diff --git a/blockcheck.sh b/blockcheck.sh index ed0ed243..e7025e3e 100755 --- a/blockcheck.sh +++ b/blockcheck.sh @@ -668,7 +668,7 @@ curl_with_dig() # $2 - domain name # $3 - port # $4+ - curl params - local dom=$2 port=$3 + local dom="$2" port=$3 local sdom suri ip split_by_separator "$dom" / sdom suri @@ -687,12 +687,12 @@ curl_probe() # $3 - port # $4 - subst ip # $5+ - curl params - local ipv=$1 dom=$2 port=$3 subst=$4 + local ipv=$1 dom="$2" port=$3 subst=$4 shift; shift; shift; shift if [ -n "$subst" ]; then - curl_with_subst_ip $dom $port $subst "$@" + curl_with_subst_ip "$dom" $port $subst "$@" else - curl_with_dig $ipv $dom $port "$@" + curl_with_dig $ipv "$dom" $port "$@" fi } curl_test_http() @@ -702,8 +702,8 @@ curl_test_http() # $3 - subst ip # $4 - "detail" - detail info - local code loc hdrt="${HDRTEMP}_${!:-$$}.txt" - curl_probe $1 $2 $HTTP_PORT "$3" -SsD "$hdrt" -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT "http://$2" -o /dev/null 2>&1 || { + local code loc hdrt="${HDRTEMP}_${!:-$$}.txt" dom="$(tolower "$2")" + curl_probe $1 "$2" $HTTP_PORT "$3" -SsD "$hdrt" -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT "http://$2" -o /dev/null 2>&1 || { code=$? rm -f "$hdrt" return $code @@ -715,8 +715,9 @@ curl_test_http() code=$(hdrfile_http_code "$hdrt") [ "$code" = 301 -o "$code" = 302 -o "$code" = 307 -o "$code" = 308 ] && { loc=$(hdrfile_location "$hdrt") - echo "$loc" | grep -qE "^https?://.*$2(/|$)" || - echo "$loc" | grep -vqE '^https?://' || { + split_by_separator "$dom" / dom + tolower "$loc" | grep -qE "^https?://.*$dom(/|$)" || + tolower "$loc" | grep -vqE '^https?://' || { echo suspicious redirection $code to : $loc rm -f "$hdrt" return 254 @@ -1079,7 +1080,7 @@ ws_curl_test() # $2 - test function # $3 - domain # $4,$5,$6, ... - ws params - local code ws_start=$1 testf=$2 dom=$3 + local code ws_start=$1 testf=$2 dom="$3" [ "$SIMULATE" = 1 ] && { n=$(random 0 99) 
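Review bot: In the redirect check of curl_test_http, `$dom` is pasted into the ERE unescaped and behind `.*`, so the test accepts any Location that merely contains the name. Dots match any character, and a URL such as `http://other.example/x/<dom>` (constructed example) counts as a redirect to the tested site. Because this branch decides whether a 30x is reported as a suspicious redirection, a loose match can let a block-page redirect go unreported. Escape the name and anchor it to the authority part, e.g. `dom_re=$(printf '%s' "$dom" | sed 's/[][\.*^$()+?{}|]/\\&/g')` followed by `grep -qE "^https?://([^/]*\.)?$dom_re(:[0-9]+)?(/|$)"`. The function body starts and ends outside the hunk.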
@@ -1095,7 +1096,7 @@ ws_curl_test() shift shift $ws_start "$@" - curl_test $testf $dom + curl_test $testf "$dom" code=$? ws_kill return $code @@ -1108,7 +1109,7 @@ tpws_curl_test() echo - $1 ipv$IPV $2 : tpws $3 $4 $5 $6 $7 $8 $9${TPWS_EXTRA:+ $TPWS_EXTRA}${TPWS_EXTRA_1:+ "$TPWS_EXTRA_1"}${TPWS_EXTRA_2:+ "$TPWS_EXTRA_2"}${TPWS_EXTRA_3:+ "$TPWS_EXTRA_3"}${TPWS_EXTRA_4:+ "$TPWS_EXTRA_4"}${TPWS_EXTRA_5:+ "$TPWS_EXTRA_5"}${TPWS_EXTRA_6:+ "$TPWS_EXTRA_6"}${TPWS_EXTRA_7:+ "$TPWS_EXTRA_7"}${TPWS_EXTRA_8:+ "$TPWS_EXTRA_8"}${TPWS_EXTRA_9:+ "$TPWS_EXTRA_9"} local ALL_PROXY="socks5://127.0.0.1:$SOCKS_PORT" ws_curl_test tpws_start "$@"${TPWS_EXTRA:+ $TPWS_EXTRA}${TPWS_EXTRA_1:+ "$TPWS_EXTRA_1"}${TPWS_EXTRA_2:+ "$TPWS_EXTRA_2"}${TPWS_EXTRA_3:+ "$TPWS_EXTRA_3"}${TPWS_EXTRA_4:+ "$TPWS_EXTRA_4"}${TPWS_EXTRA_5:+ "$TPWS_EXTRA_5"}${TPWS_EXTRA_6:+ "$TPWS_EXTRA_6"}${TPWS_EXTRA_7:+ "$TPWS_EXTRA_7"}${TPWS_EXTRA_8:+ "$TPWS_EXTRA_8"}${TPWS_EXTRA_9:+ "$TPWS_EXTRA_9"} - local testf=$1 dom=$2 strategy code=$? + local testf=$1 dom="$2" strategy code=$? [ "$code" = 0 ] && { shift; shift; strategy="$@" 
@@ -1122,11 +1123,11 @@ pktws_curl_test() # $1 - test function # $2 - domain # $3,$4,$5, ... - nfqws/dvtws params - local testf=$1 dom=$2 strategy code + local testf=$1 dom="$2" strategy code shift; shift; echo - $testf ipv$IPV $dom : $PKTWSD ${WF:+$WF }${PKTWS_EXTRA_PRE:+$PKTWS_EXTRA_PRE }${PKTWS_EXTRA_PRE_1:+"$PKTWS_EXTRA_PRE_1" }${PKTWS_EXTRA_PRE_2:+"$PKTWS_EXTRA_PRE_2" }${PKTWS_EXTRA_PRE_3:+"$PKTWS_EXTRA_PRE_3" }${PKTWS_EXTRA_PRE_4:+"$PKTWS_EXTRA_PRE_4" }${PKTWS_EXTRA_PRE_5:+"$PKTWS_EXTRA_PRE_5" }${PKTWS_EXTRA_PRE_6:+"$PKTWS_EXTRA_PRE_6" }${PKTWS_EXTRA_PRE_7:+"$PKTWS_EXTRA_PRE_7" }${PKTWS_EXTRA_PRE_8:+"$PKTWS_EXTRA_PRE_8" }${PKTWS_EXTRA_PRE_9:+"$PKTWS_EXTRA_PRE_9" }$@${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"} - ws_curl_test pktws_start $testf $dom ${PKTWS_EXTRA_PRE:+$PKTWS_EXTRA_PRE }${PKTWS_EXTRA_PRE_1:+"$PKTWS_EXTRA_PRE_1" }${PKTWS_EXTRA_PRE_2:+"$PKTWS_EXTRA_PRE_2" }${PKTWS_EXTRA_PRE_3:+"$PKTWS_EXTRA_PRE_3" }${PKTWS_EXTRA_PRE_4:+"$PKTWS_EXTRA_PRE_4" }${PKTWS_EXTRA_PRE_5:+"$PKTWS_EXTRA_PRE_5" }${PKTWS_EXTRA_PRE_6:+"$PKTWS_EXTRA_PRE_6" }${PKTWS_EXTRA_PRE_7:+"$PKTWS_EXTRA_PRE_7" }${PKTWS_EXTRA_PRE_8:+"$PKTWS_EXTRA_PRE_8" }${PKTWS_EXTRA_PRE_9:+"$PKTWS_EXTRA_PRE_9" }"$@"${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"} + ws_curl_test pktws_start $testf "$dom" ${PKTWS_EXTRA_PRE:+$PKTWS_EXTRA_PRE }${PKTWS_EXTRA_PRE_1:+"$PKTWS_EXTRA_PRE_1" }${PKTWS_EXTRA_PRE_2:+"$PKTWS_EXTRA_PRE_2" 
}${PKTWS_EXTRA_PRE_3:+"$PKTWS_EXTRA_PRE_3" }${PKTWS_EXTRA_PRE_4:+"$PKTWS_EXTRA_PRE_4" }${PKTWS_EXTRA_PRE_5:+"$PKTWS_EXTRA_PRE_5" }${PKTWS_EXTRA_PRE_6:+"$PKTWS_EXTRA_PRE_6" }${PKTWS_EXTRA_PRE_7:+"$PKTWS_EXTRA_PRE_7" }${PKTWS_EXTRA_PRE_8:+"$PKTWS_EXTRA_PRE_8" }${PKTWS_EXTRA_PRE_9:+"$PKTWS_EXTRA_PRE_9" }"$@"${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"} code=$? [ "$code" = 0 ] && { @@ -1152,11 +1153,11 @@ xxxws_curl_test_update() # $2 - test function # $3 - domain # $4,$5,$6, ... - nfqws/dvtws params - local code xxxf=$1 testf=$2 dom=$3 + local code xxxf=$1 testf=$2 dom="$3" shift shift shift - $xxxf $testf $dom "$@" + $xxxf $testf "$dom" "$@" code=$? [ $code = 0 ] && strategy="${strategy:-$@}" return $code @@ -1317,13 +1318,13 @@ pktws_curl_test_update_vary() [ "$fake" = "-" ] && continue if [ -n "$splits" ]; then for pos in $splits ; do - pktws_curl_test_update $testf $domain --dpi-desync=$desync "$@" --dpi-desync-split-pos=$pos $fake && { + pktws_curl_test_update $testf "$domain" --dpi-desync=$desync "$@" --dpi-desync-split-pos=$pos $fake && { [ "$SCANLEVEL" = force ] || return 0 ret=0 } done else - pktws_curl_test_update $testf $domain --dpi-desync=$desync "$@" $fake && { + pktws_curl_test_update $testf "$domain" --dpi-desync=$desync "$@" $fake && { [ "$SCANLEVEL" = force ] || return 0 ret=0 } 
@@ -1572,7 +1573,7 @@ pktws_check_domain_http3_bypass_() for fake in '' "--dpi-desync-fake-quic=$ZAPRET_BASE/files/fake/quic_initial_www_google_com.bin"; do for rep in '' 2 5 10 20; do - pktws_curl_test_update $1 $2 --dpi-desync=fake ${fake:+$fake }${rep:+--dpi-desync-repeats=$rep} && [ "$SCANLEVEL" != force ] && { + pktws_curl_test_update $1 $2 --dpi-desync=fake ${fake:+"$fake" }${rep:+--dpi-desync-repeats=$rep} && [ "$SCANLEVEL" != force ] && { [ "$SCANLEVEL" = quick ] && return break } @@ -1698,7 +1699,7 @@ check_dpi_ip_block() # $1 - test function # $2 - domain - local blocked_dom=$2 + local blocked_dom="$2" local blocked_ip blocked_ips unblocked_ip echo @@ -2188,7 +2189,7 @@ check_dns_() if find_working_public_dns ; then echo comparing system resolver to public DNS : $PUBDNS for dom in $DNSCHECK_DOM; do - if check_dns_spoof $dom $PUBDNS ; then + if check_dns_spoof "$dom" $PUBDNS ; then echo $dom : MISMATCH echo -- system resolver : cat "$DNSCHECK_DIG1" diff --git a/common/base.sh b/common/base.sh index ece185e6..bba049f9 100644 --- a/common/base.sh +++ b/common/base.sh @@ -109,6 +109,10 @@ split_by_separator() [ -n "$3" ] && eval $3="\$before" [ -n "$4" ] && eval $4="\$after" } +tolower() +{ + echo "$@" | tr 'A-Z' 'a-z' +} dir_is_not_empty() { diff --git a/common/dialog.sh b/common/dialog.sh index 44f78c41..ec1c9aa2 100644 --- a/common/dialog.sh +++ b/common/dialog.sh @@ -36,11 +36,11 @@ ask_list() # $3 - (optional) default value local M_DEFAULT eval M_DEFAULT="\$$1" - local M_ALL=$M_DEFAULT + local M_DEFAULT_VAR="$M_DEFAULT" local M="" m - + [ -n "$3" ] && { find_str_in_list "$M_DEFAULT" "$2" || M_DEFAULT="$3" ;} - + n=1 for m in $2; do echo $n : $m @@ -52,6 +52,6 @@ ask_list() [ -z "$M" ] && M="$M_DEFAULT" echo selected : $M eval $1="\"$M\"" - - [ "$M" != "$M_DEFAULT" ] + + [ "$M" != "$M_DEFAULT_VAR" ] } diff --git a/common/installer.sh b/common/installer.sh index 453a70ad..574838fe 100644 --- a/common/installer.sh +++ b/common/installer.sh 
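Review bot: `$1 $2` on the changed `pktws_curl_test_update` line are still unquoted, while the rest of this commit quotes the domain argument wherever it is forwarded (`"$dom"`, `"$domain"`). Assuming `$2` is the domain here as in the sibling test functions, a domain/URI value containing whitespace or glob characters would still be split at this call site; it should read `pktws_curl_test_update $1 "$2" --dpi-desync=fake ...`. The enclosing loops start and end outside the hunk.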
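Review bot: `tolower` passes its argument through `echo`, and in this commit that argument includes the `Location` header returned by the remote server (`tolower "$loc"` in blockcheck.sh). Depending on the shell's `echo`, a value that starts with `-n`/`-e` or contains backslash sequences is altered before it reaches `tr`, which changes what the redirect regex sees. `printf '%s\n' "$*" | tr 'A-Z' 'a-z'` avoids that. A header comment such as `# print arguments lowercased (ASCII letters only)` would also help, since the sibling helpers document their parameters.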
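Review bot: ask_list's header comment does not say what the function returns, and this change alters exactly that. The final test now compares the selection with `M_DEFAULT_VAR`, the value the variable had on entry, not with `M_DEFAULT`, which may have been replaced by the `$3` fallback. Suggest adding `# return 0 if the selected value differs from the value the variable had on entry` to the header, and a name such as `M_ORIG` for the saved value so it is not read as "default variable name". The function starts above the first hunk.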
@@ -827,7 +827,9 @@ select_fwtype() echo WARNING ! if you need large lists it may be necessary to fall back to iptables+ipset firewall } echo select firewall type : - ask_list FWTYPE "iptables nftables" "$FWTYPE" && write_config_var FWTYPE + ask_list FWTYPE "iptables nftables" "$FWTYPE" + # always write config var to prevent auto discovery every time + write_config_var FWTYPE } dry_run_tpws_() diff --git a/docs/changes.txt b/docs/changes.txt index a12d0650..d1d54e71 100644 --- a/docs/changes.txt +++ b/docs/changes.txt @@ -595,3 +595,8 @@ mdig: --eagain, --eagain-delay 73.8 nfqws: fix breaking tcp if ts fooling is enabled but no timestamps present + +73.9 + +blockcheck: fix detection of http redirection if domain/URI specified +install_easy: fix writing of ask_list variables diff --git a/docs/readme.en.md b/docs/readme.en.md index 9390e74f..a921c645 100644 --- a/docs/readme.en.md +++ b/docs/readme.en.md 
@@ -207,8 +207,8 @@ nfqws takes the following parameters: --dpi-desync-fakedsplit-mod=mod[,mod] ; mods can be none,altorder=0|1|2|3 + 0|8|16 --dpi-desync-hostfakesplit-midhost=marker+N|marker-N ; additionally split real hostname at specified marker. must be within host..endhost or won't be splitted. --dpi-desync-hostfakesplit-mod=mod[,mod] ; can be none, host=, altorder=0|1 - --dpi-desync-ipfrag-pos-tcp=<8..9216> ; ip frag position starting from the transport header. multiple of 8, default 8. - --dpi-desync-ipfrag-pos-udp=<8..9216> ; ip frag position starting from the transport header. multiple of 8, default 32. + --dpi-desync-ipfrag-pos-tcp=<8..9216> ; ip frag position starting from the transport header. multiple of 8, default 32. + --dpi-desync-ipfrag-pos-udp=<8..9216> ; ip frag position starting from the transport header. multiple of 8, default 8. --dpi-desync-ts-increment= ; ts fooling TSval signed increment. default -600000 --dpi-desync-badseq-increment= ; badseq fooling seq signed increment. default -10000 --dpi-desync-badack-increment= ; badseq fooling ackseq signed increment. default -66000 @@ -1724,7 +1724,9 @@ If this is the case then run another script in background and add some delay the Are welcome here : -USDT `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E` +USDT ERC `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E` + +USDT TRC `TEzAAtn4VhndqEaAyuCM78xh5W2gCjwWEo` BTC `bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve` diff --git a/docs/readme.md b/docs/readme.md index be590c5d..10eb2b09 100644 --- a/docs/readme.md +++ b/docs/readme.md 
@@ -237,6 +237,8 @@ dvtws, собираемый из тех же исходников (см. [док --dpi-desync-fakedsplit-mod=mod[,mod] ; может быть none, altorder=0|1|2|3 + 0|8|16 --dpi-desync-hostfakesplit-midhost=marker+N|marker-N ; маркер дополнительного разреза сегмента с оригинальным хостом. должен попадать в пределы хоста. --dpi-desync-hostfakesplit-mod=mod[,mod] ; может быть none, host=, altorder=0|1 +--dpi-desync-ipfrag-pos-tcp=<8..9216> ; позиция ip фрагментации tcp, начиная с транспортного заголовка. должно быть кратно 8, по умолчанию - 32. +--dpi-desync-ipfrag-pos-udp=<8..9216> ; позиция ip фрагментации udp, начиная с транспортного заголовка. должно быть кратно 8, по умолчанию - 8. --dpi-desync-ts-increment= ; инкремент TSval для ts. по умолчанию -600000 --dpi-desync-badseq-increment= ; инкремент sequence number для badseq. по умолчанию -10000 --dpi-desync-badack-increment= ; инкремент ack sequence number для badseq. по умолчанию -66000 @@ -2744,7 +2746,9 @@ VPS можно приобрести в множестве мест. Сущест ## Поддержать разработчика -USDT `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E` +USDT ERC `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E` + +USDT TRC `TEzAAtn4VhndqEaAyuCM78xh5W2gCjwWEo` BTC `bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve` diff --git a/mdig/mdig.c b/mdig/mdig.c index d5f327a2..f9dc7ab5 100644 --- a/mdig/mdig.c +++ b/mdig/mdig.c 
@@ -80,15 +80,15 @@ static bool dom_valid(char *dom) { if (!dom || *dom=='.') return false; for (; *dom; dom++) - if (*dom < 0x20 || (*dom & 0x80) || !(*dom == '.' || *dom == '-' || *dom == '_' || (*dom >= '0' && *dom <= '9') || (*dom >= 'a' && *dom <= 'z') || (*dom >= 'A' && *dom <= 'Z'))) - return false; + if (!(*dom == '.' || *dom == '-' || *dom == '_' || (*dom >= '0' && *dom <= '9') || (*dom >= 'a' && *dom <= 'z') || (*dom >= 'A' && *dom <= 'Z'))) + return false; return true; } static void invalid_domain_beautify(char *dom) { for (int i = 0; *dom && i < 64; i++, dom++) - if (*dom < 0x20 || *dom<0) *dom = '?'; + if (*dom < 0x20 || (*dom & 0x80)) *dom = '?'; if (*dom) *dom = 0; } @@ -220,7 +220,7 @@ static void *t_resolver(void *arg) { if ((family == AF_INET && (glob.family & FAMILY4)) || (family == AF_INET6 && (glob.family & FAMILY6))) { - unsigned int mask; + unsigned int mask=0; bool mask_needed = false; if (s_mask) { @@ -436,7 +436,7 @@ int dns_parse_query() _setmode(_fileno(stdin), _O_BINARY); #endif l = fread(a,1,sizeof(a),stdin); - if (!l || !feof(stdin)) + if (!l || ferror(stdin)) { fprintf(stderr, "could not read DNS reply blob from stdin\n"); return 10; @@ -455,8 +455,8 @@ static void exithelp(void) printf( " --family=<4|6|46>\t\t; ipv4, ipv6, ipv4+ipv6\n" " --threads=\n" - " --eagain=\t; how many times to retry if EAGAIN received. default %u\n" - " --eagain-delay=\t\t; time in msec to wait between EAGAIN attempts. default %u\n" + " --eagain=\t; how many times to retry if EAI_AGAIN received. default %u\n" + " --eagain-delay=\t\t; time in msec to wait between EAI_AGAIN attempts. default %u\n" " --verbose\t\t\t; print query progress to stderr\n" " --stats=N\t\t\t; print resolve stats to stderr every N domains\n" " --log-resolved=\t\t; log successfully resolved domains to a file\n" diff --git a/nfq/darkmagic.c b/nfq/darkmagic.c index 1acded44..35db0f12 100644 --- a/nfq/darkmagic.c +++ b/nfq/darkmagic.c 
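Review bot: `invalid_domain_beautify` still lets DEL (0x7f) through, because the new test `*dom < 0x20 || (*dom & 0x80)` replaces C0 controls and high-bit bytes only. If the cleaned string ends up on a terminal or in a log (the call site is not in the hunk), extend the test: `if (*dom < 0x20 || *dom == 0x7f || (*dom & 0x80)) *dom = '?';`. In the same hunk, `dom_valid` returns true for an empty string, since only `!dom` and a leading dot are rejected before the loop. Checking `!*dom` there would close that gap unless callers already skip empty input.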
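Review bot: With `feof(stdin)` dropped from the check in dns_parse_query, input longer than `sizeof(a)` is no longer rejected, and the first `sizeof(a)` bytes are parsed as if they were the whole reply. If truncation is not intended, keep an explicit oversize test, e.g. `if (!l || ferror(stdin) || (l==sizeof(a) && fgetc(stdin)!=EOF))`. The code that parses `a` is outside the hunk, so whether it tolerates a cut-off message cannot be judged from here.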
@@ -928,6 +928,7 @@ void proto_skip_ipv6(uint8_t **data, size_t *len, uint8_t *proto_type, uint8_t * if (proto_type) *proto_type = 0; // put error in advance HeaderType = (*data)[6]; // NextHeader field + if (proto_type) *proto_type = HeaderType; if (last_header_type) *last_header_type = (*data)+6; *data += 40; *len -= 40; // skip ipv6 base header while (*len > 0) // need at least one byte for NextHeader field diff --git a/nfq/nfqws.c b/nfq/nfqws.c index 78b278af..b648958c 100644 --- a/nfq/nfqws.c +++ b/nfq/nfqws.c @@ -2014,8 +2014,8 @@ static void exithelp(void) " --dpi-desync-fakedsplit-mod=mod[,mod]\t\t\t; mods can be none,altorder=0|1|2|3 + 0|8|16\n" " --dpi-desync-hostfakesplit-midhost=marker+N|marker-N\t; additionally split real hostname at specified marker. must be within host..endhost or won't be splitted.\n" " --dpi-desync-hostfakesplit-mod=mod[,mod]\t\t; mods can be none,host=,altorder=0|1\n" - " --dpi-desync-ipfrag-pos-tcp=<8..%u>\t\t\t; ip frag position starting from the transport header. multiple of 8, default %u.\n" " --dpi-desync-ipfrag-pos-udp=<8..%u>\t\t\t; ip frag position starting from the transport header. multiple of 8, default %u.\n" + " --dpi-desync-ipfrag-pos-tcp=<8..%u>\t\t\t; ip frag position starting from the transport header. multiple of 8, default %u.\n" " --dpi-desync-ts-increment=\t\t\t; ts fooling TSval signed increment. default %d\n" " --dpi-desync-badseq-increment=\t\t; badseq fooling seq signed increment. default %d\n" " --dpi-desync-badack-increment=\t\t; badseq fooling ackseq signed increment. default %d\n" diff --git a/nfq/protocol.c b/nfq/protocol.c index 7b1ab6ee..77ab5857 100644 --- a/nfq/protocol.c +++ b/nfq/protocol.c 
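Review bot: The added `if (proto_type) *proto_type = HeaderType;` overwrites the zero stored two lines above it, so the comment `// put error in advance` no longer describes what the caller sees. If the extension-header loop exits early on a malformed packet, `*proto_type` presumably now holds the first NextHeader value instead of 0. If that is intended, reword the earlier line, e.g. `// default to the base header's NextHeader; updated while skipping extension headers`. If callers test for 0 to detect a parse failure, they need another signal. The loop body and the callers are outside the hunk.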
@@ -310,7 +310,7 @@ size_t HttpPos(uint8_t posmarker, int16_t pos, const uint8_t *data, size_t sz) if (sz<10) break; if (*method=='\n' || *method=='\r') method++; if (*method=='\n' || *method=='\r') method++; - for (p=method,i=0;i<7;i++) if (*p>='A' && *p<='Z') p++; + for (p=method,i=0; i<9 && *p>='A' && *p<='Z'; i++,p++); if (i<3 || *p!=' ') break; return CheckPos(sz,method-data+pos); case PM_HOST: @@ -962,9 +962,9 @@ bool QUICExtractHostFromInitial(const uint8_t *data, size_t data_len, char *host bool IsQUICInitial(const uint8_t *data, size_t len) { - // too small packets are not likely to be initials with client hello + // too small packets are not likely to be initials // long header, fixed bit - if (len < 256 || (data[0] & 0xC0)!=0xC0) return false; + if (len < 128 || (data[0] & 0xF0)!=0xC0) return false; uint32_t ver = QUICExtractVersion(data,len); if (QUICDraftVersion(ver) < 11) return false; @@ -973,10 +973,10 @@ bool IsQUICInitial(const uint8_t *data, size_t len) // quic v2 : initial packets are 01b if ((data[0] & 0x30) != (is_quic_v2(ver) ? 0x10 : 0x00)) return false; - uint64_t offset=5, sz; + uint64_t offset=5, sz, sz2; - // DCID. must be present - if (!data[offset] || data[offset] > QUIC_MAX_CID_LENGTH) return false; + // DCID + if (data[offset] > QUIC_MAX_CID_LENGTH) return false; offset += 1 + data[offset]; // SCID @@ -984,18 +984,19 @@ bool IsQUICInitial(const uint8_t *data, size_t len) offset += 1 + data[offset]; // token length + if (offset>=len || (offset + tvb_get_size(data[offset])) > len) return false; offset += tvb_get_varint(data + offset, &sz); offset += sz; if (offset >= len) return false; // payload length - if ((offset + tvb_get_size(data[offset])) > len) return false; + sz2 = tvb_get_size(data[offset]); + if ((offset + sz2) > len) return false; tvb_get_varint(data + offset, &sz); - offset += sz; + offset += sz2 + sz; if (offset > len) return false; - // client hello cannot be too small. likely ACK - return sz>=96; + return true; }
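Review bot: The method scan in HttpPos now reads up to nine letters plus the byte after them, but the guard above it is still `if (sz<10) break;`. After the two optional CR/LF skips `method` can be at offset 2 (assuming it starts at `data`, which is set outside the hunk), so `*p` in `if (i<3 || *p!=' ')` can be `data[11]` while only `data[0..9]` are known to exist. The old limit of 7 stayed inside that guard. Bound the scan by the buffer instead of a fixed count: `for (p=method,i=0; i<9 && p<data+sz && *p>='A' && *p<='Z'; i++,p++);` and `if (i<3 || p>=data+sz || *p!=' ') break;`.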
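Review bot: The new first-byte test in IsQUICInitial, `(data[0] & 0xF0)!=0xC0`, requires both packet-type bits to be zero. The unchanged line in the next hunk still expects `0x10` in those bits for QUIC v2 (`(data[0] & 0x30) != (is_quic_v2(ver) ? 0x10 : 0x00)`). A v2 Initial (first byte 0xD0–0xDF) therefore fails the first test, and the v2 arm of the later test can never match. Either keep the previous mask here, `(data[0] & 0xC0)!=0xC0`, and let the version-aware test select the type, or remove the v2 arm if v2 is deliberately unsupported.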