1 files changed, 52 insertions, 34 deletions

diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 72af5313e..1f84b268f 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -50,8 +50,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
 					   struct ndpi_flow_struct *flow,
 					   const u_int8_t * payload, 
 					   const u_int16_t payload_length,
-					   u_int8_t *is_whatsapp)
-{
+					   u_int8_t *is_whatsapp) {
   u_int16_t msg_type, msg_len;
   struct stun_packet_header *h = (struct stun_packet_header*)payload;
 
@@ -66,6 +65,9 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
   
   msg_type = ntohs(h->msg_type) & 0x3EEF, msg_len = ntohs(h->msg_len);
 
+  if((payload[0] != 0x80) && ((msg_len+20) > payload_length))
+    return(NDPI_IS_NOT_STUN);
+
   if((payload_length == (msg_len+20))
      && ((msg_type <= 0x000b) /* http://www.3cx.com/blog/voip-howto/stun-details/ */))
     goto udp_stun_found;
@@ -88,9 +90,9 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
    */
 
   if(payload_length >= 20 && ntohs(get_u_int16_t(payload, 2)) + 20 == payload_length &&
-      ((payload[0] == 0x00 && (payload[1] >= 0x01 && payload[1] <= 0x04)) ||
-       (payload[0] == 0x01 &&
-	((payload[1] >= 0x01 && payload[1] <= 0x04) || (payload[1] >= 0x11 && payload[1] <= 0x15))))) {
+     ((payload[0] == 0x00 && (payload[1] >= 0x01 && payload[1] <= 0x04)) ||
+      (payload[0] == 0x01 &&
+       ((payload[1] >= 0x01 && payload[1] <= 0x04) || (payload[1] >= 0x11 && payload[1] <= 0x15))))) {
     u_int8_t mod;
     u_int8_t old = 1;
     u_int8_t padding = 0;
@@ -106,17 +108,17 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
     while (a < payload_length) {
 
       if(old && payload_length >= a + 4
-	  &&
-	  ((payload[a] == 0x00
-	    && ((payload[a + 1] >= 0x01 && payload[a + 1] <= 0x16) || payload[a + 1] == 0x19
-		|| payload[a + 1] == 0x20 || payload[a + 1] == 0x22 || payload[a + 1] == 0x24
-		|| payload[a + 1] == 0x25))
-	   || (payload[a] == 0x80
-	       && (payload[a + 1] == 0x01 || payload[a + 1] == 0x03 || payload[a + 1] == 0x04
-		   || payload[a + 1] == 0x06 || payload[a + 1] == 0x08 || payload[a + 1] == 0x15
-		   || payload[a + 1] == 0x20 || payload[a + 1] == 0x22 || payload[a + 1] == 0x28
-		   || payload[a + 1] == 0x2a || payload[a + 1] == 0x29 || payload[a + 1] == 0x50
-		   || payload[a + 1] == 0x54 || payload[a + 1] == 0x55)))) {
+	 &&
+	 ((payload[a] == 0x00
+	   && ((payload[a + 1] >= 0x01 && payload[a + 1] <= 0x16) || payload[a + 1] == 0x19
+	       || payload[a + 1] == 0x20 || payload[a + 1] == 0x22 || payload[a + 1] == 0x24
+	       || payload[a + 1] == 0x25))
+	  || (payload[a] == 0x80
+	      && (payload[a + 1] == 0x01 || payload[a + 1] == 0x03 || payload[a + 1] == 0x04
+		  || payload[a + 1] == 0x06 || payload[a + 1] == 0x08 || payload[a + 1] == 0x15
+		  || payload[a + 1] == 0x20 || payload[a + 1] == 0x22 || payload[a + 1] == 0x28
+		  || payload[a + 1] == 0x2a || payload[a + 1] == 0x29 || payload[a + 1] == 0x50
+		  || payload[a + 1] == 0x54 || payload[a + 1] == 0x55)))) {
 
 	NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "attribute match.\n");
 
