Diffstat (limited to 'src/lib/protocols/ftp_data.c')
-rw-r--r-- | src/lib/protocols/ftp_data.c | 50 |
1 files changed, 32 insertions, 18 deletions
diff --git a/src/lib/protocols/ftp_data.c b/src/lib/protocols/ftp_data.c
index 8d3e6fa8c..7c646c363 100644
--- a/src/lib/protocols/ftp_data.c
+++ b/src/lib/protocols/ftp_data.c
@@ -49,16 +49,22 @@ static int ndpi_match_ftp_data_directory(struct ndpi_detection_module_struct *nd
 struct ndpi_packet_struct *packet = &flow->packet;
 u_int32_t payload_len = packet->payload_packet_len;
 
- if((payload_len >= 4)
- && ((packet->payload[0] == '-') || (packet->payload[0] == 'd'))
- && ((packet->payload[1] == '-') || (packet->payload[1] == 'r'))
- && ((packet->payload[2] == '-') || (packet->payload[2] == 'w'))
- && ((packet->payload[3] == '-') || (packet->payload[3] == 'x'))) {
-
- return 1;
+ if(payload_len > 10) {
+ int i;
+
+ if(!((packet->payload[0] == '-') || (packet->payload[0] == 'd')))
+ return(0);
+
+ for(i=0; i<9; i += 3)
+ if(((packet->payload[1+i] == '-') || (packet->payload[1+i] == 'r'))
+ && ((packet->payload[2+i] == '-') || (packet->payload[2+i] == 'w'))
+ && ((packet->payload[3+i] == '-') || (packet->payload[3+i] == 'x'))) {
+ ;
+ } else
+ return 0;
 }
 
- return 0;
+ return 1;
 }
 
 static int ndpi_match_file_header(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
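Review bot: The final `return 1;` sits outside the `if(payload_len > 10)` block, so any payload of 10 bytes or fewer skips every character check and is reported as a directory listing. Keep the fall-through negative and return the match from inside the block: `return 1;` directly after the `for` loop, and `return 0;` as the function's last statement. The indices read inside the block (0 through 9) are covered by the `payload_len > 10` guard, so there is no bounds issue in the new checks. The loop body would also read more plainly with the condition negated and a direct `return 0;` instead of the empty `;` statement and `else`. The function's signature lies outside the hunk and is visible only in the hunk header.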
@@ -220,16 +226,24 @@ static int ndpi_match_file_header(struct ndpi_detection_module_struct *ndpi_stru
 static void ndpi_check_ftp_data(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
 struct ndpi_packet_struct *packet = &flow->packet;
 
- if((packet->payload_packet_len > 0)
- && (ndpi_match_file_header(ndpi_struct, flow)
- || ndpi_match_ftp_data_directory(ndpi_struct, flow)
- || ndpi_match_ftp_data_port(ndpi_struct, flow)
- )
- ) {
- NDPI_LOG_INFO(ndpi_struct, "found FTP_DATA request\n");
- ndpi_int_ftp_data_add_connection(ndpi_struct, flow);
- } else
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ /*
+ Make sure we see the beginning of the connection as otherwise we might have
+ false positive results
+ */
+ if(flow->l4.tcp.seen_syn) {
+ if((packet->payload_packet_len > 0)
+ && (ndpi_match_file_header(ndpi_struct, flow)
+ || ndpi_match_ftp_data_directory(ndpi_struct, flow)
+ || ndpi_match_ftp_data_port(ndpi_struct, flow)
+ )
+ ) {
+ NDPI_LOG_INFO(ndpi_struct, "found FTP_DATA request\n");
+ ndpi_int_ftp_data_add_connection(ndpi_struct, flow);
+ return;
+ }
+ }
+
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
 
 void ndpi_search_ftp_data(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { |
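Review bot: Flows whose SYN was not observed now fall straight through to `NDPI_EXCLUDE_PROTO`, so a capture that starts mid-transfer or misses the handshake (for example on an asymmetric path) will never be labelled FTP_DATA, and the comment does not say so. I would make that trade-off explicit in the comment, e.g. `/* Only classify flows whose SYN we saw; flows picked up mid-stream are excluded to avoid false positives from the payload heuristics. */`. The guard reads `flow->l4.tcp.seen_syn`; whether callers guarantee a TCP flow at this point is not visible in the hunk, so it is worth confirming in `ndpi_search_ftp_data`, whose body is outside this hunk.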