81/ICMP, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/42 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Malformed Packet **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 1 ICMP 218.152.179.213:0 -> 218.152.179.54:0 [proto: 81/ICMP][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 81/ICMP, Confidence: DPI][DPI packets: 1][cat: Network/14][1 pkts/42 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Malformed Packet **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Invalid type (165)/code(0)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |