4 files changed, 18 insertions, 6 deletions

diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 03f7bf6c3..97fb71a80 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -808,6 +808,7 @@ typedef enum {
 	      CUSTOM_CATEGORY_ADVERTISEMENT    = 101,
 	      CUSTOM_CATEGORY_BANNED_SITE      = 102,
 	      CUSTOM_CATEGORY_SITE_UNAVAILABLE = 103,
+	      CUSTOM_CATEGORY_ALLOWED_SITE     = 104,
 
 	      /*
 		IMPORTANT
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 8bcb06198..6561bf1b9 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -423,7 +423,8 @@ static const char* categories[] = {
   "Malware",
   "Advertisement",
   "Banned_Site",
-  "Site_Unavailable"
+  "Site_Unavailable",
+  "Allowed_Site",
 };
 
 /* ****************************************** */
@@ -2885,6 +2886,12 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_mod,
   Format:
   <tcp|udp>:<port>,<tcp|udp>:<port>,.....@<proto>
 
+  Subprotocols Format:
+  host:"<value>",host:"<value>",.....@<subproto>
+
+  IP based Subprotocols Format (<value> is IP or CIDR):
+  ip:<value>,ip:<value>,.....@<subproto>
+
   Example:
   tcp:80,tcp:3128@HTTP
   udp:139@NETBIOS
@@ -5031,7 +5038,8 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc
   packet->line[packet->parsed_lines].ptr = packet->payload;
   packet->line[packet->parsed_lines].len = 0;
 
-  for(a = 0; a < packet->payload_packet_len; a++) {
+  for(a = 0; (a < packet->payload_packet_len)
+	&& (packet->parsed_lines < NDPI_MAX_PARSE_LINES_PER_PACKET); a++) {
     if((a + 1) == packet->payload_packet_len)
       return; /* Return if only one byte remains (prevent invalid reads past end-of-buffer) */
 
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 1c2593feb..dc97f3fe7 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -190,11 +190,11 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
 		flow->protos.dns.rsp_type = rsp_type;
 
 		/* here x points to the response "class" field */
-		if((x+12) < flow->packet.payload_packet_len) {
+		if((x+12) <= flow->packet.payload_packet_len) {
 		  x += 6;
 		  data_len = get16(&x, flow->packet.payload);
 
-		  if(((x + data_len) < flow->packet.payload_packet_len)
+		  if(((x + data_len) <= flow->packet.payload_packet_len)
 		    && (((rsp_type == 0x1) && (data_len == 4)) /* A */
 #ifdef NDPI_DETECTION_SUPPORT_IPV6
 		       || ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */
diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c
index f7fbd337c..fdc47d15c 100644
--- a/src/lib/protocols/mail_smtp.c
+++ b/src/lib/protocols/mail_smtp.c
@@ -58,13 +58,16 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct
 	
   NDPI_LOG_DBG(ndpi_struct, "search mail_smtp\n");
 
-  if (packet->payload_packet_len > 2 && ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) {
+  if((packet->payload_packet_len > 2)
+      && (packet->parsed_lines <  NDPI_MAX_PARSE_LINES_PER_PACKET)
+      && (ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a)
+      ) {
     u_int8_t a;
     u_int8_t bit_count = 0;
 
     NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow,packet);
-    for (a = 0; a < packet->parsed_lines; a++) {
 
+    for (a = 0; a < packet->parsed_lines; a++) {
       // expected server responses
       if (packet->line[a].len >= 3) {
 	if (memcmp(packet->line[a].ptr, "220", 3) == 0) {