1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
|
From 8fed2be3d5b83949fabb2bdf39d6de4f24d2e68f Mon Sep 17 00:00:00 2001
From: Christian Marangi <ansuelsmth@gmail.com>
Date: Mon, 30 Oct 2023 18:10:51 +0100
Subject: [PATCH] Move from PCRE to PCRE2
Move from PCRE to PCRE2. PCRE is EOL and won't receive any security
updates anymore. Convert to PCRE2 by converting any function PCRE2 new
API.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
---
configure.ac | 18 ++++----
src/lib/ndpi_utils.c | 46 ++++++++++-----------
src/lib/third_party/include/rce_injection.h | 6 +--
tests/do.sh.in | 4 +-
4 files changed, 37 insertions(+), 37 deletions(-)
--- a/configure.ac
+++ b/configure.ac
@@ -359,14 +359,14 @@ AS_IF([test "${with_local_libgcrypt+set}
AC_DEFINE_UNQUOTED(USE_HOST_LIBGCRYPT, 1, [Use locally installed libgcrypt instead of builtin gcrypt-light])
])
-dnl> PCRE
-PCRE_ENABLED=0
-AC_ARG_WITH(pcre, AS_HELP_STRING([--with-pcre], [Enable nDPI build with libpcre]))
-if test "${with_pcre+set}" = set; then :
- AC_CHECK_LIB(pcre, pcre_compile, AC_DEFINE_UNQUOTED(HAVE_PCRE, 1, [libpcre(-dev) is present]))
- if test "x$ac_cv_lib_pcre_pcre_compile" = xyes; then :
- ADDITIONAL_LIBS="${ADDITIONAL_LIBS} -lpcre"
- PCRE_ENABLED=1
+dnl> PCRE2
+PCRE2_ENABLED=0
+AC_ARG_WITH(pcre2, AS_HELP_STRING([--with-pcre2], [Enable nDPI build with libpcre2]))
+if test "${with_pcre2+set}" = set; then :
+ AC_CHECK_LIB(pcre2-8, pcre2_compile_8, AC_DEFINE_UNQUOTED(HAVE_PCRE2, 1, [libpcre2(-dev) is present]))
+ if test "x$ac_cv_lib_pcre2_8_pcre2_compile_8" = xyes; then :
+ ADDITIONAL_LIBS="${ADDITIONAL_LIBS} -lpcre2-8"
+ PCRE2_ENABLED=1
fi
fi
@@ -420,7 +420,7 @@ AC_SUBST(GPROF_CFLAGS)
AC_SUBST(GPROF_LIBS)
AC_SUBST(GPROF_ENABLED)
AC_SUBST(USE_HOST_LIBGCRYPT)
-AC_SUBST(PCRE_ENABLED)
+AC_SUBST(PCRE2_ENABLED)
AC_SUBST(NBPF_ENABLED)
AC_SUBST(HANDLE_TLS_SIGS)
AC_SUBST(DISABLE_NPCAP)
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -62,12 +62,12 @@
// #define DEBUG_REASSEMBLY
-#ifdef HAVE_PCRE
-#include <pcre.h>
+#ifdef HAVE_PCRE2
+#define PCRE2_CODE_UNIT_WIDTH 8
+#include <pcre2.h>
-struct pcre_struct {
- pcre *compiled;
- pcre_extra *optimized;
+struct pcre2_struct {
+ pcre2_code *compiled;
};
#endif
@@ -1712,18 +1712,19 @@ static int ndpi_is_xss_injection(char* q
/* ********************************** */
-#ifdef HAVE_PCRE
+#ifdef HAVE_PCRE2
static void ndpi_compile_rce_regex() {
- const char *pcreErrorStr = NULL;
- int pcreErrorOffset;
+ PCRE2_UCHAR pcreErrorStr[128];
+ PCRE2_SIZE pcreErrorOffset;
+ int pcreErrorCode;
for(int i = 0; i < N_RCE_REGEX; i++) {
- comp_rx[i] = (struct pcre_struct*)ndpi_malloc(sizeof(struct pcre_struct));
+ comp_rx[i] = (struct pcre2_struct*)ndpi_malloc(sizeof(struct pcre2_struct));
- comp_rx[i]->compiled = pcre_compile(rce_regex[i], 0, &pcreErrorStr,
+ comp_rx[i]->compiled = pcre2_compile((PCRE2_SPTR)rce_regex[i], PCRE2_ZERO_TERMINATED, 0, &pcreErrorCode,
