From 0f168d9150cfcc94464b84591605a2c5e17c728e Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Thu, 11 Nov 2021 11:55:56 +0100
Subject: IMAP, POP3, SMTP: improve dissection (#1368)

Avoid NATS false positives
---
 src/lib/protocols/nats.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'src/lib/protocols/nats.c')
diff --git a/src/lib/protocols/nats.c b/src/lib/protocols/nats.c
index a036303e8..d93c11b76 100644
--- a/src/lib/protocols/nats.c
+++ b/src/lib/protocols/nats.c
@@ -51,10 +51,15 @@ void ndpi_search_nats_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 for(i=0; commands[i] != NULL; i++) {
 char *match = ndpi_strnstr((const char *)packet->payload, commands[i],
- packet->payload_packet_len);
+ ndpi_min(strlen(commands[i]), packet->payload_packet_len));
 if(!match) continue;
+ /* These commands are used by POP3 too. To avoid false positives, look for the other ones */
+ if((strcmp(commands[i], "+OK") == 0) || (strcmp(commands[i], "-ERR") == 0)) {
+ return;
+ }
+
 if(ndpi_strnstr((const char *)match, "\r\n", packet->payload_packet_len - ((size_t)match - (size_t)packet->payload)) != NULL) {
 NDPI_LOG_INFO(ndpi_struct, "found NATS\n");
-- 
cgit v1.2.3
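Review bot: The early `return` added for `+OK`/`-ERR` leaves the function without reaching whatever follows the `for` loop, which lies outside this hunk; if the flow is excluded from NATS there, a POP3 flow will keep being handed to this dissector on later packets, so that is worth confirming. Assuming `ndpi_strnstr` only searches the first `len` bytes, capping the length at `strlen(commands[i])` means a match can only sit at offset 0, so no other command can match the same payload and the comment's "look for the other ones" really means "decide on a later packet". I would reword it to say so, e.g. `/* +OK and -ERR are also POP3 replies: do not classify on this packet, wait for another NATS command */`. The comment should also note that a NATS flow whose inspected packets carry only these two replies stays unclassified, since that affects any policy or alerting keyed on the NATS label.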