STUN: parsing of DATA attribute (#2179)

Author: IvanNardi

fuzz/corpus/fuzz_is_stun_tcp/data_1

@@ -4,6 +4,7 @@
 
 static struct ndpi_detection_module_struct *ndpi_struct = NULL;
 static struct ndpi_flow_struct ndpi_flow;
+struct ndpi_iphdr iph;
 #ifdef STUN_TCP
 struct ndpi_tcphdr tcph;
 #else
@@ -31,6 +32,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 #else
   packet->tcp = &tcph;
 #endif
+  packet->iph = &iph; /* IPv4 only */
 
   is_stun(ndpi_struct, &ndpi_flow, &app_proto);
   return 0;

fuzz/corpus/fuzz_is_stun_tcp/data_2

@@ -38,6 +38,8 @@ static u_int32_t get_stun_lru_key_raw4(u_int32_t ip, u_int16_t port);
 static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
 					 struct ndpi_flow_struct *flow,
 					 u_int app_proto);
+static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct,
+                             struct ndpi_flow_struct *flow);
 
 
 static u_int16_t search_into_cache(struct ndpi_detection_module_struct *ndpi_struct,
@@ -133,6 +135,8 @@ int is_stun(struct ndpi_detection_module_struct *ndpi_struct,
   int off;
   const u_int8_t *payload = packet->payload;
   u_int16_t payload_length = packet->payload_packet_len;
+  const u_int8_t *orig_payload;
+  u_int16_t orig_payload_length;
   u_int32_t magic_cookie;
 
   if(payload_length < STUN_HDR_LEN) {
@@ -306,6 +310,22 @@ int is_stun(struct ndpi_detection_module_struct *ndpi_struct,
       *app_proto = NDPI_PROTOCOL_HANGOUT_DUO;
       return 1;
 
+    case 0x0013:
+      NDPI_LOG_DBG(ndpi_struct, "DATA attribute\n");
+
+      orig_payload = packet->payload;
+      orig_payload_length = packet->payload_packet_len;
+      packet->payload = payload + off + 4;
+      packet->payload_packet_len = payload_length - off - 4;
+
+      stun_search_again(ndpi_struct, flow);
+      NDPI_LOG_DBG(ndpi_struct, "End recursion\n");
+
+      packet->payload = orig_payload;
+      packet->payload_packet_len = orig_payload_length;
+
+      break;
+
     default:
       NDPI_LOG_DBG2(ndpi_struct, "Unknown attribute %04X\n", attribute);
       break;
@@ -326,7 +346,7 @@ static int keep_extra_dissection(struct ndpi_detection_module_struct *ndpi_struc
   /* We have a sub-classification */
 
   if((ndpi_struct->monitoring_stun_flags & NDPI_MONITORING_STUN_SUBCLASSIFIED) &&
-     flow->detected_protocol_stack[1] != NDPI_PROTOCOL_RTP)
+     flow->detected_protocol_stack[0] != NDPI_PROTOCOL_RTP)
     return 1;
 
   /* Looking for XOR-PEER-ADDRESS metadata; TODO: other protocols? */

fuzz/corpus/fuzz_is_stun_tcp/data_3

@@ -6,7 +6,7 @@ Num dissector calls: 12 (6.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
-LRU cache stun:       6/20/0 (insert/search/found)
+LRU cache stun:       6/24/0 (insert/search/found)
 LRU cache tls_cert:   0/0/0 (insert/search/found)
 LRU cache mining:     0/0/0 (insert/search/found)
 LRU cache msteams:    0/0/0 (insert/search/found)

