fuzzing: improve coverage (#2495)

Fix detection of WebDAV and Gnutella (over HTTP) Fix detection of z3950 Add two fuzzers to test `ndpi_memmem()` and `ndpi_strnstr()` Remove some dead code: * RTP: the same exact check is performed at the very beginning of the function * MQTT: use a better helper to exclude the protocol * Colletd: `ndpi_hostname_sni_set()` never fails Update pl7m code (fix a Use-of-uninitialized-value error)
2026-05-02 00:40:17 +00:00 · 2024-07-12 14:22:25 +02:00 · 2024-07-12 14:22:25 +02:00 · c3ba65311e
commit c3ba65311e
parent 456f0fd427
19 changed files with 142 additions and 63 deletions
--- a/.gitignore
+++ b/.gitignore
@ -62,6 +62,8 @@
 /fuzz/fuzz_alg_ses_des
 /fuzz/fuzz_alg_bytestream
 /fuzz/fuzz_alg_shoco
 /fuzz/fuzz_alg_memmem
 /fuzz/fuzz_alg_strnstr
 /fuzz/fuzz_config
 /fuzz/fuzz_community_id
 /fuzz/fuzz_serialization
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@ -1,6 +1,6 @@
 bin_PROGRAMS = fuzz_process_packet fuzz_ndpi_reader fuzz_ndpi_reader_alloc_fail fuzz_ndpi_reader_payload_analyzer fuzz_quic_get_crypto_data fuzz_config fuzz_community_id fuzz_serialization fuzz_tls_certificate fuzz_dga fuzz_is_stun_udp fuzz_is_stun_tcp
 #Alghoritms
-bin_PROGRAMS += fuzz_alg_bins fuzz_alg_hll fuzz_alg_hw_rsi_outliers_da fuzz_alg_jitter fuzz_alg_ses_des fuzz_alg_crc32_md5 fuzz_alg_bytestream fuzz_alg_shoco
+bin_PROGRAMS += fuzz_alg_bins fuzz_alg_hll fuzz_alg_hw_rsi_outliers_da fuzz_alg_jitter fuzz_alg_ses_des fuzz_alg_crc32_md5 fuzz_alg_bytestream fuzz_alg_shoco fuzz_alg_memmem fuzz_alg_strnstr
 #Data structures
 bin_PROGRAMS += fuzz_ds_patricia fuzz_ds_ahocorasick fuzz_ds_libcache fuzz_ds_tree fuzz_ds_ptree fuzz_ds_hash fuzz_ds_cmsketch fuzz_ds_bitmap64_fuse fuzz_ds_domain_classify
 #Third party
@ -223,6 +223,32 @@ fuzz_alg_shoco_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
    $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
    $(fuzz_alg_shoco_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
 fuzz_alg_memmem_SOURCES = fuzz_alg_memmem.cpp
 fuzz_alg_memmem_CXXFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
 fuzz_alg_memmem_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS)
 fuzz_alg_memmem_LDFLAGS = $(LIBS)
 if HAS_FUZZLDFLAGS
 fuzz_alg_memmem_CXXFLAGS += $(LIB_FUZZING_ENGINE)
 fuzz_alg_memmem_LDFLAGS += $(LIB_FUZZING_ENGINE)
 endif
 # force usage of CXX for linker
 fuzz_alg_memmem_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
    $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
    $(fuzz_alg_memmem_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
 fuzz_alg_strnstr_SOURCES = fuzz_alg_strnstr.cpp
 fuzz_alg_strnstr_CXXFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
 fuzz_alg_strnstr_LDADD = ../src/lib/libndpi.a $(ADDITIONAL_LIBS)
 fuzz_alg_strnstr_LDFLAGS = $(LIBS)
 if HAS_FUZZLDFLAGS
 fuzz_alg_strnstr_CXXFLAGS += $(LIB_FUZZING_ENGINE)
 fuzz_alg_strnstr_LDFLAGS += $(LIB_FUZZING_ENGINE)
 endif
 # force usage of CXX for linker
 fuzz_alg_strnstr_LINK=$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
    $(LIBTOOLFLAGS) --mode=link $(CXX) @NDPI_CFLAGS@ $(AM_CXXFLAGS) $(CXXFLAGS) \
    $(fuzz_alg_strnstr_LDFLAGS) @NDPI_LDFLAGS@ $(LDFLAGS) -o $@
 fuzz_alg_ses_des_SOURCES = fuzz_alg_ses_des.cpp fuzz_common_code.c
 fuzz_alg_ses_des_CXXFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
 fuzz_alg_ses_des_CFLAGS = @NDPI_CFLAGS@ $(CXXFLAGS)
--- a/fuzz/fuzz_alg_memmem.cpp
+++ b/fuzz/fuzz_alg_memmem.cpp
@ -0,0 +1,35 @@
 #include "ndpi_api.h"
 #include "fuzzer/FuzzedDataProvider.h"
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  FuzzedDataProvider fuzzed_data(data, size);
  char dst[256];
  uint8_t *h;
  int h_len, needle_len = 0, needle_start = 0;
