From 1d155ab2ebb29f30e830713c1b8eefecd03a16d1 Mon Sep 17 00:00:00 2001
From: u-devel <36368802+u-devel@users.noreply.github.com>
Date: Sun, 13 Jan 2019 00:07:45 +0600
Subject: FIX H.323 broken detection

TPKT header length field can have value more then 255, and in fact in all of the cases I've met it is more then 255.
Thus checking real H.323 packet like this:
(packet->payload[2] == 0x00)
stop detecting H.323 conversation at all.
---
 src/lib/protocols/h323.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/protocols/h323.c b/src/lib/protocols/h323.c
index ddbcdadf3..d407c981b 100644
--- a/src/lib/protocols/h323.c
+++ b/src/lib/protocols/h323.c
@@ -31,8 +31,7 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n
     /* H323  */
     if(packet->payload_packet_len >= 3
        && (packet->payload[0] == 0x03)
-       && (packet->payload[1] == 0x00)
-       && (packet->payload[2] == 0x00)) {
+       && (packet->payload[1] == 0x00)) {
 	struct tpkt *t = (struct tpkt*)packet->payload;
 	u_int16_t len = ntohs(t->len);
 
-- 
cgit v1.2.3