path: root/src/lib/ndpi_utils.c
Commit message | Author | Age
...
* Code cleanup | Luca Deri | 2023-09-01
|
* Code cleanup | Luca Deri | 2023-08-31
|
* Add an heuristic to detect fully encrypted flows (#2058) | Ivan Nardi | 2023-07-26
|
| A fully encrypted session is a flow where every byte of the payload is
| encrypted in an attempt to “look like nothing”.
| The heuristic needs only the very first packet of the flow.
| See: https://www.usenix.org/system/files/sec23fall-prepub-234-wu-mingshi.pdf
|
| A basic, but generic, implementation of the popcount alg has been added
|
* Fixes risk mask exception handling while improving the overall performance | Luca Deri | 2023-07-14
|
* Implemented Count-Min Sketch [count how many times a value has been observed] | Luca Deri | 2023-07-13
|
| - ndpi_cm_sketch_init()
| - ndpi_cm_sketch_add()
| - ndpi_cm_sketch_count()
| - ndpi_cm_sketch_destroy()
|
* fuzz: extend fuzzing coverage (#2040) | Ivan Nardi | 2023-07-11
|
| Some notes:
| * libinjection: according to
|   https://github.com/libinjection/libinjection/issues/44, it seems NULL
|   characters are valid in the input string;
| * RTP: `rtp_get_stream_type()` is called only for RTP packets; if you want
|   to tell RTP from RTCP you should use `is_rtp_or_rtcp()`;
| * TLS: unnecessary check; we already make the same check just above, at
|   the beginning of the `while` loop
|
* Implemented Zoom/Teams stream type detection | Luca Deri | 2023-06-14
|
* Added vlan_id in ndpi_flow2json() prototype | Luca Deri | 2023-06-09
|
* Fix some memory errors triggered by allocation failures (#1995) | Ivan Nardi | 2023-05-29
|
| Some low hanging fruits found using nallocfuzz.
| See: https://github.com/catenacyber/nallocfuzz
| See: https://github.com/google/oss-fuzz/pull/9902
|
| Most of these errors are quite trivial to fix; the only exception is the
| stuff in the uthash.
| If the insertion fails (because of an allocation failure), we need to
| avoid some memory leaks. But the only way to check if the `HASH_ADD_*`
| failed, is to perform a new lookup: a bit costly, but we don't use that
| code in any critical data-path.
|
* Fix an heap-buffer-overflow (#1994) | Ivan Nardi | 2023-05-29
|
| ```
| ==32439==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000080 at pc 0x564a9a1639ac bp 0x7ffc77d42e20 sp 0x7ffc77d42e18
| READ of size 1 at 0x604000000080 thread T0
|     #0 0x564a9a1639ab in ndpi_check_punycode_string /home/ivan/svnrepos/nDPI/src/lib/ndpi_utils.c:98:12
|     #1 0x564a9a26025a in ndpi_match_host_subprotocol /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:8652:6
|     #2 0x564a9a33e45c in ndpi_http_parse_subprotocol /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:446:9
|     #3 0x564a9a3354b8 in check_content_type_and_change_protocol /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:921:3
|     #4 0x564a9a32dc8b in process_request /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:1237:3
|     #5 0x564a9a329a9c in ndpi_check_http_tcp /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:1351:5
|     #6 0x564a9a3293ed in ndpi_search_http_tcp /home/ivan/svnrepos/nDPI/src/lib/protocols/http.c:1425:3
|     #7 0x564a9a21c64a in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5906:6
|     #8 0x564a9a21d057 in check_ndpi_tcp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:5954:12
| ```
|
| Found by oss-fuzzer.
| See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59393
|
* Improved missing usage of nDPIs malloc wrapper. Fixes #1978. (#1979) | Toni | 2023-05-20
|
| * added CI check
|
| Signed-off-by: lns <matzeton@googlemail.com>
|
* Improve detection of crawler/bot traffic (#1956) | Ivan Nardi | 2023-05-04
|
* Updated (C) | Luca Deri | 2023-04-28
|
* fuzz: extend fuzzers coverage (#1952) | Ivan Nardi | 2023-04-25
|
* add support for gre decapsulation (#1442) (#1921) | Maatuq | 2023-04-04
|
* Added fix for better handling exceptions rollback in case of later match | Luca Deri | 2023-03-06
|
* Add a new flow risk about literal IP addresses used as SNI (#1892) | Ivan Nardi | 2023-03-02
|
| RFC 6066 3: "Literal IPv4 and IPv6 addresses are not permitted in
| "HostName"."
|
| Don't set this risk if we have a valid sub-classification (example: via
| certificate)
|
| Since a similar risk already exists for HTTP hostnames, reuse it, with a
| more generic name.
|
* fuzz: extend fuzz coverage (#1888) | Ivan Nardi | 2023-02-16
|
* Fix export/serialization of `flow->risk` (#1885) | Ivan Nardi | 2023-02-14
|
| Any risk bigger than 31 was never exported/serialized; found looking at
| the fuzz coverage report.