fuzz/corpus/fuzz_is_stun_udp/data_1

@@ -1,19 +1,19 @@
-Guessed flow protos:	1
+Guessed flow protos:	0
 
-DPI Packets (UDP):	39	(19.50 pkts/flow)
+DPI Packets (UDP):	36	(18.00 pkts/flow)
 Confidence DPI              : 2 (flows)
 Num dissector calls: 12 (6.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
-LRU cache stun:       35/78/0 (insert/search/found)
-LRU cache tls_cert:   0/0/0 (insert/search/found)
+LRU cache stun:       32/88/0 (insert/search/found)
+LRU cache tls_cert:   0/5/0 (insert/search/found)
 LRU cache mining:     0/0/0 (insert/search/found)
 LRU cache msteams:    0/0/0 (insert/search/found)
 LRU cache stun_zoom:  0/0/0 (insert/search/found)
 Automa host:          0/0 (search/found)
 Automa domain:        0/0 (search/found)
-Automa tls cert:      0/0 (search/found)
+Automa tls cert:      1/0 (search/found)
 Automa risk mask:     0/0 (search/found)
 Automa common alpns:  0/0 (search/found)
 Patricia risk mask:   4/0 (search/found)
@@ -23,7 +23,12 @@ Patricia risk IPv6:   0/0 (search/found)
 Patricia protocols:   4/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
 
-STUN	43	10358	2
+RTP	43	10358	2
 
-	1	UDP 10.1.0.3:5853 -> 10.10.0.1:2808 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 18][cat: Network/14][18 pkts/5384 bytes -> 0 pkts/0 bytes][Goodput ratio: 86/0][7.17 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 386/0 4001/0 979/0][Pkt Len c2s/s2c min/avg/max/stddev: 102/0 299/0 750/0 221/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (Coturn)][Plen Bins: 0,5,5,5,34,22,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	2	UDP 10.10.0.1:65226 -> 10.1.0.3:57730 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 21][cat: Network/14][25 pkts/4974 bytes -> 0 pkts/0 bytes][Goodput ratio: 79/0][7.16 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 324/0 4001/0 904/0][Pkt Len c2s/s2c min/avg/max/stddev: 78/0 199/0 478/0 92/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][PLAIN TEXT (username1)][Plen Bins: 0,8,16,16,32,0,4,8,0,12,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 10.10.0.1                	 1      
+
+
+	1	UDP 10.1.0.3:5853 -> 10.10.0.1:2808 [proto: 30.87/DTLS.RTP][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 15][cat: Network/14][18 pkts/5384 bytes -> 0 pkts/0 bytes][Goodput ratio: 86/0][7.17 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 386/0 4001/0 979/0][Pkt Len c2s/s2c min/avg/max/stddev: 102/0 299/0 750/0 221/0][Risk: ** Known Proto on Non Std Port **** Self-signed Cert **][Risk Score: 150][Risk Info: CN=8][DTLSv1.0][JA3S: 1cfcbe58451407e23669f1dd08565519][Issuer: CN=8][Subject: CN=8][Certificate SHA-1: 94:8C:6F:C3:00:6A:A1:63:F1:52:7E:7F:1F:A7:93:90:46:3B:B1:2D][Validity: 2015-12-10 05:41:43 - 2016-01-10 05:41:43][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA][PLAIN TEXT (Coturn)][Plen Bins: 0,5,5,5,34,22,0,0,0,5,0,0,0,0,0,5,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	UDP 10.10.0.1:65226 -> 10.1.0.3:57730 [proto: 30.87/DTLS.RTP][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 21][cat: Network/14][25 pkts/4974 bytes -> 0 pkts/0 bytes][Goodput ratio: 79/0][7.16 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 324/0 4001/0 904/0][Pkt Len c2s/s2c min/avg/max/stddev: 78/0 199/0 478/0 92/0][Risk: ** Known Proto on Non Std Port **** TLS (probably) Not Carrying HTTPS **** Missing SNI TLS Extn **][Risk Score: 110][Risk Info: No ALPN][DTLSv1.0][JA3C: fd8faf73d274d5614a51dae82304be0a][PLAIN TEXT (username1)][Plen Bins: 0,8,16,16,32,0,4,8,0,12,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]