Minor code cleanup

ntop · Apr 11, 2024 · fd2838e · fd2838e
1 parent 39a5d23
commit fd2838e
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 38 deletions.
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -8168,28 +8168,25 @@ static int ndpi_is_ntop_protocol(ndpi_protocol *ret) {
 /* ********************************************************************************* */
 
 static void ndpi_search_shellscript(struct ndpi_detection_module_struct *ndpi_struct,
-                                    struct ndpi_flow_struct *flow)
-{
+                                    struct ndpi_flow_struct *flow) {
   struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
 
   NDPI_LOG_DBG(ndpi_struct, "search Shellscript\n");
 
-  if (packet->payload_packet_len < 3)
-  {
-    return;
-  }
+  if (packet->payload_packet_len < 3)  
+    return;  
 
   if (packet->payload[0] != '#' ||
       packet->payload[1] != '!' ||
-      (packet->payload[2] != '/' && packet->payload[2] != ' '))
-  {
-    return;
-  }
+      (packet->payload[2] != '/' && packet->payload[2] != ' '))  
+    return;  
 
   NDPI_LOG_INFO(ndpi_struct, "found Shellscript\n");
   ndpi_set_risk(flow, NDPI_POSSIBLE_EXPLOIT, "Shellscript found");
 }
 
+/* ********************************************************************************* */
+
 /* ELF format specs: https://man7.org/linux/man-pages/man5/elf.5.html */
 static void ndpi_search_elf(struct ndpi_detection_module_struct *ndpi_struct,
                             struct ndpi_flow_struct *flow)
@@ -8201,50 +8198,39 @@ static void ndpi_search_elf(struct ndpi_detection_module_struct *ndpi_struct,
   NDPI_LOG_DBG(ndpi_struct, "search ELF file\n");
 
   if (packet->payload_packet_len < 24)
-  {
     return;
-  }
 
   if (ntohl(get_u_int32_t(packet->payload, 0)) != elf_signature)
-  {
     return;
-  }
 
   if (le32toh(get_u_int32_t(packet->payload, 20)) > max_version)
-  {
     return;
-  }
 
   NDPI_LOG_INFO(ndpi_struct, "found ELF file\n");
   ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, "ELF found");
 }
 
+/* ********************************************************************************* */
+
 /* PE32/PE32+ format specs: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format */
 static void ndpi_search_portable_executable(struct ndpi_detection_module_struct *ndpi_struct,
-                                            struct ndpi_flow_struct *flow)
-{
+                                            struct ndpi_flow_struct *flow) {
   struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
   static const uint16_t dos_signature = 0x4d5a; /* MZ */
   static const uint32_t pe_signature = 0x50450000; /* PE */
 
   NDPI_LOG_DBG(ndpi_struct, "search Portable Executable (PE) file\n");
 
   if (packet->payload_packet_len < 0x3C /* offset to PE header */ + 4)
-  {
     return;
-  }
 
   if (ntohs(get_u_int16_t(packet->payload, 0)) != dos_signature)
-  {
     return;
-  }
 
   uint32_t const pe_offset = le32toh(get_u_int32_t(packet->payload, 0x3C));
   if ((u_int32_t)(packet->payload_packet_len - 4) <= pe_offset ||
       be32toh(get_u_int32_t(packet->payload, pe_offset)) != pe_signature)
-  {
     return;
-  }
 
   NDPI_LOG_INFO(ndpi_struct, "found Portable Executable (PE) file\n");
   ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, "Portable Executable (PE32/PE32+) found");
@@ -8648,9 +8634,9 @@ static ndpi_protocol ndpi_internal_detection_process_packet(struct ndpi_detectio
    flow->first_pkt_fully_encrypted = fully_enc_heuristic(ndpi_str, flow);
   }
 
-  if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN &&
-     flow->packet_counter <= 5)
-  {
+  if((ret.app_protocol == NDPI_PROTOCOL_UNKNOWN)
+     && (packet->payload_packet_len > 0)
+     && (flow->packet_counter <= 5)) {
     ndpi_search_portable_executable(ndpi_str, flow);
     ndpi_search_elf(ndpi_str, flow);
     ndpi_search_shellscript(ndpi_str, flow);
@@ -8979,8 +8965,6 @@ static void parse_single_packet_line(struct ndpi_detection_module_struct *ndpi_s
   }
 }
 