  /* No real memory allocations involved */
  /* 1: needle is a subset of haystack */
  std::vector<uint8_t>haystack = fuzzed_data.ConsumeBytes<uint8_t>(512);
  h = haystack.data();
  h_len = haystack.size();
  if(h_len > 1) {
    needle_start = fuzzed_data.ConsumeIntegralInRange(0, h_len - 1);
    needle_len = fuzzed_data.ConsumeIntegralInRange(0, h_len - needle_start - 1); 
  }
  ndpi_memmem(h, h_len, &h[needle_start], needle_len);
  /* 2: fully random */
  std::vector<uint8_t>needle = fuzzed_data.ConsumeBytes<uint8_t>(512);
  ndpi_memmem(h, h_len, needle.data(), needle.size());
  /* Let use this fuzzer to check also this simple function... */
  ndpi_strlcpy(dst, (const char *)h, sizeof(dst), h_len);
  return 0;
 }
--- a/fuzz/fuzz_alg_strnstr.cpp
+++ b/fuzz/fuzz_alg_strnstr.cpp
@ -0,0 +1,18 @@
 #include "ndpi_api.h"
 #include "fuzzer/FuzzedDataProvider.h"
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  FuzzedDataProvider fuzzed_data(data, size);
  u_int16_t len;
  /* No real memory allocations involved */
  len = fuzzed_data.ConsumeIntegral<u_int16_t>();
  std::string haystack = fuzzed_data.ConsumeRandomLengthString();
  std::string needle = fuzzed_data.ConsumeRandomLengthString();
  ndpi_strnstr(haystack.c_str(), needle.c_str(), len);
  return 0;
 }
--- a/fuzz/fuzz_ds_domain_classify.cpp
+++ b/fuzz/fuzz_ds_domain_classify.cpp
@ -30,7 +30,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  for (i = 0; i < num_iteration; i++) {
    value = fuzzed_data.ConsumeBytesAsString(fuzzed_data.ConsumeIntegral<u_int8_t>());
    class_id = fuzzed_data.ConsumeIntegral<u_int16_t>();
-    rc = ndpi_domain_classify_add(ndpi_struct, d, class_id, (char*)value.c_str());
+    rc = ndpi_domain_classify_add(fuzzed_data.ConsumeBool() ? ndpi_struct : NULL,
                                  d, class_id, (char*)value.c_str());
    /* Keep one random entry really added */
    if (rc == true && is_added == 0 && fuzzed_data.ConsumeBool()) {
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@ -588,8 +588,6 @@ u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struc
 				 struct ndpi_flow_struct *flow,
 				 u_int32_t saddr, u_int32_t daddr);
 u_int32_t ip_port_hash_funct(u_int32_t ip, u_int16_t port);
 char* ndpi_intoav4(unsigned int addr, char* buf, u_int16_t bufLen);
 u_int16_t icmp4_checksum(u_int8_t const * const buf, size_t len);
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@ -7528,12 +7528,6 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
 /* ********************************************************************************* */
 u_int32_t ip_port_hash_funct(u_int32_t ip, u_int16_t port) {
  return(ip + 3 * port);
 }
 /* ********************************************************************************* */
 /* #define BITTORRENT_CACHE_DEBUG */
 int search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_struct,
--- a/src/lib/protocols/collectd.c
+++ b/src/lib/protocols/collectd.c
@ -101,11 +101,11 @@ static int ndpi_int_collectd_check_type(u_int16_t block_type)
  return 1;
 }
-static int ndpi_int_collectd_dissect_hostname(struct ndpi_flow_struct * const flow,
+static void ndpi_int_collectd_dissect_hostname(struct ndpi_flow_struct * const flow,
-                                              struct ndpi_packet_struct const * const packet,
+                                               struct ndpi_packet_struct const * const packet,
-                                              u_int16_t block_length)
+                                               u_int16_t block_length)
 {
-  return (ndpi_hostname_sni_set(flow, &packet->payload[4], block_length, NDPI_HOSTNAME_NORM_ALL) == NULL);