|
* Added new risk NDPI_TCP_ISSUES | Luca Deri | 2023-01-24
|
* Shrinked symbolic flow risks labels | Luca Deri | 2023-01-19
|
* Added NDPI_MINOR_ISSUES risk used for storing generic/relevant information ↵ | Luca Deri | 2022-12-31
|
| about issues found on traffic.
|
* Added NDPI_PERIODIC_FLOW flow risk to be used by apps based on nDPI | Luca Deri | 2022-12-30
|
* Implemented EDNS(0) support in DNS dissector | Luca Deri | 2022-12-29
|
| Improved DNS dissection
|
* fuzz: add fuzzer testing nDPI (initial) configurations (#1830) | Ivan Nardi | 2022-12-23
|
| The goal of this fuzzer is to test init and deinit of the library, with
| different configurations. In detail:
| * random memory allocation failures, even during init phase
| * random `ndpi_init_prefs` parameter of `ndpi_init_detection_module()`
| * random LRU caches sizes
| * random bitmask of enabled protocols
| * random parameters of `ndpi_set_detection_preferences()`
| * random initialization of opportunistic TLS
| * random load/don't load of configuration files
|
| This new fuzzer is a C++ file, because it uses `FuzzedDataProvider` class
| (see https://github.com/google/fuzzing/blob/master/docs/split-inputs.md).
| Note that the (existing) fuzzers need to be linked with C++ compiler
| anyway, so this new fuzzer doesn't add any new requirements.
|
* Fix some errors found by oss-fuzz (#1834) | Ivan Nardi | 2022-12-20
|
* fuzz: add a new fuzzer testing memory allocation failures (#1818) | Ivan Nardi | 2022-12-06
|
| Try to fuzz error paths triggered by allocation errors.
|
| Fix some errors already found by this new fuzzer.
|
| Basic idea taken from: https://github.com/harfbuzz/harfbuzz/pull/2566/files
|
| `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` is a standard define used to
| (not)compile specific code in fuzzing builds.
| See: https://llvm.org/docs/LibFuzzer.html
|
* Improve export/print of L4 protocol information (#1799) | Ivan Nardi | 2022-11-13
|
| Close #1797
|
* Fix json export of ipv6 addresses | Nardi Ivan | 2022-11-07
|
| The "string" buffer was too short; better start using `INET6_ADDRSTRLEN`
| as reported in the man page of `inet_ntop`.
|
| Close: #1794
|
* TLS: improve handling of ALPN(s) (#1784) | Ivan Nardi | 2022-10-25
|
| Tell "Advertised" ALPN list from "Negotiated" ALPN; the former is
| extracted from the CH, the latter from the SH.
|
| Add some entries to the known ALPN list.
|
| Fix printing of "TLS Supported Versions" field.
|
* Enhanced HTTP numeric IP check | Luca Deri | 2022-10-22
|
* Reworked severities adding critical and emergency, thus shifting values down | Luca Deri | 2022-10-19
|
* Fix a use-of-uninitialized-value error on PCRE code | Nardi Ivan | 2022-10-17
|
| This is likely a false positive, triggered by the fact that libpcre is
| usually compiled without MASAN support.
| If it was a real error, ASAN would complain loudly with an invalid-free
| error at the end of the same function.
|
| ```
| ==83793==WARNING: MemorySanitizer: use-of-uninitialized-value
|     #0 0x562296111174 in ndpi_compile_rce_regex /home/ivan/svnrepos/nDPI/src/lib/ndpi_utils.c:1631:3
|     #1 0x5622960e3e4a in ndpi_is_rce_injection /home/ivan/svnrepos/nDPI/src/lib/ndpi_utils.c:1636:5
|     #2 0x5622960de7cd in ndpi_validate_url /home/ivan/svnrepos/nDPI/src/lib/ndpi_utils.c:1741:12
|     #3 0x5622960dae45 in ndpi_dpi2json /home/ivan/svnrepos/nDPI/src/lib/ndpi_utils.c:1362:29
|     #4 0x5622960e2751 in ndpi_flow2json /home/ivan/svnrepos/nDPI/src/lib/ndpi_utils.c:1512:10
|     #5 0x562296033b0f in process_ndpi_collected_info /home/ivan/svnrepos/nDPI/example/reader_util.c:1310:9
|     #6 0x5622960501f9 in packet_processing /home/ivan/svnrepos/nDPI/example/reader_util.c:1659:2
|     #7 0x562296045aef in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/example/reader_util.c:2202:10
|     #8 0x562295e85374 in ndpi_process_packet /home/ivan/svnrepos/nDPI/example/ndpiReader.c:3937:7
|     #9 0x7f1235053466 (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x23466) (BuildId: b84c893ea2516d6fb2c1c6726b1fe93b3be78f61)
|     #10 0x7f1235041f67 in pcap_loop (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x11f67) (BuildId: b84c893ea2516d6fb2c1c6726b1fe93b3be78f61)
|     #11 0x562295e53139 in runPcapLoop /home/ivan/svnrepos/nDPI/example/ndpiReader.c:4060:15
|     #12 0x562295e51e7f in processing_thread /home/ivan/svnrepos/nDPI/example/ndpiReader.c:4130:3
|     #13 0x7f1234e53608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
|     #14 0x7f1234d2f132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
|   Uninitialized value was created by an allocation of 'pcreErrorStr' in the stack frame
|     #0 0x5622961108a6 in ndpi_compile_rce_regex /home/ivan/svnrepos/nDPI/src/lib/ndpi_utils.c:1603:3
| ```
|
* Updated protocol dissector serialisation code. (#1767) | Toni | 2022-10-15
|
| Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
| Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
* Added new flow risk NDPI_HTTP_OBSOLETE_SERVER. Currently Apache and nginx ↵ | Luca | 2022-10-04
|
| are supported
|
* Improved NATPMP dissection. (#1745) | Toni | 2022-09-21
|
| Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
| Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
* Build ndpiReader and run regression tests. | Toni Uhlig | 2022-09-21
|
| Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
| Signed-off-by: lns <matzeton@googlemail.com>
| Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
* Add proj and sln for compile of dynamic x64 lib under Visual Studio 2019. | mark andrews | 2022-09-21
|
| * add CI support via MSBuild
|
| Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
* STUN: several improvements | Nardi Ivan | 2022-09-11
|
| Add detection over TCP and fix detection over IPv6.
