Diffstat (limited to 'src/lib/protocols')
-rw-r--r-- | src/lib/protocols/dhcp.c | 21 | ||||
-rw-r--r-- | src/lib/protocols/rx.c | 6 | ||||
-rw-r--r-- | src/lib/protocols/stun.c | 20 | ||||
-rw-r--r-- | src/lib/protocols/tinc.c | 1 |
4 files changed, 29 insertions, 19 deletions
diff --git a/src/lib/protocols/dhcp.c b/src/lib/protocols/dhcp.c index 673b85b85..02ce00f25 100644 --- a/src/lib/protocols/dhcp.c +++ b/src/lib/protocols/dhcp.c @@ -72,19 +72,24 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru if(packet->udp) { dhcp_packet_t *dhcp = (dhcp_packet_t*)packet->payload; - if((packet->payload_packet_len >= 244) + if((packet->payload_packet_len >= 244 /* 244 is the offset of options[0] in dhcp_packet_t */) && (packet->udp->source == htons(67) || packet->udp->source == htons(68)) && (packet->udp->dest == htons(67) || packet->udp->dest == htons(68)) && (dhcp->magic == htonl(DHCP_OPTION_MAGIC_NUMBER))) { - int i = 0, foundValidMsgType = 0; + u_int i = 0, foundValidMsgType = 0; - while(i < DHCP_VEND_LEN) { + u_int dhcp_options_size = ndpi_min(DHCP_VEND_LEN /* maximum size of options in dhcp_packet_t */, + packet->payload_packet_len - 244); + + while(i + 1 /* for the len */ < dhcp_options_size) { u_int8_t id = dhcp->options[i]; if(id == 0xFF) break; else { - u_int8_t len = dhcp->options[i+1]; + /* Prevent malformed packets to cause out-of-bounds accesses */ + u_int8_t len = ndpi_min(dhcp->options[i+1] /* len as found in the packet */, + dhcp_options_size - (i+2) /* 1 for the type and 1 for the value */); if(len == 0) break; 
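Review bot: The literal 244 now carries the whole bounds argument and appears twice, in the length check and in `packet->payload_packet_len - 244`, but nothing ties it to the layout of `dhcp_packet_t`, whose definition is not visible in this hunk. If the real offset of `options` were larger than 244, the clamp on `dhcp_options_size` would still allow reads past the end of the payload; if it is smaller, the trailing option bytes are never parsed. Deriving the value once, e.g. `const u_int opt_off = offsetof(dhcp_packet_t, options);`, and using `opt_off` in both places keeps the check in step with the struct. The loop body continues outside the hunk, so how `i` advances cannot be checked here.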
@@ -99,12 +104,14 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru } else if(id == 55 /* Parameter Request List / Fingerprint */) { u_int idx, offset = 0; - for(idx=0; idx<len; idx++) { + for(idx = 0; idx < len && offset < sizeof(flow->protos.dhcp.fingerprint) - 2; idx++) { snprintf((char*)&flow->protos.dhcp.fingerprint[offset], - sizeof(flow->protos.dhcp.fingerprint)-offset-1, - "%02X", dhcp->options[i+2+idx] & 0xFF); + sizeof(flow->protos.dhcp.fingerprint) - offset, + "%02X", dhcp->options[i+2+idx] & 0xFF); offset += 2; } + flow->protos.dhcp.fingerprint[sizeof(flow->protos.dhcp.fingerprint) - 1] = '\0'; + } else if(id == 60 /* Class Identifier */) { char *name = (char*)&dhcp->options[i+2]; int j = 0; diff --git a/src/lib/protocols/rx.c b/src/lib/protocols/rx.c index c61f0a9ad..6eb9bf149 100644 --- a/src/lib/protocols/rx.c +++ b/src/lib/protocols/rx.c @@ -62,7 +62,7 @@ struct ndpi_rx_header { #define PARAM_2 10 #define PARAM_3 11 #define PARAMS_4 12 -#define VERSION 13 +#define VERS 13 /* Flags values */ #define EMPTY 0 @@ -110,7 +110,7 @@ void ndpi_check_rx(struct ndpi_detection_module_struct *ndpi_struct, **/ /* TYPE field */ - if((header->type < DATA) || (header->type > VERSION)) { + if((header->type < DATA) || (header->type > VERS)) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } @@ -156,7 +156,7 @@ void ndpi_check_rx(struct ndpi_detection_module_struct *ndpi_struct, goto security; case PARAM_3: goto security; - case VERSION: + case VERS: goto security; default: NDPI_EXCLUDE_PROTO(ndpi_struct, flow); diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index eef6e024e..bb4780aab 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c 
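Review bot: The rewritten option-55 loop stops silently once `offset` reaches `sizeof(flow->protos.dhcp.fingerprint) - 2`, so a Parameter Request List longer than the buffer produces a truncated fingerprint that looks the same as a complete one to later consumers. I would document that on the loop, e.g. `/* each entry writes 2 hex digits plus the NUL; lists that do not fit are truncated */`, and consider whether a truncated value should be used for matching at all. The explicit terminator after the loop is redundant, since `snprintf` already NUL-terminates within the size it is given, so it should either be commented as defensive or dropped. The option-60 branch that begins in the trailing context continues outside the hunk and is not covered here.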
@@ -90,7 +90,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * https://en.wikipedia.org/wiki/Skype_for_Business */ - while(offset < payload_length) { + while((offset+2) < payload_length) { u_int16_t attribute = ntohs(*((u_int16_t*)&payload[offset])); u_int16_t len = ntohs(*((u_int16_t*)&payload[offset+2])); u_int16_t x = (len + 4) % 4; @@ -107,6 +107,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * case 0x8054: /* Candidate Identifier */ if((len == 4) + && ((offset+7) < payload_length) && (payload[offset+5] == 0x00) && (payload[offset+6] == 0x00) && (payload[offset+7] == 0x00)) { @@ -118,6 +119,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * case 0x8070: /* Implementation Version */ if((len == 4) + && ((offset+7) < payload_length) && (payload[offset+4] == 0x00) && (payload[offset+5] == 0x00) && (payload[offset+6] == 0x00) @@ -239,7 +241,6 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * } #endif - if((flow->num_stun_udp_pkts > 0) && (msg_type <= 0x00FF)) { *is_whatsapp = 1; return NDPI_IS_STUN; /* This is WhatsApp Voice */ @@ -269,11 +270,12 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n NDPI_LOG_DBG(ndpi_struct, "search stun\n"); + if(packet->payload == NULL) return; + if(packet->tcp) { /* STUN may be encapsulated in TCP packets */ - if(packet->payload_packet_len >= 2 + 20 && - ntohs(get_u_int16_t(packet->payload, 0)) + 2 == packet->payload_packet_len) { - + if((packet->payload_packet_len >= 22) + && ((ntohs(get_u_int16_t(packet->payload, 0)) + 2) == packet->payload_packet_len)) { /* TODO there could be several STUN packets in a single TCP packet so maybe the detection could be * improved by checking only the STUN packet of given length */ 
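Review bot: The new loop guard `(offset+2) < payload_length` is still one byte short for the second read. `*((u_int16_t*)&payload[offset+2])` touches `payload[offset+3]`, which can equal `payload_length` when the guard passes, so a crafted packet can still cause a one-byte over-read. Requiring the full four-byte attribute header closes it: `while((offset+4) <= payload_length) {`. The `(offset+7) < payload_length` checks added in the 0x8054 and 0x8070 cases do cover the bytes those cases read. The rest of the loop, including how `offset` advances by `len`, lies outside the hunk.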
@@ -283,10 +285,11 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n NDPI_LOG_INFO(ndpi_struct, "found Skype\n"); ndpi_int_stun_add_connection(ndpi_struct, NDPI_PROTOCOL_SKYPE, flow); } else { - NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); + NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); /* Ummmmm we're in the TCP branch. This code looks bad */ ndpi_int_stun_add_connection(ndpi_struct, is_whatsapp ? NDPI_PROTOCOL_WHATSAPP_VOICE : NDPI_PROTOCOL_STUN, flow); } + return; } } @@ -306,9 +309,8 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n return; } - if(flow->num_stun_udp_pkts >= MAX_NUM_STUN_PKTS) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - } + if(flow->num_stun_udp_pkts >= MAX_NUM_STUN_PKTS) + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); if(flow->packet_counter > 0) { /* This might be a RTP stream: let's make sure we check it */ diff --git a/src/lib/protocols/tinc.c b/src/lib/protocols/tinc.c index adb547a48..19bfa34aa 100644 --- a/src/lib/protocols/tinc.c +++ b/src/lib/protocols/tinc.c @@ -25,6 +25,7 @@ #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TINC #include "ndpi_api.h" +#include "libcache.h" static void ndpi_check_tinc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) |
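Review bot: The added remark admits that `"found UDP stun\n"` is logged from what appears to be the TCP branch, but the message itself is unchanged, so logs will keep mislabelling TCP-encapsulated STUN. Correcting the string, `NDPI_LOG_INFO(ndpi_struct, "found TCP stun\n");`, and dropping the in-code remark would be clearer than leaving a note that the code "looks bad". The enclosing function starts and ends outside this hunk, so the branch structure is inferred from the hunk above.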
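Review bot: In the `@@ -306,9 +309,8 @@` hunk, dropping the braces leaves the macro call `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` as the unbraced body of the `if`, which is only safe if the macro expands to exactly one statement. Its definition is not on this page. If it is not wrapped in `do { ... } while(0)`, part of the expansion would run unconditionally and exclude the protocol on every packet. I would keep the braces: `if(flow->num_stun_udp_pkts >= MAX_NUM_STUN_PKTS) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); }`.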