+  ndpi_hostname_sni_set(flow, &packet->payload[4], block_length, NDPI_HOSTNAME_NORM_ALL);
 }
 static int ndpi_int_collectd_dissect_username(struct ndpi_flow_struct * const flow,
@ -184,11 +184,8 @@ static void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struc
    return;
  }
-  if (hostname_length > 0 &&
+  if (hostname_length > 0)
-      ndpi_int_collectd_dissect_hostname(flow, packet, hostname_length) != 0)
+    ndpi_int_collectd_dissect_hostname(flow, packet, hostname_length);
  {
    ndpi_set_risk(flow, NDPI_MALFORMED_PACKET, "Invalid collectd Header");
  }
  ndpi_int_collectd_add_connection(ndpi_struct, flow);
 }
--- a/src/lib/protocols/gnutella.c
+++ b/src/lib/protocols/gnutella.c
@ -103,8 +103,10 @@ static void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struc
 					    || (memcmp(packet->payload, "GET /uri-res/", 13) == 0))) {
      c = 8;
      while (c < (packet->payload_packet_len - 9)) {
-	if (packet->payload[c] == '?')
+	if (packet->payload[c] == '?') {
 	  c++;
 	  break;
 	}
 	c++;
      }
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@ -1086,12 +1086,18 @@ static struct l_string {
 		    STATIC_STRING_L("DELETE "),
 		    STATIC_STRING_L("CONNECT "),
 		    STATIC_STRING_L("PROPFIND "),
 		    STATIC_STRING_L("PROPPATCH "),
 		    STATIC_STRING_L("MKCOL "),
 		    STATIC_STRING_L("MOVE "),
 		    STATIC_STRING_L("COPY "),
 		    STATIC_STRING_L("LOCK "),
 		    STATIC_STRING_L("UNLOCK "),
 		    STATIC_STRING_L("REPORT "),
 		    STATIC_STRING_L("RPC_CONNECT "),
 		    STATIC_STRING_L("RPC_IN_DATA "),
 		    STATIC_STRING_L("RPC_OUT_DATA ")
 };
-static const char *http_fs = "CDGHOPR";
+static const char *http_fs = "CDGHLMOPRU";
 static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *ndpi_struct)
 {
--- a/src/lib/protocols/mqtt.c
+++ b/src/lib/protocols/mqtt.c
@ -93,7 +93,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 	struct ndpi_packet_struct *packet = &ndpi_struct->packet;
 	if (flow->packet_counter > 10) {
 		NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. mandatory header not found!\n");
-		NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+		NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 		return;
 	}
@ -105,20 +105,20 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 		      packet->payload_packet_len);
 	if (packet->payload_packet_len < 2) {
 		NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. mandatory header not found!\n");
-		NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+		NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 		return;
 	}
 	// we extract the remaining length
 	rl = get_var_int(&packet->payload[1], packet->payload_packet_len - 1, &rl_len);
 	if (rl < 0) {
 		NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. invalid length!\n");
-		NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+		NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 		return;
 	}
 	NDPI_LOG_DBG(ndpi_struct, "Mqtt: msg_len %d\n", (unsigned long long)rl);
 	if (packet->payload_packet_len != rl + 1 + rl_len) {
 		NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. maximum packet size exceeded!\n");
-		NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+		NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 		return;
 	}
 	// we extract the packet type
@ -126,7 +126,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 	NDPI_LOG_DBG2(ndpi_struct,"====>>>> Mqtt packet type: [%d]\n",pt);
 	if ((pt == 0) || (pt == 15)) {
 		NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. invalid packet type!\n");
-		NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+		NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 		return;
