Added fix to avoid potential heap buffer overflow in H.323 dissector
Modified HTTP report information to make it closer to the HTTP field names
lucaderi committed May 19, 2020
1 parent 3d9285f commit b7e666e
Showing 27 changed files with 1,051 additions and 1,054 deletions.
6 changes: 3 additions & 3 deletions example/ndpiReader.c
Expand Up @@ -1204,14 +1204,14 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa
if(risk != NDPI_NO_RISK)
NDPI_SET_BIT(flow->risk, risk);

fprintf(out, "[URL: %s[StatusCode: %u]",
fprintf(out, "[URL: %s][StatusCode: %u]",
flow->http.url, flow->http.response_status_code);

if(flow->http.content_type[0] != '\0')
fprintf(out, "[ContentType: %s]", flow->http.content_type);
fprintf(out, "[Content-Type: %s]", flow->http.content_type);

if(flow->http.user_agent[0] != '\0')
fprintf(out, "[UserAgent: %s]", flow->http.user_agent);
fprintf(out, "[User-Agent: %s]", flow->http.user_agent);
}

if(flow->risk) {
91 changes: 44 additions & 47 deletions src/lib/protocols/h323.c
@@ -1,7 +1,7 @@
/*
* h323.c
*
* Copyright (C) 2015-18 ntop.org
* Copyright (C) 2015-20 ntop.org
* Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr>
*
*/
Expand Down Expand Up @@ -36,37 +36,37 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n
if(packet->payload_packet_len >= 4
&& (packet->payload[0] == 0x03)
&& (packet->payload[1] == 0x00)) {
struct tpkt *t = (struct tpkt*)packet->payload;
u_int16_t len = ntohs(t->len);

if(packet->payload_packet_len == len) {
/*
We need to check if this packet is in reality
a RDP (Remote Desktop) packet encapsulated on TPTK
*/

if(packet->payload[4] == (packet->payload_packet_len - sizeof(struct tpkt) - 1)) {
/* ISO 8073/X.224 */
if((packet->payload[5] == 0xE0 /* CC Connect Request */)
|| (packet->payload[5] == 0xD0 /* CC Connect Confirm */)) {
NDPI_LOG_INFO(ndpi_struct, "found RDP\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RDP, NDPI_PROTOCOL_UNKNOWN);
return;
}
struct tpkt *t = (struct tpkt*)packet->payload;
u_int16_t len = ntohs(t->len);

if(packet->payload_packet_len == len) {
/*
We need to check if this packet is in reality
a RDP (Remote Desktop) packet encapsulated on TPTK
*/

if(packet->payload[4] == (packet->payload_packet_len - sizeof(struct tpkt) - 1)) {
/* ISO 8073/X.224 */
if((packet->payload[5] == 0xE0 /* CC Connect Request */)
|| (packet->payload[5] == 0xD0 /* CC Connect Confirm */)) {
NDPI_LOG_INFO(ndpi_struct, "found RDP\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RDP, NDPI_PROTOCOL_UNKNOWN);
return;
}
}

flow->l4.tcp.h323_valid_packets++;
flow->l4.tcp.h323_valid_packets++;

if(flow->l4.tcp.h323_valid_packets >= 2) {
NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN);
}
} else {
/* This is not H.323 */
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
if(flow->l4.tcp.h323_valid_packets >= 2) {
NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN);
}
} else {
/* This is not H.323 */
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
}
} else if(packet->udp != NULL) {
sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest);
NDPI_LOG_DBG2(ndpi_struct, "calculated dport over udp\n");
Expand All @@ -80,28 +80,25 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n
return;
}
/* H323 */
if(sport == 1719 || dport == 1719)
{
if(packet->payload[0] == 0x16 && packet->payload[1] == 0x80 && packet->payload[4] == 0x06 && packet->payload[5] == 0x00)
{
NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN);
return;
}
else if(packet->payload_packet_len >= 20 && packet->payload_packet_len <= 117)
{
NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN);
return;
}
else
{
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
if(sport == 1719 || dport == 1719) {
if((packet->payload_packet_len >= 5)
&& (packet->payload[0] == 0x16)
&& (packet->payload[1] == 0x80)
&& (packet->payload[4] == 0x06)
&& (packet->payload[5] == 0x00)) {
NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN);
return;
} else if(packet->payload_packet_len >= 20 && packet->payload_packet_len <= 117) {
NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN);
return;
} else {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
}
}

}

void init_h323_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
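Review bot: The length guard added in the UDP branch is off by one: `(packet->payload_packet_len >= 5)` admits a 5-byte payload, yet the same condition goes on to read `packet->payload[5]`, the sixth byte, so a 5-byte datagram on port 1719 still reads one byte past the end of the payload and the over-read this commit sets out to close is only narrowed; the guard should read `if((packet->payload_packet_len >= 6)`. The re-indented TCP branch has the same shape: the entry test is `payload_packet_len >= 4`, and `payload_packet_len == len` only ties the length to the TPKT header, after which `packet->payload[4]` and `packet->payload[5]` are read with no further bound, so a 4- or 5-byte TPKT appears to reach those reads as well; adding `packet->payload_packet_len >= 6 &&` in front of the `payload[4]` comparison would close it. Nothing on the page shows `sizeof(struct tpkt)`, so whether the `payload[4] == (payload_packet_len - sizeof(struct tpkt) - 1)` comparison can ever match a short packet is inferred, not verified. The enclosing function ndpi_search_h323 begins before the first hunk of this section.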
