nfqws: fix reasm seq handling

nfq/conntrack.c

@@ -142,13 +142,13 @@ static void ConntrackFeedPacket(t_ctrack *t, bool bReverse, const struct tcphdr
 		if (tcp_syn_segment(tcphdr))
 		{
 			if (t->state!=SYN) ConntrackReInitTrack(t); // erase current entry
-			t->seq0 = htonl(tcphdr->th_seq);
+			t->seq0 = ntohl(tcphdr->th_seq);
 		}
 		else if (tcp_synack_segment(tcphdr))
 		{
 			if (t->state!=SYN) ConntrackReInitTrack(t); // erase current entry
-			if (!t->seq0) t->seq0 = htonl(tcphdr->th_ack)-1;
+			if (!t->seq0) t->seq0 = ntohl(tcphdr->th_ack)-1;
-			t->ack0 = htonl(tcphdr->th_seq);
+			t->ack0 = ntohl(tcphdr->th_seq);
 		}
 		else if (tcphdr->th_flags & (TH_FIN|TH_RST))
 		{
@@ -159,25 +159,25 @@ static void ConntrackFeedPacket(t_ctrack *t, bool bReverse, const struct tcphdr
 			if (t->state==SYN) 
 			{
 				t->state=ESTABLISHED;
-				if (!bReverse && !t->ack0) t->ack0 = htonl(tcphdr->th_ack)-1;
+				if (!bReverse && !t->ack0) t->ack0 = ntohl(tcphdr->th_ack)-1;
 			}
 		}
 		scale = tcp_find_scale_factor(tcphdr);
 		if (bReverse)
 		{
-			t->pos_orig = t->seq_last = htonl(tcphdr->th_ack);
+			t->pos_orig = t->seq_last = ntohl(tcphdr->th_ack);
-			t->ack_last = htonl(tcphdr->th_seq);
+			t->ack_last = ntohl(tcphdr->th_seq);
 			t->pos_reply = t->ack_last + len_payload;
-			t->winsize_reply = htons(tcphdr->th_win);
+			t->winsize_reply = ntohs(tcphdr->th_win);
 			if (scale!=SCALE_NONE) t->scale_reply = scale;
 			
 		}
 		else
 		{
-			t->seq_last = htonl(tcphdr->th_seq);
+			t->seq_last = ntohl(tcphdr->th_seq);
 			t->pos_orig = t->seq_last + len_payload;
-			t->pos_reply = t->ack_last = htonl(tcphdr->th_ack);
+			t->pos_reply = t->ack_last = ntohl(tcphdr->th_ack);
-			t->winsize_orig = htons(tcphdr->th_win);
+			t->winsize_orig = ntohs(tcphdr->th_win);
 			if (scale!=SCALE_NONE) t->scale_orig = scale;
 		}
 	}
@@ -389,7 +389,7 @@ bool ReasmResize(t_reassemble *reasm, size_t new_size)
 }
 bool ReasmFeed(t_reassemble *reasm, uint32_t seq, const void *payload, size_t len)
 {
-	if (seq!=-1 && reasm->seq!=seq) return false; // fail session if out of sequence
+	if (reasm->seq!=seq) return false; // fail session if out of sequence
 	
 	size_t szcopy;
 	szcopy = reasm->size - reasm->size_present;
@@ -400,3 +400,7 @@ bool ReasmFeed(t_reassemble *reasm, uint32_t seq, const void *payload, size_t le
 
 	return true;
 }
+bool ReasmHasSpace(t_reassemble *reasm, size_t len)
+{
+	return (reasm->size_present+len)<=reasm->size;
+}

nfq/conntrack.h

@@ -110,5 +110,7 @@ bool ReasmResize(t_reassemble *reasm, size_t new_size);
 void ReasmClear(t_reassemble *reasm);
 // false means reassemble session has failed and we should ReasmClear() it
 bool ReasmFeed(t_reassemble *reasm, uint32_t seq, const void *payload, size_t len);
+// check if it has enough space to buffer 'len' bytes
+bool ReasmHasSpace(t_reassemble *reasm, size_t len);
 inline static bool ReasmIsEmpty(t_reassemble *reasm) {return !reasm->size;}
 inline static bool ReasmIsFull(t_reassemble *reasm) {return !ReasmIsEmpty(reasm) && (reasm->size==reasm->size_present);}