 	}
 	// we extract the flags
@ -137,12 +137,12 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 					(pt == PUBCOMP) || (pt == SUBACK) || (pt == UNSUBACK) || (pt == PINGREQ) ||
 					(pt == PINGRESP) || (pt == DISCONNECT)) && (flags > 0)) {
 		NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Flag combination flag!=0\n");
-		NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+		NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 		return;
 	}
 	if (((pt == PUBREL) || (pt == SUBSCRIBE) || (pt == UNSUBSCRIBE)) && (flags != 2)) {
 		NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Flag combination flag!=2\n");
-		NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+		NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 		return;
 	}
 	NDPI_LOG_DBG2(ndpi_struct,"====>>>> Passed first stage of identification\n");
@ -151,7 +151,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 			(pt == PUBREC) || (pt == PUBCOMP) || (pt == UNSUBACK)) {
 		if (packet->payload_packet_len != 4) { // these packets are always 4 bytes long
 			NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Length < 4 \n");
-			NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+			NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 			return;
 		} else {
 			NDPI_LOG_INFO(ndpi_struct, "found Mqtt CONNACK/PUBACK/PUBREL/PUBREC/PUBCOMP/UNSUBACK\n");
@ -162,7 +162,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 	if ((pt == PINGREQ) || (pt == PINGRESP) || (pt == DISCONNECT)) {
 		if (packet->payload_packet_len != 2) { // these packets are always 2 bytes long
 			NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Length <2 \n");
-			NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+			NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 			return;
 		} else {
 			NDPI_LOG_INFO(ndpi_struct, "found Mqtt PING/PINGRESP/DISCONNECT\n");
@ -183,25 +183,25 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 		u_int8_t dup = (u_int8_t) (flags & 0x08) >> 3;
 		if (qos > 2) { // qos values possible are 0,1,2
 			NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos\n");
-			NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+			NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 			return;
 		}
 		if (qos == 0) {
 			if (dup != 0) {
 				NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos0 and dup combination\n");
-				NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+				NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 				return;
 			}
 			if (packet->payload_packet_len < 5) { // at least topic (3Bytes + 2Bytes fixed header)
 				NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos0 size\n");
-				NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+				NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 				return;
 			}
 		}
 		if ((qos == 1) || (qos == 2)) {
 			if (packet->payload_packet_len < 7 ) { // at least topic + pkt identifier (3Bytes + 2Bytes + 2Bytes fixed header)
 				NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos1&2\n");
-				NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+				NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 				return;
 			}
 		}
@ -212,7 +212,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 	if (pt == SUBSCRIBE) {
 		if (packet->payload_packet_len < 8) { // at least one topic+filter is required in the payload
 			NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid SUBSCRIBE\n");
-			NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+			NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 			return;
 		} else {
 			NDPI_LOG_INFO(ndpi_struct, "found Mqtt SUBSCRIBE\n");