&pcreErrorOffset, NULL);
-
+ pcre2_get_error_message(pcreErrorCode, pcreErrorStr, 128);
if(comp_rx[i]->compiled == NULL) {
#ifdef DEBUG
NDPI_LOG_ERR(ndpi_str, "ERROR: Could not compile '%s': %s\n", rce_regex[i],
@@ -1733,17 +1734,16 @@ static void ndpi_compile_rce_regex() {
continue;
}
- comp_rx[i]->optimized = pcre_study(comp_rx[i]->compiled, 0, &pcreErrorStr);
+ pcreErrorCode = pcre2_jit_compile(comp_rx[i]->compiled, PCRE2_JIT_COMPLETE);
#ifdef DEBUG
- if(pcreErrorStr != NULL) {
- NDPI_LOG_ERR(ndpi_str, "ERROR: Could not study '%s': %s\n", rce_regex[i],
+ if(pcreErrorCode < 0) {
+ pcre2_get_error_message(pcreErrorCode, pcreErrorStr, 128);
+ NDPI_LOG_ERR(ndpi_str, "ERROR: Could not jit compile '%s': %s\n", rce_regex[i],
pcreErrorStr);
}
#endif
}
-
- ndpi_free((void *)pcreErrorStr);
}
static int ndpi_is_rce_injection(char* query) {
@@ -1752,17 +1752,17 @@ static int ndpi_is_rce_injection(char* q
initialized_comp_rx = 1;
}
+ pcre2_match_data *pcreMatchData;
int pcreExecRet;
- int subStrVec[30];
for(int i = 0; i < N_RCE_REGEX; i++) {
unsigned int length = strlen(query);
- pcreExecRet = pcre_exec(comp_rx[i]->compiled,
- comp_rx[i]->optimized,
- query, length, 0, 0, subStrVec, 30);
-
- if(pcreExecRet >= 0) {
+ pcreMatchData = pcre2_match_data_create_from_pattern(comp_rx[i]->compiled, NULL);
+ pcreExecRet = pcre2_match(comp_rx[i]->compiled,
+ (PCRE2_SPTR)query, length, 0, 0, pcreMatchData, NULL);
+ pcre2_match_data_free(pcreMatchData);
+ if(pcreExecRet > 0) {
return 1;
}
#ifdef DEBUG
@@ -1852,7 +1852,7 @@ ndpi_risk_enum ndpi_validate_url(char *u
rc = NDPI_URL_POSSIBLE_XSS;
else if(ndpi_is_sql_injection(decoded))
rc = NDPI_URL_POSSIBLE_SQL_INJECTION;
-#ifdef HAVE_PCRE
+#ifdef HAVE_PCRE2
else if(ndpi_is_rce_injection(decoded))
rc = NDPI_URL_POSSIBLE_RCE_INJECTION;
#endif
--- a/src/lib/third_party/include/rce_injection.h
+++ b/src/lib/third_party/include/rce_injection.h
@@ -1,4 +1,4 @@
-#ifdef HAVE_PCRE
+#ifdef HAVE_PCRE2
#ifndef NDPI_RCE_H
#define NDPI_RCE_H
@@ -8,7 +8,7 @@
#define N_RCE_REGEX 7
/* Compiled regex */
-static struct pcre_struct *comp_rx[N_RCE_REGEX];
+static struct pcre2_struct *comp_rx[N_RCE_REGEX];
static unsigned int initialized_comp_rx = 0;
@@ -615,4 +615,4 @@ static const char *pwsh_commands[] = {
"-PSConsoleFile"
};
-#endif //HAVE_PCRE
\ No newline at end of file
+#endif //HAVE_PCRE2
\ No newline at end of file
--- a/tests/do.sh.in
+++ b/tests/do.sh.in
@@ -26,7 +26,7 @@ CMD_COLORDIFF="$(which colordiff)"
EXE_SUFFIX=@EXE_SUFFIX@
GPROF_ENABLED=@GPROF_ENABLED@
-PCRE_ENABLED=@PCRE_ENABLED@
+PCRE2_ENABLED=@PCRE2_ENABLED@
PCRE_PCAPS="WebattackRCE.pcap"
NBPF_ENABLED=@NBPF_ENABLED@
NBPF_PCAPS="h323-overflow.pcap"
@@ -84,7 +84,7 @@ check_results() {
[ $SKIP_PCAP = 1 ] && continue
fi
SKIP_PCAP=0
- if [ $PCRE_ENABLED -eq 0 ]; then
+ if [ $PCRE2_ENABLED -eq 0 ]; then
for p in $PCRE_PCAPS; do
if [ $f = $p ]; then
SKIP_PCAP=1
|