nfq/desync.c

@@ -269,15 +269,16 @@ static bool send_delayed(t_ctrack *ctrack)
 }
 
 
-static bool reasm_start(t_ctrack *ctrack, t_reassemble *reasm, size_t sz, size_t szMax, const uint8_t *data_payload, size_t len_payload)
+static bool reasm_start(t_ctrack *ctrack, t_reassemble *reasm, uint8_t proto, size_t sz, size_t szMax, const uint8_t *data_payload, size_t len_payload)
 {
 	ReasmClear(reasm);
 	if (sz<=szMax)
 	{
-		if (ReasmInit(reasm,sz,ctrack->seq_last))
+		uint32_t seq = (proto==IPPROTO_TCP) ? ctrack->seq_last : 0;
+		if (ReasmInit(reasm,sz,seq))
 		{
-			ReasmFeed(reasm,ctrack->seq_last,data_payload,len_payload);
+			ReasmFeed(reasm,seq,data_payload,len_payload);
-			DLOG(reasm->size_present==reasm->size ? "starting reassemble. now we have %zu\n" : "starting reassemble. now we have %zu/%zu\n",reasm->size_present,reasm->size);
+			DLOG("starting reassemble. now we have %zu/%zu\n",reasm->size_present,reasm->size);
 			return true;
 		}
 		else
@@ -287,17 +288,18 @@ static bool reasm_start(t_ctrack *ctrack, t_reassemble *reasm, size_t sz, size_t
 		DLOG("unexpected large payload for reassemble: size=%zu\n",sz);
 	return false;
 }
-static bool reasm_orig_start(t_ctrack *ctrack, size_t sz, size_t szMax, const uint8_t *data_payload, size_t len_payload)
+static bool reasm_orig_start(t_ctrack *ctrack, uint8_t proto, size_t sz, size_t szMax, const uint8_t *data_payload, size_t len_payload)
 {
-	return reasm_start(ctrack,&ctrack->reasm_orig,sz,szMax,data_payload,len_payload);
+	return reasm_start(ctrack,&ctrack->reasm_orig,proto,sz,szMax,data_payload,len_payload);
 }
 static bool reasm_feed(t_ctrack *ctrack, t_reassemble *reasm, uint8_t proto, const uint8_t *data_payload, size_t len_payload)
 {
 	if (ctrack && !ReasmIsEmpty(reasm))
 	{
-		if (ReasmFeed(reasm,proto==IPPROTO_TCP ? ctrack->seq_last : -1,data_payload,len_payload))
+		uint32_t seq = (proto==IPPROTO_TCP) ? ctrack->seq_last : (uint32_t)reasm->size_present;
+		if (ReasmFeed(reasm, seq, data_payload, len_payload))
 		{
-			DLOG(reasm->size_present==reasm->size ? "reassemble : feeding data payload size=%zu. now we have %zu\n" : "reassemble : feeding data payload size=%zu. now we have %zu/%zu\n", len_payload,reasm->size_present,reasm->size)
+			DLOG("reassemble : feeding data payload size=%zu. now we have %zu/%zu\n", len_payload,reasm->size_present,reasm->size)
 			return true;
 		}
 		else
@@ -313,27 +315,26 @@ static bool reasm_orig_feed(t_ctrack *ctrack, uint8_t proto, const uint8_t *data
 {
 	return reasm_feed(ctrack, &ctrack->reasm_orig, proto, data_payload, len_payload);
 }
-static void reasm_orig_fin(t_ctrack *ctrack)
+static void reasm_orig_stop(t_ctrack *ctrack, const char *dlog_msg)
-{
-	if (ctrack && ReasmIsFull(&ctrack->reasm_orig))
-	{
-		DLOG("reassemble session finished\n");
-		ReasmClear(&ctrack->reasm_orig);
-		send_delayed(ctrack);
-	}
-}
-static void reasm_orig_cancel(t_ctrack *ctrack)
 {
 	if (ctrack)
 	{
 		if (!ReasmIsEmpty(&ctrack->reasm_orig))
 		{
-			DLOG("reassemble session cancelled\n");
+			DLOG("%s",dlog_msg);
 			ReasmClear(&ctrack->reasm_orig);
 		}
 		send_delayed(ctrack);
 	}
 }
+static void reasm_orig_cancel(t_ctrack *ctrack)
+{
+	reasm_orig_stop(ctrack, "reassemble session cancelled\n");
+}
+static void reasm_orig_fin(t_ctrack *ctrack)
+{
+	reasm_orig_stop(ctrack, "reassemble session finished\n");
+}
 