|
| Rename some variables since Stun dissector is no more "udp-centric".
|
| Stun dissector should always classify the flow as `STUN` or
| `STUN/Something`.
|
| Don't touch `flow->guessed_host_protocol_id` field, which should always
| be related to "ip-classification" only.
|
* Serialize nDPI detection/dissection data as object. (#1725) | Toni | 2022-09-06
|
| Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
| Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
* Add Discord dissector. (#1694) | Toni | 2022-08-03
|
| * fixed RiotGames false positive
|
| Signed-off-by: lns <matzeton@googlemail.com>
|
* Compilation fix (not all compilers like restrict) (part 2) | Luca Deri | 2022-08-03
|
* Improved nDPI JSON serialization. (#1689) | Toni | 2022-08-02
|
| * fixed autoconf CFLAGS/LDFLAGS MSAN issue which could lead to build errors
| * introduced portable version of gmtime_r aka ndpi_gmtime_r
| * do as much as possible of the serialization work in ndpi_utils.c
| * use flow2json in ndpiReader
|
| Signed-off-by: lns <matzeton@googlemail.com>
|
* Improve handling of HTTP-Proxy and HTTP-Connect (#1673) | Ivan Nardi | 2022-07-25
|
| Treat HTTP-Proxy and HTTP-Connect flows like the HTTP ones:
| print/serialize all the attributes and allow parsing of replies.
|
| The line about "1kxun" has been removed to avoid regressions in 1KXUN
| classification in `tests/pcap/1kxun.pcap`. I haven't fully understood what
| was happening but the comment at the beginning of
| `static ndpi_category_match category_match[]` says that we can't have
| overlaps between `host_match` and `category_match` lists and that is no
| longer true since 938e89ca.
|
| Bottom line: removing this line seems the right thing to do, anyway.
|
* Add support for flow client/server information (#1671) | Ivan Nardi | 2022-07-24
|
| In a lot of places in nDPI we use *packet* source/dest info
| (address/port/direction) when we are interested in *flow* client/server
| info, instead.
|
| Add basic logic to autodetect this kind of information.
|
| nDPI doesn't perform any "flow management" itself but this task is
| delegated to the external application. It is then likely that the
| application might provide more reliable hints about flow
| client/server direction and about the TCP handshake presence: in that case,
| this information might be (optionally) passed to the library, disabling
| the internal "autodetect" logic.
|
| These new fields have been used in some LRU caches and in the "guessing"
| algorithm.
| It is quite likely that some other code needs to be updated.
|
* Windows error C2466 fix (array size init with 0). | Zied Aouini | 2022-07-22
|
* Windows compilation fix. | Zied Aouini | 2022-07-22
|
* Added null pointer checks | Luca | 2022-07-14
|
* ASN1/BER: fix signed integer overflow (#1660) | Ivan Nardi | 2022-07-12
|
| ```
| protocols/snmp_proto.c:77:23: runtime error: signed integer overflow: 6 + 2147483647 cannot be represented in type 'int'
|     #0 0x52f69e in ndpi_search_snmp ndpi/src/lib/protocols/snmp_proto.c:77:23
|     #1 0x4c5347 in check_ndpi_detection_func ndpi/src/lib/ndpi_main.c:5211:4
|     #2 0x4c5591 in ndpi_check_flow_func ndpi/src/lib/ndpi_main.c:0
|     #3 0x4c8903 in ndpi_detection_process_packet ndpi/src/lib/ndpi_main.c:6145:15
|     #4 0x4b3712 in LLVMFuzzerTestOneInput ndpi/fuzz/fuzz_process_packet.c:29:5
|     [...]
| ```
|
| Found by oss-fuzzer.
| See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49057
|
* LDAP: rewrite dissection (#1649) | Ivan Nardi | 2022-07-08
|