Permalink
Browse files

Fix for avoid wrong substring match to happen

  • Loading branch information...
lucaderi committed Feb 10, 2019
1 parent ddf0066 commit 0c4fada265b7932688c0bec6fa8229b9907f5831
Showing with 33 additions and 10 deletions.
  1. +33 −10 src/lib/ndpi_main.c
@@ -1991,21 +1991,38 @@ static int ac_match_handler(AC_MATCH_t *m, AC_TEXT_t *txt, AC_REP_t *match) {
m->match_num, m->patterns->astring);
#endif

{
char *whatfound = strstr(buf, m->patterns->astring);

#ifdef MATCH_DEBUG
printf("[NDPI] %s() [searching=%s][pattern=%s][%s][%c]\n",
__FUNCTION__, buf, m->patterns->astring,
whatfound ? whatfound : "<NULL>",
whatfound[-1]);
#endif

/*
The patch below allows in case of pattern ws.amazon.com
to avoid matching aws.amazon.com whereas a.ws.amazon.com
has to match
*/
if(whatfound && (whatfound != buf) && (whatfound[-1] != '.'))
return(0);
}

/*
Return 1 for stopping to the first match.
We might consider searching for the more
specific match, paying more cpu cycles.
*/

memcpy(match, &m->patterns[0].rep, sizeof(AC_REP_t));

if(((buf_len >= min_len) && (strncmp(&buf[buf_len-min_len], m->patterns->astring, min_len) == 0))
|| (strncmp(buf, m->patterns->astring, min_len) == 0) /* begins with */
)
{
) {
#ifdef MATCH_DEBUG
printf("Found match [%s][%s] [len: %u][proto_id: %u]\n",
buf, m->patterns->astring, min_len, *matching_protocol_id);
buf, m->patterns->astring, min_len , *matching_protocol_id);
#endif
return(1); /* If the pattern found matches the string at the beginning we stop here */
} else
@@ -2301,8 +2318,8 @@ int ndpi_match_string(void *_automa, char *string_to_match) {
int ndpi_match_string_id(void *_automa, char *string_to_match, unsigned long *id) {
AC_TEXT_t ac_input_text;
AC_AUTOMATA_t *automa = (AC_AUTOMATA_t*)_automa;
AC_REP_t match = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_UNRATED };
AC_REP_t match = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_UNRATED };

*id = -1;
if((automa == NULL)
|| (string_to_match == NULL)
@@ -2340,9 +2357,12 @@ static int hyperscanCustomEventHandler(unsigned int id,

static int ndpi_match_custom_category(struct ndpi_detection_module_struct *ndpi_struct,
char *name, unsigned long *id) {
/* printf("[NDPI] %s(%s)\n", __FUNCTION__, name); */
#ifdef DEBUG
printf("[NDPI] %s(%s) [enable_category_substring_match: %u]\n",
__FUNCTION__, name, ndpi_struct->enable_category_substring_match);
#endif

if(!ndpi_struct->enable_category_substring_match) {
if(ndpi_struct->enable_category_substring_match == 0) {
if(ndpi_struct->custom_categories.hostnames_hash == NULL)
return(-1);
else {
@@ -2731,7 +2751,8 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_mod,
if(sscanf(value, "%u-%u", (u_int32_t *)&range.port_low, (u_int32_t *)&range.port_high) != 2)
range.port_low = range.port_high = atoi(&elem[4]);
if(do_add)
addDefaultPort(ndpi_mod, &range, def, 1 /* Custom user proto */, is_tcp ? &ndpi_mod->tcpRoot : &ndpi_mod->udpRoot, __FUNCTION__,__LINE__);
addDefaultPort(ndpi_mod, &range, def, 1 /* Custom user proto */,
is_tcp ? &ndpi_mod->tcpRoot : &ndpi_mod->udpRoot, __FUNCTION__,__LINE__);
else
removeDefaultPort(&range, def, is_tcp ? &ndpi_mod->tcpRoot : &ndpi_mod->udpRoot);
} else if(is_ip) {
@@ -4385,6 +4406,8 @@ int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_str
return 0;
}

/* ********************************************************************************* */

void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
ndpi_protocol *ret) {
@@ -4435,7 +4458,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct

if(ndpi_struct->ndpi_log_level >= NDPI_LOG_TRACE)
NDPI_LOG(flow ? flow->detected_protocol_stack[0]:NDPI_PROTOCOL_UNKNOWN,
ndpi_struct, NDPI_LOG_TRACE, "START packet processing\n");
ndpi_struct, NDPI_LOG_TRACE, "START packet processing\n");
if(flow == NULL)
return(ret);

0 comments on commit 0c4fada

Please sign in to comment.