 
 static uint8_t ct_new_postnat_fix(const t_ctrack *ctrack, struct ip *ip, struct ip6_hdr *ip6, uint8_t proto, struct udphdr *udp, struct tcphdr *tcp, size_t *len_pkt)
@@ -655,6 +656,10 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, uint32_t fwmark, const ch
 		{
 			DLOG("packet contains HTTP request\n")
 			if (ctrack && !ctrack->l7proto) ctrack->l7proto = HTTP;
+
+			// we do not reassemble http
+			reasm_orig_cancel(ctrack);
+
 			forced_wssize_cutoff(ctrack);
 			fake = params.fake_http;
 			fake_size = params.fake_http_size;
@@ -664,7 +669,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, uint32_t fwmark, const ch
 				if (!bHaveHost)
 				{
 					DLOG("not applying tampering to HTTP without Host:\n")
-					reasm_orig_fin(ctrack);
 					return verdict;
 				}
 			}
@@ -696,9 +700,8 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, uint32_t fwmark, const ch
 					!(ctrack->req_seq_finalized && seq_within(ctrack->seq_last, ctrack->req_seq_start, ctrack->req_seq_end)))
 				{
 					// do not reconstruct unexpected large payload (they are feeding garbage ?)
-					if (!reasm_orig_start(ctrack,TLSRecordLen(data_payload),16384,data_payload,len_payload))
+					if (!reasm_orig_start(ctrack,IPPROTO_TCP,TLSRecordLen(data_payload),16384,data_payload,len_payload))
 					{
-						fprintf(stderr, "reasm start failed ! out of memory.\n");
 						reasm_orig_cancel(ctrack);
 						return verdict;
 					}
@@ -746,7 +749,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, uint32_t fwmark, const ch
 			if (params.desync_skip_nosni && !bHaveHost)
 			{
 				DLOG("not applying tampering to TLS ClientHello without hostname in the SNI\n")
-				reasm_orig_fin(ctrack);
+				reasm_orig_cancel(ctrack);
 				return verdict;
 			}
 			
@@ -755,7 +758,7 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, uint32_t fwmark, const ch
 			bKnownProtocol = true;
 		}
 
-		reasm_orig_fin(ctrack);
+		reasm_orig_cancel(ctrack);
 		rdata_payload=NULL;
 
 		if (bHaveHost)
@@ -1065,6 +1068,21 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, uint32_t fwmark, const ch
 	return verdict;
 }
 
+// return : true - should continue, false - should stop with verdict
+static bool quic_reasm_cancel(t_ctrack *ctrack, const char *reason)
+{
+	reasm_orig_cancel(ctrack);
+	if (params.desync_any_proto)
+	{
+		DLOG("%s. applying tampering because desync_any_proto is set\n",reason)
+		return true;
+	}
+	else
+	{
+		DLOG("%s. not applying tampering because desync_any_proto is not set\n",reason)
+		return false;
+	}
+}
 
 static uint8_t dpi_desync_udp_packet_play(bool replay, uint32_t fwmark, const char *ifout, uint8_t *data_pkt, size_t *len_pkt, struct ip *ip, struct ip6_hdr *ip6hdr, struct udphdr *udphdr, size_t transport_len, uint8_t *data_payload, size_t len_payload)
 {
@@ -1127,7 +1145,7 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, uint32_t fwmark, const ch
 			
 			if (ctrack && !ctrack->l7proto) ctrack->l7proto = QUIC;
 
-			uint8_t clean[9000], *pclean;
+			uint8_t clean[16384], *pclean;
 			size_t clean_len;
 			bool bIsHello = false;
 			
