From b68b45f3bbc0754427f04e393c66a9f3e69188ff Mon Sep 17 00:00:00 2001
From: Nardi Ivan <nardi.ivan@gmail.com>
Date: Sat, 6 Jun 2020 15:54:44 +0200
Subject: TLS: extract JA3 signatures in some corner cases

In some (rare) cases, Client Hello message contains lots of cipher
suits.
---
 src/lib/protocols/tls.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index c9b2d0ee2..007931e19 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -818,14 +818,14 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp
 /* https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */
 
 #define JA3_STR_LEN 1024
-#define MAX_NUM_JA3  128
+#define MAX_NUM_JA3  512
 
 struct ja3_info {
   u_int16_t tls_handshake_version;
   u_int16_t num_cipher, cipher[MAX_NUM_JA3];
   u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3];
   u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3];
-  u_int8_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3];
+  u_int16_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3];
 };
 
 /* **************************************** */
-- 
cgit v1.2.3


From 3669c14afddc30649866a88e7a5f147bdabe6495 Mon Sep 17 00:00:00 2001
From: Nardi Ivan <nardi.ivan@gmail.com>
Date: Fri, 12 Jun 2020 14:11:36 +0200
Subject: DNP3: add missing initialization

---
 src/lib/ndpi_main.c        | 3 +++
 tests/result/dnp3.pcap.out | 3 +--
 2 files changed, 4 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index e34a5a5ee..20c140f4a 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -3288,6 +3288,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
   /* IEC 60870-5-104 */
   init_104_dissector(ndpi_str, &a, detection_bitmask);
 
+  /* DNP3 */
+  init_dnp3_dissector(ndpi_str, &a, detection_bitmask);
+
   /* WEBSOCKET */
   init_websocket_dissector(ndpi_str, &a, detection_bitmask);
 
diff --git a/tests/result/dnp3.pcap.out b/tests/result/dnp3.pcap.out
index 4c9319e5d..5a16e1026 100644
--- a/tests/result/dnp3.pcap.out
+++ b/tests/result/dnp3.pcap.out
@@ -1,5 +1,4 @@
-SOCKS	135	9351	1
-DNP3	408	29403	7
+DNP3	543	38754	8
 
 	1	TCP 10.0.0.8:2828 <-> 10.0.0.3:20000 [proto: 244/DNP3][cat: Network/14][60 pkts/4041 bytes <-> 78 pkts/7164 bytes][Goodput ratio: 17/38][121.83 sec][bytes ratio: -0.279 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 421/302 13044/8439 1926/1115][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 67/92 79/145 5/37][Plen Bins: 64,3,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	2	TCP 10.0.0.9:1080 <-> 10.0.0.3:20000 [proto: 172/SOCKS][cat: Web/5][72 pkts/4659 bytes <-> 63 pkts/4692 bytes][Goodput ratio: 10/27][384.60 sec][bytes ratio: -0.004 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 4732/3049 75028/40127 13787/9968][Pkt Len c2s/s2c min/avg/max/stddev: 60/62 65/74 81/147 7/16][Plen Bins: 96,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-- 
cgit v1.2.3


From d6a97219ea14f0eb4d7d0831d4aefc971878caae Mon Sep 17 00:00:00 2001
From: Nardi Ivan <nardi.ivan@gmail.com>
Date: Tue, 23 Jun 2020 11:27:45 +0200
Subject: Fix use-after-free in http content parsing

---
 src/lib/ndpi_main.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 20c140f4a..957e3b763 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4379,7 +4379,8 @@ static void ndpi_reset_packet_line_info(struct ndpi_packet_struct *packet) {
     packet->http_cookie.len = 0, packet->http_origin.len = 0, packet->http_origin.ptr = NULL,
     packet->http_x_session_type.ptr = NULL, packet->http_x_session_type.len = 0, packet->server_line.ptr = NULL,
     packet->server_line.len = 0, packet->http_method.ptr = NULL, packet->http_method.len = 0,
-    packet->http_response.ptr = NULL, packet->http_response.len = 0, packet->http_num_headers = 0;
+    packet->http_response.ptr = NULL, packet->http_response.len = 0, packet->http_num_headers = 0,
+    packet->forwarded_line.ptr = NULL, packet->forwarded_line.len = 0;
 }
 
 /* ********************************************************************************* */
-- 
cgit v1.2.3


From 317d3ffd3ee6a417a804d79248eb98e0eea5a9de Mon Sep 17 00:00:00 2001
From: Nardi Ivan <nardi.ivan@gmail.com>
Date: Sun, 28 Jun 2020 12:13:21 +0200
Subject: Fix undefined behaviour in internal tests

Error messages:
ndpiReader.c:3211:2: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
ndpiReader.c:3207:5: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'

The errors started popping up since 3d9285f1
---
 src/include/ndpi_define.h.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/include/ndpi_define.h.in b/src/include/ndpi_define.h.in
index be7c21175..13989a60e 100644
--- a/src/include/ndpi_define.h.in
+++ b/src/include/ndpi_define.h.in
@@ -277,7 +277,7 @@
 #define NDPI_SET_BIT(num, n)    num |= 1UL << n
 #define NDPI_CLR_BIT(num, n)    num &= ~(1UL << n)
 #define NDPI_CLR_BIT(num, n)    num &= ~(1UL << n)
-#define NDPI_ISSET_BIT(num, n)  (num & (1 << n))
+#define NDPI_ISSET_BIT(num, n)  (num & (1UL << n))
 #define NDPI_ZERO_BIT(num)      num = 0
 
 /* this is a very very tricky macro *g*,
-- 
cgit v1.2.3