@ -223,7 +223,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 	if (pt == SUBACK ) {
 		if (packet->payload_packet_len <5 ) { // must have at least a response code
 			NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid SUBACK\n");
-			NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+			NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 			return;
 		} else {
 			NDPI_LOG_INFO(ndpi_struct, "found Mqtt SUBACK\n");
@ -234,7 +234,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 	if (pt == UNSUBSCRIBE) {
 		if (packet->payload_packet_len < 7) { // at least a topic
 			NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid UNSUBSCRIBE\n");
-			NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
+			NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 			return;
 		} else {
 			NDPI_LOG_INFO(ndpi_struct, "found Mqtt UNSUBSCRIBE\n");
@ -242,9 +242,7 @@ static void ndpi_search_mqtt(struct ndpi_detection_module_struct *ndpi_struct,
 			return;
 		}
 	}
-	NDPI_LOG_DBG2(ndpi_struct,"====>>>> Passed third stage of identification");
+	/* We already checked every possible values of pt: we are never here */
 	NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 	return;
 }
 /**
 * Entry point for the ndpi library
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@ -235,9 +235,6 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
        NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
        NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP);
      }
    } else if(flow->packet_counter > 3) {
        NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
        NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP);
    }      
  }
 }
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@ -71,9 +71,6 @@ typedef struct {
 static void ssh_analyze_signature_version(struct ndpi_flow_struct *flow,
 					  char *str_to_check,
 					  u_int8_t is_client_signature) {
  if(str_to_check == NULL) return;
  u_int i;
  u_int8_t obsolete_ssh_version = 0;  
  const ssh_pattern ssh_servers_strings[] =
--- a/src/lib/protocols/z3950.c
+++ b/src/lib/protocols/z3950.c
@ -42,7 +42,7 @@ static int z3950_parse_sequences(struct ndpi_packet_struct const * const packet,
  pdu_type = packet->payload[0] & 0x1F;
-  if(((pdu_type < 20) || (pdu_type > 36)) && ((pdu_type < 43) || (pdu_type > 48)))
+  if((pdu_type < 20) || ((pdu_type > 36) && ((pdu_type < 43) || (pdu_type > 48))))
    return(-1);  
  while(cur_sequences++ < max_sequences) {
--- a/src/lib/third_party/src/fuzz/pl7m.c
+++ b/src/lib/third_party/src/fuzz/pl7m.c
@ -284,7 +284,7 @@ static int dissect_l2(int datalink_type, struct m_pkt *p)
 		break;
 	case DLT_PPI:
-		if (data_len < l2_offset + 4)
+		if (data_len < l2_offset + 8)
 			return -1;
 		header_length = le16toh(*(u_int16_t *)&data[l2_offset + 2]);
 		dlt = le32toh(*(u_int32_t *)&data[l2_offset + 4]);
--- a/tests/cfgs/default/pcap/ssh.pcap
+++ b/tests/cfgs/default/pcap/ssh.pcap
--- a/tests/cfgs/default/pcap/webdav.pcap
+++ b/tests/cfgs/default/pcap/webdav.pcap
--- a/tests/cfgs/default/result/ssh.pcap.out
+++ b/tests/cfgs/default/result/ssh.pcap.out
@ -1,6 +1,6 @@
-DPI Packets (TCP):	10	(10.00 pkts/flow)
+DPI Packets (TCP):	19	(9.50 pkts/flow)
-Confidence DPI              : 1 (flows)
+Confidence DPI              : 2 (flows)
-Num dissector calls: 1 (1.00 diss/flow)
+Num dissector calls: 22 (11.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)
@ -16,11 +16,12 @@ Patricia risk mask:   2/0 (search/found)
 Patricia risk mask IPv6: 0/0 (search/found)
 Patricia risk:        0/0 (search/found)
 Patricia risk IPv6:   0/0 (search/found)
-Patricia protocols:   2/0 (search/found)
+Patricia protocols:   4/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-SSH	258	35546	1
