Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_define.h.in | 1 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 8 |
3 files changed, 10 insertions, 2 deletions
diff --git a/src/include/ndpi_define.h.in b/src/include/ndpi_define.h.in index 6e2c4e90c..366b04b26 100644 --- a/src/include/ndpi_define.h.in +++ b/src/include/ndpi_define.h.in @@ -156,6 +156,7 @@ /* misc definitions */ #define NDPI_DEFAULT_MAX_TCP_RETRANSMISSION_WINDOW_SIZE 0x10000 +#define NDPI_MAX_NUM_PKTS_PER_FLOW_TO_DISSECT 32 /* TODO: rebuild all memory areas to have a more aligned memory block here */ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 493c71aea..c4535c768 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -5416,6 +5416,9 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct flow->num_processed_pkts++; + if(flow->num_processed_pkts > NDPI_MAX_NUM_PKTS_PER_FLOW_TO_DISSECT) + return(ret); /* Avoid spending too much time with this flow */ + /* Init default */ ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index ecd5f177e..67909fc87 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -918,10 +918,14 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct, processed += packet->payload_packet_len; } - } else { + } else if(len > 5 /* Minimum block size */) { /* Process element as a whole */ if(content_type == 0x17 /* Application Data */) { - ndpi_looks_like_tls(ndpi_struct, flow); + u_int32_t block_len = ntohs((flow->l4.tcp.tls.message.buffer[3] << 16) + (flow->l4.tcp.tls.message.buffer[4] << 8)); + + /* Let's do a quick check to make sure this really looks like TLS */ + if(block_len < 16384 /* Max TLS block size */) + ndpi_looks_like_tls(ndpi_struct, flow); if(flow->l4.tcp.tls.certificate_processed) { if(flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->num_tls_blocks_to_follow) |
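Review bot: In src/lib/ndpi_main.c the new early `return(ret)` in ndpi_detection_process_packet sits above the `/* Init default */` assignment, so once a flow exceeds NDPI_MAX_NUM_PKTS_PER_FLOW_TO_DISSECT packets the caller receives `ret` without the values from `flow->detected_protocol_stack`. The declaration of `ret` is outside the hunk, so its contents at that point cannot be confirmed from here, but a flow classified on an earlier packet would presumably stop reporting that classification. Moving the two added lines below the `ret.master_protocol = ..., ret.app_protocol = ...;` statement keeps the stored result while still skipping dissection. The fixed cap of 32 in src/include/ndpi_define.h.in also deserves a comment, for example `/* Packets dissected per flow before giving up; traffic identifiable only after this point stays unclassified */`, because it bounds what the detector can see.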
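Review bot: In src/lib/protocols/tls.c the `block_len` computation does not yield the TLS record length, so the new `block_len < 16384` guard does not test what its comment says. The record length is the big-endian 16-bit value in header bytes 3 and 4, but the code shifts them by 16 and 8 and passes the sum to `ntohs()`, whose 16-bit argument discards the `buffer[3]` term; on a little-endian host the result is just `buffer[4]`, which is always below the limit. I would write `u_int32_t block_len = (flow->l4.tcp.tls.message.buffer[3] << 8) + flow->l4.tcp.tls.message.buffer[4];` with no `ntohs()`. Application Data records are ciphertext, which the TLS 1.2 specification allows to reach 2^14 + 2048 bytes, so the bound should probably be `block_len <= 16384 + 2048` to avoid rejecting full-size records. The enclosing function starts and ends outside the hunk.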