From 95ac8fd41a90e2aa8ddb61509160b8281ebb3ff8 Mon Sep 17 00:00:00 2001
From: Nardi Ivan
Date: Mon, 23 Aug 2021 14:30:29 +0200
Subject: STUN: fix extraction of Realm attribute While at it, improve detection of Facebook Messenger
---
 src/lib/protocols/stun.c | 17 ++++++++---------
 tests/pcap/stun_facebook.pcapng | Bin 0 -> 13492 bytes
 tests/result/stun_facebook.pcapng.out | 7 +++++++
 3 files changed, 15 insertions(+), 9 deletions(-)
 create mode 100644 tests/pcap/stun_facebook.pcapng
 create mode 100644 tests/result/stun_facebook.pcapng.out
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index f89239f7a..2f14639c9 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -346,17 +346,13 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
 u_int16_t realm_len = ntohs(*((u_int16_t*)&payload[offset+2])); if(flow->host_server_name[0] == '\0') { - u_int j, i = (realm_len > sizeof(flow->host_server_name)) ? sizeof(flow->host_server_name) : realm_len; + u_int i; u_int k = offset+4; - memset(flow->host_server_name, 0, sizeof(flow->host_server_name)); - - for(j=0; jhost_server_name[j] = payload[k++]; - else - break; - } + i = ndpi_min(realm_len, sizeof(flow->host_server_name) - 1); + i = ndpi_min(i, payload_length - k); + memcpy(flow->host_server_name, payload + k, i); + flow->host_server_name[i] = '\0'; #ifdef DEBUG_STUN printf("==> [%s]\n", flow->host_server_name);
@@ -368,6 +364,9 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
 } else if(strstr((char*) flow->host_server_name, "whispersystems.org") != NULL) {
 flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL;
 return(NDPI_IS_STUN);
+ } else if(strstr((char*) flow->host_server_name, "facebook") != NULL) {
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER;
+ return(NDPI_IS_STUN);
 }
 }
 }
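Review bot: `payload_length - k` in the second `ndpi_min()` is only safe if `k = offset+4` can never exceed `payload_length`, and nothing visible in this hunk establishes that. Because `k` is declared `u_int`, the subtraction is presumably done in unsigned arithmetic, so if the enclosing loop (which starts outside the hunk) ever lets `offset+4` pass the end of the packet, the difference wraps to a huge value. The clamp then keeps the `realm_len`-derived length, and `memcpy` reads past a payload whose length fields are chosen by the sender. Making the bound explicit keeps the copy self-contained: `i = (k < payload_length) ? ndpi_min(i, payload_length - k) : 0;`. The same precondition covers the two-byte `realm_len` read at `payload[offset+2]` on the context line above, so a one-line comment naming the loop condition that guarantees it would help the next reader.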
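Review bot: The new `strstr(..., "facebook")` branch matches the substring anywhere in the Realm, so any realm that merely contains `facebook` is labelled `NDPI_PROTOCOL_MESSENGER`. The Realm is copied straight out of the packet by the code in the previous hunk, so its value is set by whichever peer sent it and the label is a heuristic, as the field name `guessed_host_protocol_id` already hints. Worth stating at the branch, e.g. `/* Realm is peer-supplied: substring match is a guess, not proof of the service */`, so that consumers enforcing policy on this label do not treat it as authenticated. The expected output added by this commit shows the realm `turner.facebook`; if observed realms always end that way, comparing against the expected suffix would be tighter than matching anywhere in the string. The `else if` chain begins outside this hunk.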
diff --git a/tests/pcap/stun_facebook.pcapng b/tests/pcap/stun_facebook.pcapng
new file mode 100644
index 000000000..bb789c71d
Binary files /dev/null and b/tests/pcap/stun_facebook.pcapng differ
diff --git a/tests/result/stun_facebook.pcapng.out b/tests/result/stun_facebook.pcapng.out
new file mode 100644
index 000000000..bf7b1dd27
--- /dev/null
+++ b/tests/result/stun_facebook.pcapng.out
@@ -0,0 +1,7 @@
+Guessed flow protos: 0
+
+DPI Packets (UDP): 2 (2.00 pkts/flow)
+
+Messenger 75 10554 1
+
+ 1 UDP 192.168.12.169:38123 <-> 31.13.86.54:40003 [proto: 78.157/STUN.Messenger][Encrypted][cat: VoIP/10][40 pkts/6134 bytes <-> 35 pkts/4420 bytes][Goodput ratio: 73/67][10.09 sec][Host: turner.facebook][bytes ratio: 0.162 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 260/331 6004/5997 1040/1126][Pkt Len c2s/s2c min/avg/max/stddev: 70/68 153/126 190/174 31/39][Risk: ** Known protocol on non standard port **][Risk Score: 10][PLAIN TEXT (unauthorized)][Plen Bins: 8,14,9,28,40,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-- cgit v1.2.3