

2 Commits

[anp/hsw]
9574539292 cppcheck: fix possible null pointer dereference
[nfq/desync.c:1242] -> [nfq/desync.c:1243]: (warning) Either the condition 'if(ip6hdr)' is redundant or there is possible null pointer dereference: ip6hdr.
[nfq/protocol.c:280] -> [nfq/protocol.c:284]: (warning) Either the condition 'if(ext&&len_host)' is redundant or there is possible null pointer dereference: ext.
[tpws/protocol.c:270] -> [tpws/protocol.c:274]: (warning) Either the condition 'if(ext&&len_host)' is redundant or there is possible null pointer dereference: ext.
2024-08-03 20:51:53 +07:00
[anp/hsw]
6fca1223b3 valgrind: fix passing unitialized bytes to sendto()
==3801== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==3801==    at 0x49622E2: sendto (in /tmp/debug/lib/libc-2.22.so)
==3801==    by 0x11093D: rawsend (darkmagic.c:1778)
==3801==    by 0x114F47: dpi_desync_tcp_packet_play (desync.c:1021)
==3801==    by 0x117879: dpi_desync_packet_play (desync.c:1645)
==3801==    by 0x117A35: replay_queue (desync.c:1676)
==3801==    by 0x113F44: dpi_desync_tcp_packet_play (desync.c:781)
==3801==    by 0x117879: dpi_desync_packet_play (desync.c:1645)
==3801==    by 0x11797B: dpi_desync_packet (desync.c:1662)
==3801==    by 0x11A045: processPacketData (nfqws.c:106)
==3801==    by 0x11A1C3: nfq_cb (nfqws.c:140)
==3801==    by 0x4846B20: ??? (in /usr/lib/libnetfilter_queue.so.1.3.0)
==3801==    by 0x4851ABD: nfnl_handle_packet (in /usr/lib/libnfnetlink.so.0.2.0)
==3801==  Address 0xbecb2f81 is on thread 1's stack
==3801==  in frame #2, created by dpi_desync_tcp_packet_play (desync.c:478)
==3801==  Uninitialised value was created by a stack allocation
==3801==    at 0x112C35: dpi_desync_tcp_packet_play (desync.c:478)
2024-08-03 20:24:30 +07:00
3 changed files with 17 additions and 19 deletions


@ -483,7 +483,9 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
struct sockaddr_storage src, dst;
uint8_t pkt1[DPI_DESYNC_MAX_FAKE_LEN+100], pkt2[DPI_DESYNC_MAX_FAKE_LEN+100];
size_t pkt1_len, pkt2_len;
size_t pkt1_len = sizeof(pkt1), pkt2_len;
memset (pkt1, 0, pkt1_len);
uint8_t ttl_orig,ttl_fake = 0, flags_orig = 0,scale_factor = 0;
uint32_t *timestamps = NULL;
@ -617,7 +619,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
switch (params.desync_mode0)
{
case DESYNC_SYNACK:
pkt1_len = sizeof(pkt1);
if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, TH_SYN|TH_ACK, tcphdr->th_seq, tcphdr->th_ack, tcphdr->th_win, scale_factor, timestamps,
ttl_fake,params.desync_fooling_mode,params.desync_badseq_increment,params.desync_badseq_ack_increment,
NULL, 0, pkt1, &pkt1_len))
@ -640,7 +641,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
DLOG("received SYN with data payload. syndata desync is not applied.\n");
break;
}
pkt1_len = sizeof(pkt1);
if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, flags_orig, tcphdr->th_seq, tcphdr->th_ack, tcphdr->th_win, scale_factor, timestamps,
ttl_orig,0,0,0, params.fake_syndata,params.fake_syndata_size, pkt1,&pkt1_len))
{
@ -897,7 +897,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
uint32_t fooling_orig = FOOL_NONE;
bool b;
pkt1_len = sizeof(pkt1);
b = false;
switch(desync_mode)
{
@ -976,7 +975,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
desync_mode = params.desync_mode2;
}
pkt1_len = sizeof(pkt1);
switch(desync_mode)
{
case DESYNC_DISORDER:
@ -1036,7 +1034,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
return verdict;
}
pkt1_len = sizeof(pkt1);
if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, flags_orig, tcphdr->th_seq, tcphdr->th_ack, tcphdr->th_win, scale_factor, timestamps,
ttl_orig,fooling_orig,params.desync_badseq_increment,params.desync_badseq_ack_increment,
data_payload, split_pos, pkt1, &pkt1_len))
@ -1113,7 +1110,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
}
if (split_pos<len_payload)
{
pkt1_len = sizeof(pkt1);
if (!prepare_tcp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, flags_orig, net32_add(tcphdr->th_seq,split_pos), tcphdr->th_ack, tcphdr->th_win, scale_factor, timestamps,
ttl_orig,fooling_orig,params.desync_badseq_increment,params.desync_badseq_ack_increment,
data_payload+split_pos, len_payload-split_pos, pkt1, &pkt1_len))
@ -1138,7 +1134,6 @@ static uint8_t dpi_desync_tcp_packet_play(bool replay, size_t reasm_offset, uint
size_t ipfrag_pos = (params.desync_ipfrag_pos_tcp && params.desync_ipfrag_pos_tcp<transport_len) ? params.desync_ipfrag_pos_tcp : 24;
uint32_t ident = ip ? ip->ip_id ? ip->ip_id : htons(1+random()%0xFFFF) : htonl(1+random()%0xFFFFFFFF);
pkt1_len = sizeof(pkt1);
pkt2_len = sizeof(pkt2);
if (ip6hdr && (fooling_orig==FOOL_HOPBYHOP || fooling_orig==FOOL_DESTOPT))
@ -1205,8 +1200,10 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
bool bReverse=false;
struct sockaddr_storage src, dst;
uint8_t pkt1[DPI_DESYNC_MAX_FAKE_LEN+100], pkt2[DPI_DESYNC_MAX_FAKE_LEN+100];
size_t pkt1_len, pkt2_len;
uint8_t pkt1[DPI_DESYNC_MAX_FAKE_LEN+100], pkt2[DPI_DESYNC_MAX_FAKE_LEN+100];
size_t pkt1_len = sizeof(pkt1), pkt2_len;
memset (pkt1, 0, pkt1_len);
uint8_t ttl_orig,ttl_fake;
if (replay)
@ -1239,9 +1236,14 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
if (!replay && !process_desync_interval(ctrack)) return verdict;
uint32_t desync_fwmark = fwmark | params.desync_fwmark;
ttl_orig = ip ? ip->ip_ttl : ip6hdr->ip6_ctlun.ip6_un1.ip6_un1_hlim;
if (ip6hdr) ttl_fake = params.desync_ttl6 ? params.desync_ttl6 : ttl_orig;
else ttl_fake = params.desync_ttl ? params.desync_ttl : ttl_orig;
if (ip6hdr) {
ttl_orig = ip ? ip->ip_ttl : ip6hdr->ip6_ctlun.ip6_un1.ip6_un1_hlim;
ttl_fake = params.desync_ttl6 ? params.desync_ttl6 : ttl_orig;
} else {
ttl_orig = ip ? ip->ip_ttl : 0;
ttl_fake = params.desync_ttl ? params.desync_ttl : ttl_orig;
}
extract_endpoints(ip, ip6hdr, NULL, udphdr, &src, &dst);
if (len_payload)
@ -1433,7 +1435,6 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
printf("\n");
}
pkt1_len = sizeof(pkt1);
b = false;
switch(desync_mode)
{
@ -1493,7 +1494,6 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
switch(desync_mode)
{
case DESYNC_UDPLEN:
pkt1_len = sizeof(pkt1);
if (!prepare_udp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, ttl_orig,fooling_orig, params.udplen_pattern, sizeof(params.udplen_pattern), params.udplen_increment, data_payload, len_payload, pkt1, &pkt1_len))
{
DLOG("could not construct packet with modified length. too large ?\n");
@ -1518,7 +1518,6 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
}
memcpy(pkt2+pkt2_len,data_payload+1,szcopy);
pkt2_len+=szcopy;
pkt1_len = sizeof(pkt1);
if (!prepare_udp_segment((struct sockaddr *)&src, (struct sockaddr *)&dst, ttl_orig,fooling_orig, NULL, 0 , 0, pkt2, pkt2_len, pkt1, &pkt1_len))
{
DLOG("could not construct packet with modified length. too large ?\n");
@ -1545,7 +1544,6 @@ static uint8_t dpi_desync_udp_packet_play(bool replay, size_t reasm_offset, uint
// freebsd do not set ip.id
uint32_t ident = ip ? ip->ip_id ? ip->ip_id : htons(1+random()%0xFFFF) : htonl(1+random()%0xFFFFFFFF);
pkt1_len = sizeof(pkt1);
pkt2_len = sizeof(pkt2);
if (ip6hdr && (fooling_orig==FOOL_HOPBYHOP || fooling_orig==FOOL_DESTOPT))
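Review bot: Dropping the per-call `pkt1_len = sizeof(pkt1);` resets (hunks at 617, 640, 897, 976, 1036, 1113 and 1138 in the TCP function, 1433, 1493, 1518 and 1545 in the UDP one) means the buffer size handed to prepare_tcp_segment/prepare_udp_segment is only sizeof(pkt1) for the first build in an invocation; `&pkt1_len` is passed as an in/out argument, so after one successful build it presumably holds that packet's length and every later build in the same call sees a shrunken buffer and is more likely to fail with the "too large" path. The single memset added at 483 and 1205 zeroes only pkt1, leaves pkt2 untouched, and hides rather than fixes whichever builder leaves bytes unwritten (the valgrind trace points at the sendto in rawsend reached from desync.c:1021, which is outside this diff). Keep the reset before each prepare_*_segment call, `pkt1_len = sizeof(pkt1);`, and give pkt2 the same treatment where it is used as an output buffer. In the ttl hunk at 1239, `ttl_orig = ip ? ip->ip_ttl : 0;` emits a zero TTL when neither header is present; if that state is unreachable a comment saying so would help, otherwise returning the verdict early is safer. Both functions begin and end outside the visible hunks.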


@ -277,7 +277,7 @@ static bool TLSExtractHostFromExt(const uint8_t *ext, size_t elen, char *host, s
// u16 data+0 - name list length
// u8 data+2 - server name type. 0=host_name
// u16 data+3 - server name length
if (elen < 5 || ext[2] != 0) return false;
if (elen < 5 || (ext && ext[2] != 0)) return false;
size_t slen = pntoh16(ext + 3);
ext += 5; elen -= 5;
if (slen < elen) return false;
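Review bot: The new guard `if (elen < 5 || (ext && ext[2] != 0)) return false;` does not remove the NULL dereference cppcheck flagged, it makes it worse: a NULL ext now skips the server-name-type check and reaches `pntoh16(ext + 3)` on the very next line, a guaranteed crash while parsing ClientHello data that arrives from the network. Reject NULL explicitly instead: `if (!ext || elen < 5 || ext[2] != 0) return false;`. The identical change in the tpws/protocol.c section (hunk at line 267) needs the same correction. The unchanged `if (slen < elen) return false;` also looks inverted for a length guard, since an slen larger than the remaining elen is what would over-read the buffer; the rest of TLSExtractHostFromExt is outside the hunk, so confirm this against the copy that follows.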


@ -267,7 +267,7 @@ static bool TLSExtractHostFromExt(const uint8_t *ext, size_t elen, char *host, s
// u16 data+0 - name list length
// u8 data+2 - server name type. 0=host_name
// u16 data+3 - server name length
if (elen < 5 || ext[2] != 0) return false;
if (elen < 5 || (ext && ext[2] != 0)) return false;
size_t slen = pntoh16(ext + 3);
ext += 5; elen -= 5;
if (slen < elen) return false;