@@ -132,21 +134,21 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
 
       } else if(payload_length >= a + padding + 4
 		&&
-		 ((payload[a + padding] == 0x00
-		   && ((payload[a + 1 + padding] >= 0x01 && payload[a + 1 + padding] <= 0x16)
-		       || payload[a + 1 + padding] == 0x19 || payload[a + 1 + padding] == 0x20
-		       || payload[a + 1 + padding] == 0x22 || payload[a + 1 + padding] == 0x24
-		       || payload[a + 1 + padding] == 0x25))
-		  || (payload[a + padding] == 0x80
-		      && (payload[a + 1 + padding] == 0x01 || payload[a + 1 + padding] == 0x03
-			  || payload[a + 1 + padding] == 0x04 || payload[a + 1 + padding] == 0x06
-			  || payload[a + 1 + padding] == 0x08 || payload[a + 1 + padding] == 0x15
-			  || payload[a + 1 + padding] == 0x20 || payload[a + 1 + padding] == 0x22
-			  || payload[a + 1 + padding] == 0x28 || payload[a + 1 + padding] == 0x2a
-			  || payload[a + 1 + padding] == 0x29 || payload[a + 1 + padding] == 0x50
-			  || payload[a + 1 + padding] == 0x54 || payload[a + 1 + padding] == 0x55))
-		  || ((payload[a + padding] == 0x40) && (payload[a + padding + 1] == 0x00))
-		  )) {
+		((payload[a + padding] == 0x00
+		  && ((payload[a + 1 + padding] >= 0x01 && payload[a + 1 + padding] <= 0x16)
+		      || payload[a + 1 + padding] == 0x19 || payload[a + 1 + padding] == 0x20
+		      || payload[a + 1 + padding] == 0x22 || payload[a + 1 + padding] == 0x24
+		      || payload[a + 1 + padding] == 0x25))
+		 || (payload[a + padding] == 0x80
+		     && (payload[a + 1 + padding] == 0x01 || payload[a + 1 + padding] == 0x03
+			 || payload[a + 1 + padding] == 0x04 || payload[a + 1 + padding] == 0x06
+			 || payload[a + 1 + padding] == 0x08 || payload[a + 1 + padding] == 0x15
+			 || payload[a + 1 + padding] == 0x20 || payload[a + 1 + padding] == 0x22
+			 || payload[a + 1 + padding] == 0x28 || payload[a + 1 + padding] == 0x2a
+			 || payload[a + 1 + padding] == 0x29 || payload[a + 1 + padding] == 0x50
+			 || payload[a + 1 + padding] == 0x54 || payload[a + 1 + padding] == 0x55))
+		 || ((payload[a + padding] == 0x40) && (payload[a + padding + 1] == 0x00))
+		 )) {
 	if((payload[a + padding] == 0x40) && (payload[a + padding + 1] == 0x00))
 	  goto udp_stun_found;
 
@@ -171,11 +173,14 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
 #endif
 
 
-  if((flow->num_stun_udp_pkts > 0) && ((payload[0] == 0x80) || (payload[0] == 0x81))) {
+  if(
+     ((flow->num_stun_udp_pkts > 0) && (msg_type = 0x0800)) 
+     || ((msg_type = 0x0800) && (msg_len == 106))
+     ) {     
     *is_whatsapp = 1;
     return NDPI_IS_STUN; /* This is WhatsApp Voice */
   } else
-    return NDPI_IS_NOT_STUN;
+    return NDPI_IS_NOT_STUN;  
 
  udp_stun_found:
   flow->num_stun_udp_pkts++;
@@ -194,7 +199,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
     /* STUN may be encapsulated in TCP packets */
 
     if(packet->payload_packet_len >= 2 + 20 &&
-	ntohs(get_u_int16_t(packet->payload, 0)) + 2 == packet->payload_packet_len) {
+       ntohs(get_u_int16_t(packet->payload, 0)) + 2 == packet->payload_packet_len) {
       
       /* TODO there could be several STUN packets in a single TCP packet so maybe the detection could be
        * improved by checking only the STUN packet of given length */
@@ -222,4 +227,17 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
   }
 }
 
+
+void init_stun_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+  ndpi_set_bitmask_protocol_detection("STUN", ndpi_struct, detection_bitmask, *id,
+				      NDPI_PROTOCOL_STUN,
+				      ndpi_search_stun,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+				      ADD_TO_DETECTION_BITMASK);
+
+  *id += 1;
+}
+
 #endif