nfqws: allow to decrease udp length

nfq/darkmagic.c

@@ -294,15 +294,23 @@ bool prepare_tcp_segment(
 }
 
 
+// padlen<0 means payload shrinking
 bool prepare_udp_segment4(
 	const struct sockaddr_in *src, const struct sockaddr_in *dst,
 	uint8_t ttl,
 	uint8_t fooling,
-	uint16_t padlen,
+	int padlen,
 	const void *data, uint16_t len,
 	uint8_t *buf, size_t *buflen)
 {
-	uint16_t datalen = len + padlen;
+	if ((len+padlen)<=0) padlen=-(int)len+1; // do not allow payload to be less that 1 byte
+	if ((len+padlen)>0xFFFF) padlen=0xFFFF-len; // do not allow payload size to exceed u16 range
+	if (padlen<0)
+	{
+		len+=padlen;
+		padlen=0;
+	}
+	uint16_t datalen = (uint16_t)(len + padlen);
 	uint16_t ip_payload_len = sizeof(struct udphdr) + datalen;
 	uint16_t pktlen = sizeof(struct ip) + ip_payload_len;
 	if (pktlen>*buflen) return false;
@@ -327,11 +335,18 @@ bool prepare_udp_segment6(
 	const struct sockaddr_in6 *src, const struct sockaddr_in6 *dst,
 	uint8_t ttl,
 	uint8_t fooling,
-	uint16_t padlen,
+	int padlen,
 	const void *data, uint16_t len,
 	uint8_t *buf, size_t *buflen)
 {
-	uint16_t datalen = len + padlen;
+	if ((len+padlen)<=0) padlen=-(int)len+1; // do not allow payload to be less that 1 byte
+	if ((len+padlen)>0xFFFF) padlen=0xFFFF-len; // do not allow payload size to exceed u16 range
+	if (padlen<0)
+	{
+		len+=padlen;
+		padlen=0;
+	}
+	uint16_t datalen = (uint16_t)(len + padlen);
 	uint16_t transport_payload_len = sizeof(struct udphdr) + datalen;
 	uint16_t ip_payload_len = transport_payload_len +
 		8*!!((fooling & (FOOL_HOPBYHOP|FOOL_HOPBYHOP2))==FOOL_HOPBYHOP) +
@@ -404,7 +419,7 @@ bool prepare_udp_segment(
 	const struct sockaddr *src, const struct sockaddr *dst,
 	uint8_t ttl,
 	uint8_t fooling,
-	uint16_t padlen,
+	int padlen,
 	const void *data, uint16_t len,
 	uint8_t *buf, size_t *buflen)
 {

nfq/darkmagic.h

@@ -73,21 +73,21 @@ bool prepare_udp_segment4(
 	const struct sockaddr_in *src, const struct sockaddr_in *dst,
 	uint8_t ttl,
 	uint8_t fooling,
-	uint16_t padlen,
+	int padlen,
 	const void *data, uint16_t len,
 	uint8_t *buf, size_t *buflen);
 bool prepare_udp_segment6(
 	const struct sockaddr_in6 *src, const struct sockaddr_in6 *dst,
 	uint8_t ttl,
 	uint8_t fooling,
-	uint16_t padlen,
+	int padlen,
 	const void *data, uint16_t len,
 	uint8_t *buf, size_t *buflen);
 bool prepare_udp_segment(
 	const struct sockaddr *src, const struct sockaddr *dst,
 	uint8_t ttl,
 	uint8_t fooling,
-	uint16_t padlen,
+	int padlen,
 	const void *data, uint16_t len,
 	uint8_t *buf, size_t *buflen);
 

nfq/desync.c

@@ -831,8 +831,11 @@ packet_process_result dpi_desync_udp_packet(uint32_t fwmark, const char *ifout,
 			case DESYNC_UDPLEN:
 				pkt1_len = sizeof(pkt1);
 				if (!prepare_udp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, ttl_orig,fooling_orig, params.udplen_increment, data_payload, len_payload, pkt1, &pkt1_len))
+				{
+					DLOG("could not construct packet with modified length. too large ?\n");
 					return res;
-				DLOG("resending original packet with increased by %u length\n", params.udplen_increment);
+				}
+				DLOG("resending original packet with increased by %d length\n", params.udplen_increment);
 				if (!rawsend((struct sockaddr *)&dst, desync_fwmark, ifout , pkt1, pkt1_len))
 					return res;
 				return drop;

nfq/nfqws.c

@@ -545,7 +545,7 @@ static void exithelp()
 		" --dpi-desync-fake-unknown=<filename>\t; file containing unknown protocol fake payload\n"
 		" --dpi-desync-fake-quic=<filename>\t; file containing fake QUIC Initial\n"
 		" --dpi-desync-fake-unknown-udp=<filename> ; file containing unknown udp protocol fake payload\n"
-		" --dpi-desync-udplen-increment=<int>\t; increase udp packet length by N bytes (default %u)\n"
+		" --dpi-desync-udplen-increment=<int>\t; increase or decrease udp packet length by N bytes (default %u). negative values decrease length.\n"
 		" --dpi-desync-cutoff=[n|d|s]N\t\t; apply dpi desync only to packet numbers (n, default), data packet numbers (d), relative sequence (s) less than N\n"
 		" --hostlist=<filename>\t\t\t; apply dpi desync only to the listed hosts (one host per line, subdomains auto apply, gzip supported, multiple hostlists allowed)\n"
 		" --hostlist-exclude=<filename>\t\t; do not apply dpi desync to the listed hosts (one host per line, subdomains auto apply, gzip supported, multiple hostlists allowed)\n",
@@ -1004,7 +1004,11 @@ int main(int argc, char **argv)
 			load_file_or_exit(optarg,params.fake_unknown_udp,&params.fake_unknown_udp_size);
 			break;
 		case 33: /* dpi-desync-udplen-increment */
-			params.udplen_increment = (uint16_t)atoi(optarg);
+			if (sscanf(optarg,"%d",&params.udplen_increment)<1 || params.udplen_increment>0x7FFF || params.udplen_increment<-0x8000)
+			{
+				fprintf(stderr, "dpi-desync-udplen-increment must be integer within -32768..32767 range\n");
+				exit_clean(1);
+			}
 			break;
 		case 34: /* desync-cutoff */
 			if (!parse_cutoff(optarg, &params.desync_cutoff, &params.desync_cutoff_mode))

nfq/params.h

@@ -52,7 +52,7 @@ struct params_s
 	uint32_t desync_badseq_increment, desync_badseq_ack_increment;
 	uint8_t fake_http[1432],fake_tls[1432],fake_unknown[1432],fake_unknown_udp[1472],fake_quic[1472];
 	size_t fake_http_size,fake_tls_size,fake_unknown_size,fake_unknown_udp_size,fake_quic_size;
-	uint16_t udplen_increment;
+	int udplen_increment;
 	bool droproot;
 	uid_t uid;
 	gid_t gid;

nfq/strpool.c

@@ -99,7 +99,7 @@ static void strlist_entry_destroy(struct str_list *entry)
 void strlist_destroy(struct str_list_head *head)
 {
 	struct str_list *entry;
-	while (entry = LIST_FIRST(head))
+	while ((entry = LIST_FIRST(head)))
 	{
 		LIST_REMOVE(entry, next);
 		strlist_entry_destroy(entry);