@@ -1145,14 +1163,7 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, uint32_t fwmark, const ch
 			{
 				if (ctrack && !ReasmIsEmpty(&ctrack->reasm_orig))
 				{
-					size_t newlen = ctrack->reasm_orig.size_present  + clean_len;
+					if (ReasmHasSpace(&ctrack->reasm_orig, clean_len))
-					if (newlen>16384)
-					{
-						DLOG("QUIC reasm is too long. cancelling.\n");
-						reasm_orig_cancel(ctrack);
-						return verdict; // cannot be first packet
-					}
-					if (ReasmResize(&ctrack->reasm_orig, newlen))
 					{
 						reasm_orig_feed(ctrack,IPPROTO_UDP,clean,clean_len);
 						pclean = ctrack->reasm_orig.packet;
@@ -1160,7 +1171,7 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, uint32_t fwmark, const ch
 					}
 					else
 					{
-						fprintf(stderr, "reasm update failed ! out of memory.\n");
+						DLOG("QUIC reasm is too long. cancelling.\n");
 						reasm_orig_cancel(ctrack);
 						return verdict; // cannot be first packet
 					}
@@ -1179,9 +1190,9 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, uint32_t fwmark, const ch
 					{
 						if (bIsHello && !bReqFull && ReasmIsEmpty(&ctrack->reasm_orig))
 						{
-							if (!reasm_orig_start(ctrack,clean_len,clean_len,clean,clean_len))
+							// preallocate max buffer to avoid reallocs that cause memory copy
+							if (!reasm_orig_start(ctrack,IPPROTO_UDP,16384,16384,clean,clean_len))
 							{
-								fprintf(stderr, "reasm start failed ! out of memory.\n");
 								reasm_orig_cancel(ctrack);
 								return verdict;
 							}
@@ -1220,40 +1231,19 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, uint32_t fwmark, const ch
 					}
 					else
 					{
-						reasm_orig_cancel(ctrack);
+						if (!quic_reasm_cancel(ctrack,"QUIC initial without ClientHello")) return verdict;
-						if (params.desync_any_proto)
-							DLOG("QUIC initial without ClientHello. applying tampering because desync_any_proto is set\n")
-						else
-						{
-							DLOG("not applying tampering to QUIC initial without ClientHello\n")
-							return verdict;
-						}
 					}
 				}
 				else
 				{
 					// defrag failed
-					reasm_orig_cancel(ctrack);
+					if (!quic_reasm_cancel(ctrack,"QUIC initial defrag CRYPTO failed")) return verdict;
-					if (params.desync_any_proto)
-						DLOG("QUIC initial without CRYPTO frame. applying tampering because desync_any_proto is set\n")
-					else
-					{
-						DLOG("not applying tampering to QUIC initial without CRYPTO frame\n")
-						return verdict;
-					}
 				}
 			}
 			else
 			{
 				// decrypt failed
-				reasm_orig_cancel(ctrack);
+				if (!quic_reasm_cancel(ctrack,"QUIC initial decryption failed")) return verdict;
-				if (params.desync_any_proto)
-					DLOG("QUIC initial decryption failed. applying tampering because desync_any_proto is set\n")
-				else
-				{
-					DLOG("not applying tampering to QUIC initial that could not be decrypted\n")
-					return verdict;
-				}
 			}
 			
 			fake = params.fake_quic;
@@ -1301,8 +1291,11 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, uint32_t fwmark, const ch
 				DLOG("not applying tampering to this request\n")
 				if (!bExcluded && *params.hostlist_auto_filename && ctrack)
 				{
-					if (!ctrack->hostname) ctrack->hostname=strdup(host);
+					if (!ctrack->hostname)
-					process_retrans_fail(ctrack, IPPROTO_UDP);
+						// first request is not retrans
+						ctrack->hostname=strdup(host);
+					else
+						process_retrans_fail(ctrack, IPPROTO_UDP);
 				}
 				return verdict;
 			}

nfq/protocol.c

@@ -131,7 +131,7 @@ size_t TLSHandshakeLen(const uint8_t *data)
 }
 bool IsTLSHandshakeClientHello(const uint8_t *data, size_t len)
 {
-	return len>=4 && data[0]==0x01;
+	return len>=4 && data[0]==0x01 && TLSHandshakeLen(data)>0;
 }
 bool IsTLSHandshakeFull(const uint8_t *data, size_t len)
 {