| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
```
=================================================================
==17655==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x71053b8a702a at pc 0x5e6f1ed825a2 bp 0x7095389f1d10 sp 0x7095389f1d08
READ of size 1 at 0x71053b8a702a thread T1
#0 0x5e6f1ed825a1 in ndpi_init_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7890:10
#1 0x5e6f1ed94bb2 in ndpi_internal_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:9768:6
#2 0x5e6f1ed92f9f in ndpi_detection_process_packet /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:10065:22
#3 0x5e6f1ebe7a2e in packet_processing /home/ivan/svnrepos/nDPI/example/reader_util.c:1985:31
#4 0x5e6f1ebdffd2 in ndpi_workflow_process_packet /home/ivan/svnrepos/nDPI/example/reader_util.c:2730:10
#5 0x5e6f1ea5da49 in ndpi_process_packet /home/ivan/svnrepos/nDPI/example/ndpiReader.c:4751:7
#6 0x74953c48763e (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x2d63e) (BuildId: d0c6c787d35246d7107d600c893454c1fcbaf262)
#7 0x74953c4688e7 in pcap_loop (/lib/x86_64-linux-gnu/libpcap.so.0.8+0xe8e7) (BuildId: d0c6c787d35246d7107d600c893454c1fcbaf262)
```
Found by oss-fuzz
|
| |
|
|
| |
Added ndpi finalization in case protocols are dumped
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The main difference is that the memory is allocated at runtime
Typical usercase:
```
struct ndpi_bitmask b;
ndpi_bitmask_alloc(&b, ndpi_get_num_internal_protocols());
ndpi_bitmask_set(&b, $BIT);
ndpi_bitmask_is_set(&b, $BIT);
[...]
ndpi_bitmask_dealloc(&b);
```
See #2136
|
| |
|
| |
Close #2594
|
| |
|
|
| |
direction
|
| | |
|
| |
|
|
| |
PCRE2 is now enabled (if present) by default as necessary to report some HTTP risks
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Partial revert of 88bfe2cf0: in the trees we save the index and no more
a pointer to `ndpi_struct->proto_defaults[]`.
Remove same functions from public API
See #2136
|
| | |
|
| |
|
|
| |
Implements same optimization pattern as #2867
No behavior changes, just faster lookup
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Split the internal logic:
* update `ndpi_str->proto_defaults[]` array
* update the `default_ports_tree_node_t` trees
This is a preliminary work to have dynamic allocated
`ndpi_str->proto_defaults[]`, because in the tree we have a pointer to
the array entries
|
| |
|
| |
Add an explicit field to indicate if the protocol is custom or internal
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We want to get rid of the defines `NDPI_MAX_SUPPORTED_PROTOCOLS` and
`NDPI_MAX_NUM_CUSTOM_PROTOCOLS`.
You can use:
```
ndpi_get_num_protocols()
```
See #2136
Removed some unused functions from public API
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`ndpi_set_protocol_detection_bitmask2()` (#2853)
The main goal is not to have the bitmask depending on the total number
of protocols anymore: `NDPI_INTERNAL_PROTOCOL_BITMASK` depends only on
internal protocols, i.e. on `NDPI_MAX_INTERNAL_PROTOCOLS`, i.e.
custom-defined protocols are not counted.
See #2136
Keep the old data structure `NDPI_PROTOCOL_BITMASK` with the old
semantic.
Since we need to change the API (and all the application code...)
anyway, simplify the API: by default all the protocols are enabled.
If you need otherwise, please use `ndpi_init_detection_module_ext()`
instead of `ndpi_init_detection_module()` (you can find an example in
the `ndpiReader` code).
To update the application code you likely only need to remove these 3
lines from your code:
```
- NDPI_PROTOCOL_BITMASK all;
- NDPI_BITMASK_SET_ALL(all);
- ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
```
Removed an unused field and struct definition.
|
| | |
|
| | |
|
| |
|
|
| |
Improved lists file parsing
|
| | |
|
| |
|
|
| |
Added --protocols-list-dir <dir> to ndpiReader for loading IP_based protocol
|
| |
|
|
|
| |
Add some new tests about these configuration parameters.
Close #2858
|
| | |
|
| |
|
| |
Ad a trivial example, update SIP configuration to use range
|
| | |
|
| | |
|
| |
|
| |
Callback functions are about dissectors, not protocols
|
| |
|
|
|
|
| |
We should be able to identified this protocol on the first packet,
without keeping any state
Close #2745
|
| | |
|
| | |
|
| |
|
| |
See #2827
|
| |
|
| |
Close #2807
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We use `registr_dissector()` instead of
`ndpi_set_bitmask_protocol_detection()`.
Every file in `src/lib/protocols/*.c` is a dissector.
Every dissector can handle multiple protocols.
The real goal is this small change:
```
struct call_function_struct {
- NDPI_PROTOCOL_BITMASK detection_bitmask;
```
i.e. getting rid of another protocol bitmask: this is mandatory to try
to fix #2136 (see also e845e8205b68752c997d05224d8b2fd45acde714)
As a nice side effect, we remove a bitmask comparison in the hot function
`check_ndpi_detection_func()`
TODO: change logging configuration from per-protocol to per-dissector
|
| |
|
|
|
|
|
|
|
| |
- default (0) is the native nDPI format
- MuonOF (1) has been added
The format can be changed using metadata.tcp_fingerprint_format
Added ability to identify mass scanners using TCP fingerprint
|
| | |
|
| | |
|
| |
|
|
| |
IPP is identified *only* as HTTP subprotocol, so it can't be over UDP
(HTTP is only over TCP...)
|
| |
|
| |
Co-authored-by: Ivan Nardi <nardi.ivan@gmail.com>
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't use the same id for the same protocol identified via L3 info or
via standard TCP/UDP detection (example: ospf ip_proto 0x59 or TCP port
2604)
Before:
```
ivan@ivan-Precision-3591:~/svnrepos/nDPI(dev)$ ./example/ndpiReader -H | grep -wE 'OSPF|IPSec|AH|ESP|IP_OSPF'
79 79 IPSec UDP X Safe VPN 500,4500 500
85 85 OSPF X Acceptable Network - 2604
```
After:
```
ivan@ivan-Precision-3591:~/svnrepos/nDPI(ospf-ipsec)$ ./example/ndpiReader -H | grep -wE 'OSPF|IPSec|AH|ESP|IP_OSPF'
79 79 IPSec UDP X Safe VPN 500,4500 500
85 85 IP_OSPF X Acceptable Network - -
116 116 AH X Safe VPN - -
117 117 ESP X Safe VPN - -
184 184 OSPF TCP X Safe Network - 2604
```
|
| |
|
| |
See: c590dc495
|