From 9f27cd56b01db4c45fd5c3de8375b5287f9c72ce Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Mon, 30 Jan 2023 10:59:18 +0100
Subject: ndpiReader: fix packet dissection (CAPWAP and TSO) (#1878)

Fix decapsulation of CAPWAP; we are interested only in "real" user data
tunneled via CAPWAP.
When Tcp Segmentation Offload is enabled in the NIC, the received packet
might have 0 as "ip length" in the IPv4 header
(see
https://osqa-ask.wireshark.org/questions/16279/why-are-the-bytes-00-00-but-wireshark-shows-an-ip-total-length-of-2016/)

The effect of these two bugs was that some packets were discarded.

Be sure that flows order is deterministic
---
 example/ndpiReader.c  | 1 +
 example/reader_util.c | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

(limited to 'example')

diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 66706044a..925592de9 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -656,6 +656,7 @@ int cmpFlows(const void *_a, const void *_b) {
   if(htons(fa->src_port) < htons(fb->src_port)) return(-1); else { if(htons(fa->src_port) > htons(fb->src_port)) return(1); }
   if(htonl(fa->dst_ip)   < htonl(fb->dst_ip)  ) return(-1); else { if(htonl(fa->dst_ip)   > htonl(fb->dst_ip)  ) return(1); }
   if(htons(fa->dst_port) < htons(fb->dst_port)) return(-1); else { if(htons(fa->dst_port) > htons(fb->dst_port)) return(1); }
+  if(fa->vlan_id < fb->vlan_id) return(-1); else { if(fa->vlan_id > fb->vlan_id) return(1); }
   return(0);
 }
 
diff --git a/example/reader_util.c b/example/reader_util.c
index 5c2a45914..62fa3046a 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1465,7 +1465,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
     flow = get_ndpi_flow_info(workflow, IPVERSION, vlan_id,
 			      tunnel_type, iph, NULL,
 			      ip_offset, ipsize,
-			      ntohs(iph->tot_len) - (iph->ihl * 4),
+			      ntohs(iph->tot_len) ? (ntohs(iph->tot_len) - (iph->ihl * 4)) : ipsize - (iph->ihl * 4) /* TSO */,
 			      iph->ihl * 4,
 			      &tcph, &udph, &sport, &dport,
 			      &proto,
@@ -2228,7 +2228,8 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
 
 	    offset += msg_len;
 
-	    if((offset + 32 < header->caplen)) {
+	    if((offset + 32 < header->caplen) &&
+	       (packet[offset + 1] == 0x08)) {
 	      /* IEEE 802.11 Data */
 	      offset += 24;
 	      /* LLC header is 8 bytes */
-- 
cgit v1.2.3