From b68b45f3bbc0754427f04e393c66a9f3e69188ff Mon Sep 17 00:00:00 2001 From: Nardi Ivan Date: Sat, 6 Jun 2020 15:54:44 +0200 Subject: TLS: extract JA3 signatures in some corner cases In some (rare) cases, Client Hello message contains lots of cipher suits. --- src/lib/protocols/tls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index c9b2d0ee2..007931e19 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -818,14 +818,14 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp /* https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */ #define JA3_STR_LEN 1024 -#define MAX_NUM_JA3 128 +#define MAX_NUM_JA3 512 struct ja3_info { u_int16_t tls_handshake_version; u_int16_t num_cipher, cipher[MAX_NUM_JA3]; u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3]; u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3]; - u_int8_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3]; + u_int16_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3]; }; /* **************************************** */ -- cgit v1.2.3 From 3669c14afddc30649866a88e7a5f147bdabe6495 Mon Sep 17 00:00:00 2001 From: Nardi Ivan Date: Fri, 12 Jun 2020 14:11:36 +0200 Subject: DNP3: add missing initialization --- src/lib/ndpi_main.c | 3 +++ tests/result/dnp3.pcap.out | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index e34a5a5ee..20c140f4a 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
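Review bot: `JA3_STR_LEN` stays at 1024 while `MAX_NUM_JA3` is raised from 128 to 512 in the tls.c hunk, so a Client Hello that fills the cipher array will no longer fit in the string buffer; 512 decimal 16-bit values with separators alone can need about 3 KB. The code that formats the JA3 string is outside this hunk, so it is worth confirming that every write is bounded by the remaining space and that a truncated string is not hashed into a fingerprint that looks valid. I would document the coupling next to the defines, e.g. `/* JA3_STR_LEN must cover the longest string MAX_NUM_JA3 entries per list can produce, or the formatter must stop and report truncation */`. Separately, widening the counter to `u_int16_t` also widens the `elliptic_curve_point_format[]` elements because both share one declaration; if only the counter needed the extra range, splitting it as `u_int16_t num_elliptic_curve_point_format; u_int8_t elliptic_curve_point_format[MAX_NUM_JA3];` keeps the elements at the one-byte width point formats have on the wire.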
@@ -3288,6 +3288,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* IEC 60870-5-104 */ init_104_dissector(ndpi_str, &a, detection_bitmask); + /* DNP3 */ + init_dnp3_dissector(ndpi_str, &a, detection_bitmask); + /* WEBSOCKET */ init_websocket_dissector(ndpi_str, &a, detection_bitmask); diff --git a/tests/result/dnp3.pcap.out b/tests/result/dnp3.pcap.out index 4c9319e5d..5a16e1026 100644 --- a/tests/result/dnp3.pcap.out +++ b/tests/result/dnp3.pcap.out @@ -1,5 +1,4 @@ -SOCKS 135 9351 1 -DNP3 408 29403 7 +DNP3 543 38754 8 1 TCP 10.0.0.8:2828 <-> 10.0.0.3:20000 [proto: 244/DNP3][cat: Network/14][60 pkts/4041 bytes <-> 78 pkts/7164 bytes][Goodput ratio: 17/38][121.83 sec][bytes ratio: -0.279 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 421/302 13044/8439 1926/1115][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 67/92 79/145 5/37][Plen Bins: 64,3,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 TCP 10.0.0.9:1080 <-> 10.0.0.3:20000 [proto: 172/SOCKS][cat: Web/5][72 pkts/4659 bytes <-> 63 pkts/4692 bytes][Goodput ratio: 10/27][384.60 sec][bytes ratio: -0.004 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 4732/3049 75028/40127 13787/9968][Pkt Len c2s/s2c min/avg/max/stddev: 60/62 65/74 81/147 7/16][Plen Bins: 96,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] -- cgit v1.2.3 From d6a97219ea14f0eb4d7d0831d4aefc971878caae Mon Sep 17 00:00:00 2001 From: Nardi Ivan Date: Tue, 23 Jun 2020 11:27:45 +0200 Subject: Fix use-after-free in http content parsing --- src/lib/ndpi_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 20c140f4a..957e3b763 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
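Review bot: The expected output updated with the new `init_dnp3_dissector(ndpi_str, &a, detection_bitmask);` call looks inconsistent with itself. The summary now counts all 8 flows (543 packets, 38754 bytes) as DNP3, yet the unchanged flow line for 10.0.0.9:1080 <-> 10.0.0.3:20000 still reads `[proto: 172/SOCKS]`, and its 135 packets / 9351 bytes are exactly what moved out of the old SOCKS summary row. Either the summary and the per-flow report take the protocol from different fields, or the dissector now overrides an earlier SOCKS result for only one of them; which of the two is not visible from this hunk. For an ICS protocol such as DNP3 a consumer alerting on the per-flow label would still see SOCKS here, so I would check which label is intended and add a short comment at the call, such as `/* DNP3: must be registered here or port-20000 flows fall through to other dissectors */`, once that is settled.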
@@ -4379,7 +4379,8 @@ static void ndpi_reset_packet_line_info(struct ndpi_packet_struct *packet) { packet->http_cookie.len = 0, packet->http_origin.len = 0, packet->http_origin.ptr = NULL, packet->http_x_session_type.ptr = NULL, packet->http_x_session_type.len = 0, packet->server_line.ptr = NULL, packet->server_line.len = 0, packet->http_method.ptr = NULL, packet->http_method.len = 0, - packet->http_response.ptr = NULL, packet->http_response.len = 0, packet->http_num_headers = 0; + packet->http_response.ptr = NULL, packet->http_response.len = 0, packet->http_num_headers = 0, + packet->forwarded_line.ptr = NULL, packet->forwarded_line.len = 0; } /* ********************************************************************************* */ -- cgit v1.2.3 From 317d3ffd3ee6a417a804d79248eb98e0eea5a9de Mon Sep 17 00:00:00 2001 From: Nardi Ivan Date: Sun, 28 Jun 2020 12:13:21 +0200 Subject: Fix undefined behaviour in internal tests Error messages: ndpiReader.c:3211:2: runtime error: left shift of 1 by 31 places cannot be represented in type 'int' ndpiReader.c:3207:5: runtime error: left shift of 1 by 31 places cannot be represented in type 'int' The errors started popping up since 3d9285f1 --- src/include/ndpi_define.h.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/include/ndpi_define.h.in b/src/include/ndpi_define.h.in index be7c21175..13989a60e 100644 --- a/src/include/ndpi_define.h.in +++ b/src/include/ndpi_define.h.in @@ -277,7 +277,7 @@ #define NDPI_SET_BIT(num, n) num |= 1UL << n #define NDPI_CLR_BIT(num, n) num &= ~(1UL << n) #define NDPI_CLR_BIT(num, n) num &= ~(1UL << n) -#define NDPI_ISSET_BIT(num, n) (num & (1 << n)) +#define NDPI_ISSET_BIT(num, n) (num & (1UL << n)) #define NDPI_ZERO_BIT(num) num = 0 /* this is a very very tricky macro *g*, -- cgit v1.2.3
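Review bot: `ndpi_reset_packet_line_info()` still depends on a hand-maintained comma chain naming every line field, which is how `forwarded_line` was missed and left pointing into a previous packet's payload; the added line fixes that one member but not the pattern. The function body starts outside this hunk, so I cannot tell whether every other pointer member (the visible `http_cookie.len = 0` has no matching `.ptr` reset in view) is cleared. I would at least add a comment above the function, `/* Every ndpi_int_one_line_struct member of ndpi_packet_struct must be reset here; a missed one keeps a dangling pointer into the old payload */`, and write each reset as its own statement so a new field shows up as a one-line diff. Grouping the line fields in one sub-struct that can be cleared with a single `memset` would remove this class of bug, if the struct layout allows it.

Review bot: The corrected `NDPI_ISSET_BIT` in ndpi_define.h.in still expands its arguments unparenthesized, so a call such as `NDPI_ISSET_BIT(a | b, i + 1)` parses as `a | (b & (1UL << i)) + ...` rather than what the caller meant; I would write it as `#define NDPI_ISSET_BIT(num, n) ((num) & (1UL << (n)))`. The context lines show the same problem in `NDPI_SET_BIT` and `NDPI_CLR_BIT`, and `NDPI_CLR_BIT` is defined twice. Note also that `1UL` is 32 bits wide on LLP64 targets, so the shift stays undefined for `n >= 32` there; if any caller uses a 64-bit bitmap, `1ULL` or a cast to the type of `num` would be the safer constant.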