+SSH	295	44977	2
-Acceptable                     258 35546         1            
+Acceptable                     295 44977         2            
 	1	TCP 172.16.238.1:58395 <-> 172.16.238.168:22 [proto: 92/SSH][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 10][cat: RemoteAccess/12][159 pkts/15615 bytes <-> 99 pkts/19931 bytes][Goodput ratio: 33/67][248.48 sec][Hostname/SNI: SSH-2.0-OpenSSH_5.3][bytes ratio: -0.121 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1846/2934 166223/166224 14794/19692][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 98/201 970/1346 83/283][Risk: ** SSH Obsolete Cli Vers/Cipher **** SSH Obsolete Ser Vers/Cipher **][Risk Score: 150][Risk Info: Found cipher arcfour128 / Found cipher arcfour128][HASSH-C: 21B457A327CE7A2D4FCE5EF2C42400BD][Server: SSH-2.0-OpenSSH_5.6][HASSH-S: B1C6C0D56317555B85C7005A3DE29325][Plen Bins: 2,76,12,2,3,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0]
 	2	TCP 127.0.0.1:58496 <-> 127.0.0.1:8000 [proto: 92/SSH][IP: 0/Unknown][Encrypted][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 9][cat: RemoteAccess/12][20 pkts/5598 bytes <-> 17 pkts/3833 bytes][Goodput ratio: 76/71][2.18 sec][Hostname/SNI: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11][bytes ratio: 0.187 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 119/162 1760/1760 424/463][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 280/225 1602/1098 437/270][Risk: ** Known Proto on Non Std Port **** SSH Obsolete Ser Vers/Cipher **][Risk Score: 100][Risk Info: Found cipher arcfour128][HASSH-C: C11B200866CF918393E62EA25D851D90][Server: SSH-2.0-APACHE-SSHD-2.5.0][HASSH-S: CA6DD86B2D9A44E4A3F1A55C53E6B0FA][Plen Bins: 13,4,42,4,4,0,0,0,0,0,0,4,4,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,4,0,0,0,0,0,4]
--- a/tests/cfgs/default/result/webdav.pcap.out
+++ b/tests/cfgs/default/result/webdav.pcap.out
@ -1,6 +1,6 @@
-DPI Packets (TCP):	6	(6.00 pkts/flow)
+DPI Packets (TCP):	41	(5.12 pkts/flow)
-Confidence DPI              : 1 (flows)
+Confidence DPI              : 8 (flows)
-Num dissector calls: 15 (15.00 diss/flow)
+Num dissector calls: 120 (15.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache stun:       0/0/0 (insert/search/found)
@ -10,17 +10,24 @@ LRU cache msteams:    0/0/0 (insert/search/found)
 Automa host:          0/0 (search/found)
 Automa domain:        0/0 (search/found)
 Automa tls cert:      0/0 (search/found)
-Automa risk mask:     1/0 (search/found)
+Automa risk mask:     8/0 (search/found)
 Automa common alpns:  0/0 (search/found)
-Patricia risk mask:   2/0 (search/found)
+Patricia risk mask:   16/0 (search/found)
 Patricia risk mask IPv6: 0/0 (search/found)
 Patricia risk:        0/0 (search/found)
 Patricia risk IPv6:   0/0 (search/found)
-Patricia protocols:   2/0 (search/found)
+Patricia protocols:   16/0 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-WebDAV	14	2742	1
+WebDAV	92	22025	8
-Acceptable                      14 2742          1            
+Acceptable                      92 22025         8            
-	1	TCP 10.24.8.189:50652 <-> 104.156.149.6:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Collaborative/15][7 pkts/727 bytes <-> 7 pkts/2015 bytes][Goodput ratio: 46/81][5.07 sec][Hostname/SNI: 104.156.149.6][bytes ratio: -0.470 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22/8 67/20 24/9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 104/288 223/1107 75/390][URL: 104.156.149.6/webdav][StatusCode: 301][Content-Type: text/html][Server: Apache/2.4.52 (Ubuntu)][User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 10][Risk Info: Found host 104.156.149.6][PLAIN