nDPI now detect RCE injections via PCRE instead Intel Hyperscan - BUGGY, DOES NOT COMPILE

src/include/ndpi_typedefs.h

@@ -1003,6 +1003,15 @@ struct hs {
 };
 #endif
 
+#ifdef HAVE_PCRE
+#include <pcre.h>
+
+struct pcre_struct {
+  pcre *compiled;
+  pcre_extra *optimized;
+};
+#endif
+
 struct ndpi_detection_module_struct {
   NDPI_PROTOCOL_BITMASK detection_bitmask;
   NDPI_PROTOCOL_BITMASK generic_http_packet_bitmask;

src/lib/ndpi_utils.c

@@ -1214,100 +1214,93 @@ static int ndpi_is_xss_injection(char* query) {
 
 /* ********************************** */
 
-#ifdef HAVE_HYPERSCAN
-
-static void free_hyperscan(struct ndpi_detection_module_struct *ndpi_str,
-                           hs_compile_error_t *compile_err)
-{
-  if (ndpi_str) {
-    struct hs *hs = (struct hs*)ndpi_str->hyperscan;
-
-    if(hs) {
-      hs_free_scratch(hs->scratch);
-      hs_free_database(hs->database);
-      ndpi_free(hs);
-    }
-
-    ndpi_free(ndpi_str);
-  }
-
-  if (compile_err) {
-    hs_free_compile_error(compile_err);
-  }
-}
-
-/* ********************************** */
+#ifdef HAVE_PCRE
 
 static void ndpi_compile_rce_regex() {
-  hs_compile_error_t *compile_err;
+  const char *pcreErrorStr;
+  int pcreErrorOffset;
 
   for(int i = 0; i < N_RCE_REGEX; i++) {
-    struct ndpi_detection_module_struct *ndpi_str =
-        ndpi_malloc(sizeof(struct ndpi_detection_module_struct));
+    comp_rx[i] = (struct pcre_struct*)ndpi_malloc(sizeof(struct pcre_struct));
 
-    ndpi_str->hyperscan = (void*)ndpi_malloc(sizeof(struct hs));
+    comp_rx[i]->compiled = pcre_compile(rce_regex[i], 0, &pcreErrorStr,
+                                        &pcreErrorOffset, NULL);
 
-    if(!ndpi_str->hyperscan) {
-      free_hyperscan(ndpi_str, NULL);
-      return;
-    }
-
-    comp_rx[i] = (struct hs*)ndpi_str->hyperscan;
-
-    if (hs_compile(rce_regex[i], HS_FLAG_DOTALL, HS_MODE_BLOCK, NULL,
-        &comp_rx[i]->database, &compile_err) != HS_SUCCESS)
-    {
+    if(comp_rx[i]->compiled == NULL) {
       #ifdef DEBUG
-      NDPI_LOG_ERR(ndpi_str, "ERROR: Unable to compile pattern \"%s\": %s\n",
-                   rce_regex[i], compile_err->message);
+      NDPI_LOG_ERR(ndpi_str, "ERROR: Could not compile '%s': %s\n", rce_regex[i],
+                   pcreErrorStr);
       #endif
 
       continue;
     }
 
-    comp_rx[i]->scratch = NULL;
+    comp_rx[i]->optimized = pcre_study(comp_rx[i]->compiled, 0, &pcreErrorStr);
 
-    if(hs_alloc_scratch(comp_rx[i]->database, &comp_rx[i]->scratch) != HS_SUCCESS) {
+    if(pcreErrorStr != NULL) {
       #ifdef DEBUG
-      NDPI_LOG_ERR(ndpi_str, "ERROR: Unable to allocate hyperscan scratch space\n");
+      NDPI_LOG_ERR(ndpi_str, "ERROR: Could not study '%s': %s\n", rce_regex[i],
+                   pcreErrorStr);
       #endif
 
       continue;
     }
   }
 
-  free_hyperscan(NULL, compile_err);
+  free((void *)pcreErrorStr);
 }
 
-/* ********************************** */
-
 static int ndpi_is_rce_injection(char* query) {
   if (!initialized_comp_rx) {
     ndpi_compile_rce_regex();
     initialized_comp_rx = 1;
   }
 
