From 6c1accd2bdca957b0979707b7f789ae8b5a63334 Mon Sep 17 00:00:00 2001 From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> Date: Mon, 21 Feb 2022 20:30:22 +0100 Subject: DTLS: fix access to certificate cache (#1450) ``` protocols/tls.c:650:54: runtime error: member access within null pointer of type 'const struct ndpi_tcphdr' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/tls.c:650:54 in protocols/tls.c:650:54: runtime error: load of null pointer of type 'const u_int16_t' (aka 'const unsigned short') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/tls.c:650:54 in AddressSanitizer:DEADLYSIGNAL ================================================================= ==47401==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55f7a61b661c bp 0x7f38190f91b0 sp 0x7f38190f70e0 T1) ==47401==The signal is caused by a READ memory access. ==47401==Hint: address points to the zero page. #0 0x55f7a61b661c in processCertificateElements /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:650:41 #1 0x55f7a61ac3cc in processCertificate /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:792:7 #2 0x55f7a61d34e1 in processTLSBlock /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:846:13 ``` --- src/lib/protocols/tls.c | 2 +- tests/pcap/dtls_certificate.pcapng | Bin 0 -> 1632 bytes tests/result/dtls_certificate.pcapng.out | 12 ++++++++++++ 3 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 tests/pcap/dtls_certificate.pcapng create mode 100644 tests/result/dtls_certificate.pcapng.out diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 1ab3dd85c..8214ede04 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c 
@@ -646,7 +646,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi if(ndpi_struct->tls_cert_cache == NULL) ndpi_struct->tls_cert_cache = ndpi_lru_cache_init(1024); - if(ndpi_struct->tls_cert_cache && packet->iph) { + if(ndpi_struct->tls_cert_cache && packet->iph && packet->tcp) { u_int32_t key = packet->iph->saddr + packet->tcp->source; /* Server */ ndpi_lru_add_to_cache(ndpi_struct->tls_cert_cache, key, proto_id); diff --git a/tests/pcap/dtls_certificate.pcapng b/tests/pcap/dtls_certificate.pcapng new file mode 100644 index 000000000..ddf6f02c9 Binary files /dev/null and b/tests/pcap/dtls_certificate.pcapng differ diff --git a/tests/result/dtls_certificate.pcapng.out b/tests/result/dtls_certificate.pcapng.out new file mode 100644 index 000000000..be5f414ca --- /dev/null +++ b/tests/result/dtls_certificate.pcapng.out @@ -0,0 +1,12 @@ +Guessed flow protos: 0 + +DPI Packets (UDP): 1 (1.00 pkts/flow) +Confidence DPI : 1 (flows) + +WindowsUpdate 1 1486 1 + +JA3 Host Stats: + IP Address # JA3C + + + 1 UDP 191.62.60.190:443 -> 163.205.15.180:38876 [proto: 91.147/TLS.WindowsUpdate][Encrypted][Confidence: DPI][cat: SoftwareUpdate/19][1 pkts/1486 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][< 1 sec][Risk: ** Known Protocol on Non Standard Port **** TLS Expired Certificate **][Risk Score: 150][JA3S: 953c1507994f72697446de4eff6e300b][Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Update Secure Server CA 1][Subject: C=US, ST=Washington, L=Redmond, O=Microsoft, OU=DSP, CN=www.update.microsoft.com][Certificate SHA-1: D1:88:0F:51:C1:01:91:72:A1:A4:6E:69:F4:33:7F:FE:3E:C4:F0:39][Validity: 2017-02-27 12:00:00 - 2019-02-27 00:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][PLAIN TEXT (Washington1)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0] -- cgit v1.2.3
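Review bot: The added `packet->tcp` test on the cache-insert condition stops the NULL dereference, but nothing next to it says why a TLS certificate path can be reached with no TCP header, so a later cleanup could remove the guard again. A comment above the `if`, such as `/* DTLS reaches this path over UDP, where packet->tcp is NULL; only TCP flows are cached */`, would record the reason. The guard also means certificates seen over DTLS are never added to `tls_cert_cache`; if that is not intended, the key needs a UDP branch (presumably using `packet->udp->source`, to be confirmed against the lookup side, which is not in this hunk). Separately, the key `packet->iph->saddr + packet->tcp->source` is a plain sum, so distinct address/port pairs can land on the same entry and pick up another server's `proto_id`; it is worth confirming that a collision can only cost classification accuracy. processCertificateElements starts and ends outside the hunk.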