-
-
 /* ********************************************************************************* */
 
 /* internal function for every detection to parse one packet and to increase the info buffer */

diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
@@ -68,7 +68,7 @@ static char* forge_attempt_msg(struct ndpi_flow_struct *flow, char *msg, char *b
 static void ndpi_set_binary_data_transfer(struct ndpi_flow_struct *flow,
 					  char *msg) {
   char buf[256];
-  
+
   ndpi_set_risk(flow, NDPI_BINARY_DATA_TRANSFER,
 		forge_attempt_msg(flow, msg, buf, sizeof(buf)));
 }
@@ -90,7 +90,7 @@ static void ndpi_set_binary_application_transfer(struct ndpi_detection_module_st
     ;
   else {
     char buf[256];
-    
+
     ndpi_set_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER, forge_attempt_msg(flow, msg, buf, sizeof(buf)));
   }
  }
@@ -102,11 +102,18 @@ static void ndpi_analyze_content_signature(struct ndpi_detection_module_struct *
   u_int8_t set_risk = 0;
   const char *msg = NULL;
 
+  /*
+    NOTE: see also (ndpi_main.c)
+    - ndpi_search_elf
+    - ndpi_search_portable_executable
+    - ndpi_search_shellscript
+  */
+
   if((flow->initial_binary_bytes_len >= 2) && (flow->initial_binary_bytes[0] == 0x4D) && (flow->initial_binary_bytes[1] == 0x5A))
-    set_risk = 1, msg = "Found Windows Exe"; /* Win executable */
+    set_risk = 1, msg = "Found DOS/Windows Exe"; /* Win executable */
   else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0x7F) && (flow->initial_binary_bytes[1] == 'E')
 	  && (flow->initial_binary_bytes[2] == 'L') && (flow->initial_binary_bytes[3] == 'F'))
-    set_risk = 1, msg = "Found Linux Exe"; /* Linux executable */
+    set_risk = 1, msg = "Found Linux Exe"; /* Linux ELF executable */
   else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0xCF) && (flow->initial_binary_bytes[1] == 0xFA)
 	  && (flow->initial_binary_bytes[2] == 0xED) && (flow->initial_binary_bytes[3] == 0xFE))
     set_risk = 1, msg = "Found Linux Exe"; /* Linux executable */
@@ -265,7 +272,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 	if(app_len_avail > 3) {
 	  const char** cmp_mimes = NULL;
 	  bool found = false;
-	  
+
 	  switch(app[0]) {
 	  case 'b': cmp_mimes = download_file_mimes_b; break;
 	  case 'o': cmp_mimes = download_file_mimes_o; break;
@@ -277,7 +284,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 
 	    for(i = 0; cmp_mimes[i] != NULL; i++) {
 	      if(strncasecmp(app, cmp_mimes[i], app_len_avail) == 0) {
-		char str[64];	       		
+		char str[64];
 
 		flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
 		NDPI_LOG_INFO(ndpi_struct, "found HTTP file transfer");
@@ -364,7 +371,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 
 	  if((attachment_len+ATTACHMENT_LEN) <= packet->content_disposition_line.len) {
 	    char str[64];
-	    
+
 	    for(i = 0; binary_exec_file_ext[i] != NULL; i++) {
 	      /* Use memcmp in case content-disposition contains binary data */
 	      if(memcmp(&packet->content_disposition_line.ptr[attachment_len],
@@ -585,12 +592,12 @@ static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndp
     ookla_add_to_cache(ndpi_struct, flow);
   }
 
-  if ((flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) && 
+  if ((flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) &&
       flow->http.user_agent && strstr(flow->http.user_agent, "MSRPC")) {
     ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MS_RPCH, master_protocol, NDPI_CONFIDENCE_DPI);
   }
 
-  if ((flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) && 
+  if ((flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) &&
       flow->http.user_agent && strstr(flow->http.user_agent, "Valve/Steam HTTP Client")) {
     ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STEAM, master_protocol, NDPI_CONFIDENCE_DPI);
   }