-  hs_error_t status;
+  int pcreExecRet;
+  int subStrVec[30];
 
   for(int i = 0; i < N_RCE_REGEX; i++) {
     unsigned int length = strlen(query);
 
-    status = hs_scan(comp_rx[i]->database, query, length, 0, comp_rx[i]->scratch,
-                     NULL, (void *)rce_regex[i]);
+    pcreExecRet = pcre_exec(comp_rx[i]->compiled,
+                            comp_rx[i]->optimized,
+                            query,
+                            length,
+                            0,
+                            0,
+                            subStrVec,
+                            30);
 
-    if (status == HS_SUCCESS) {
+    if (pcreExecRet >= 0) {
       return 1;
     }
-    else if(status == HS_SCAN_TERMINATED) {
-      continue;
-    }
+    #ifdef DEBUG
     else {
-      #ifdef DEBUG
-      NDPI_LOG_ERR(ndpi_str, "ERROR: Unable to scan input buffer\n");
-      #endif
-
-      continue;
+      switch(pcreExecRet) {
+        case PCRE_ERROR_NOMATCH:
+          NDPI_LOG_ERR(ndpi_str, "ERROR: String did not match the pattern\n");
+          break;
+        case PCRE_ERROR_NULL:
+          NDPI_LOG_ERR(ndpi_str, "ERROR: Something was null\n");
+          break;
+        case PCRE_ERROR_BADOPTION:
+          NDPI_LOG_ERR(ndpi_str, "ERROR: A bad option was passed\n");
+          break;
+        case PCRE_ERROR_BADMAGIC:
+          NDPI_LOG_ERR(ndpi_str, "ERROR: Magic number bad (compiled re corrupt?)\n");
+          break;
+        case PCRE_ERROR_UNKNOWN_NODE:
+          NDPI_LOG_ERR(ndpi_str, "ERROR: Something kooky in the compiled re\n");
+          break;
+        case PCRE_ERROR_NOMEMORY:
+          NDPI_LOG_ERR(ndpi_str, "ERROR: Ran out of memory\n");
+          break;
+        default:
+          NDPI_LOG_ERR(ndpi_str, "ERROR: Unknown error\n");
+          break;
+      }
     }
+    #endif
   }
 
   size_t ushlen = sizeof(ush_commands) / sizeof(ush_commands[0]);
@@ -1368,7 +1361,7 @@ ndpi_url_risk ndpi_validate_url(char *url) {
 	    rc = ndpi_url_possible_xss;
 	  else if(ndpi_is_sql_injection(decoded))
 	    rc = ndpi_url_possible_sql_injection;
-#ifdef HAVE_HYPERSCAN
+#ifdef HAVE_PCRE
 	  else if(ndpi_is_rce_injection(decoded))
 	    rc = ndpi_url_possible_rce_injection;
 #endif

src/lib/third_party/include/rce_injection.h

@@ -1,4 +1,4 @@
-#ifdef HAVE_HYPERSCAN
+#ifdef HAVE_PCRE
 
 #ifndef NDPI_RCE_H
 #define NDPI_RCE_H
@@ -8,7 +8,7 @@
 #define N_RCE_REGEX 7
 
 /* Compiled regex */
-static struct hs *comp_rx[N_RCE_REGEX];
+static struct pcre_struct *comp_rx[N_RCE_REGEX];
 
 static unsigned int initialized_comp_rx = 0;
 
@@ -610,4 +610,4 @@ static const char *pwsh_commands[] = {
   "-PSConsoleFile"
 };
 
-#endif
+#endif //HAVE_PCRE