TEXT (PROPFIND /webdav HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	TCP 192.168.16.173:35612 <-> 198.244.151.63:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Collaborative/15][8 pkts/1196 bytes <-> 4 pkts/2599 bytes][Goodput ratio: 55/89][0.11 sec][Hostname/SNI: www.dlp-test.com][bytes ratio: -0.370 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/26 13/27 28/28 13/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 150/650 572/1614 167/640][URL: www.dlp-test.com/webdav][StatusCode: 401][Content-Type: text/html][Server: Microsoft-HTTPAPI/2.0][User-Agent: curl/7.68.0][Risk: ** Error Code **][Risk Score: 10][Risk Info: HTTP Error Code 401][PLAIN TEXT (MKCOL /webdav HTTP/1.1)][Plen Bins: 0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25]
 	2	TCP 192.168.16.173:47726 <-> 198.244.151.63:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Collaborative/15][7 pkts/1136 bytes <-> 4 pkts/2468 bytes][Goodput ratio: 59/89][0.11 sec][Hostname/SNI: www.dlp-test.com][bytes ratio: -0.370 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/26 16/26 28/27 13/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 162/617 575/1483 177/592][URL: www.dlp-test.com/webdav][StatusCode: 401][Content-Type: text/html][Server: Microsoft-HTTPAPI/2.0][User-Agent: curl/7.68.0][Risk: ** Error Code **][Risk Score: 10][Risk Info: HTTP Error Code 401][PLAIN TEXT (PROPFIND /webdav HTTP/1.1)][Plen Bins: 0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0]
 	3	TCP 10.24.8.189:50652 <-> 104.156.149.6:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 6][cat: Collaborative/15][7 pkts/727 bytes <-> 7 pkts/2015 bytes][Goodput ratio: 46/81][5.07 sec][Hostname/SNI: 104.156.149.6][bytes ratio: -0.470 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 22/8 67/20 24/9][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 104/288 223/1107 75/390][URL: 104.156.149.6/webdav][StatusCode: 301][Content-Type: text/html][Server: Apache/2.4.52 (Ubuntu)][User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045][Risk: ** HTTP/TLS/QUIC Numeric Hostname/SNI **][Risk Score: 10][Risk Info: Found host 104.156.149.6][PLAIN TEXT (PROPFIND /webdav HTTP/1.1)][Plen Bins: 0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	4	TCP 192.168.16.173:57432 <-> 198.244.151.63:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Collaborative/15][7 pkts/1138 bytes <-> 4 pkts/1246 bytes][Goodput ratio: 59/78][0.11 sec][Hostname/SNI: www.dlp-test.com][bytes ratio: -0.045 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/27 16/28 28/28 13/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 163/312 576/845 177/318][URL: www.dlp-test.com/webdav][StatusCode: 401][Content-Type: text/html][Server: Microsoft-HTTPAPI/2.0][User-Agent: curl/7.68.0][Risk: ** Error Code **][Risk Score: 10][Risk Info: HTTP Error Code 401][PLAIN TEXT (PROPPATCH /webdav HTTP/1.1)][Plen Bins: 0,0,0,0,25,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	5	TCP 192.168.16.173:47436 <-> 198.244.151.63:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Collaborative/15][7 pkts/1132 bytes <-> 4 pkts/1246 bytes][Goodput ratio: 58/78][0.11 sec][Hostname/SNI: www.dlp-test.com][bytes ratio: -0.048 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/26 16/26 27/27 13/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 162/312 573/845 176/318][URL: www.dlp-test.com/webdav][StatusCode: 401][Content-Type: text/html][Server: Microsoft-HTTPAPI/2.0][User-Agent: curl/7.68.0][Risk: ** Error Code **][Risk Score: 10][Risk Info: HTTP Error Code 401][PLAIN TEXT (UNLOCK /webdav HTTP/1.1)][Plen Bins: 0,0,0,0,25,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	6	TCP 192.168.16.173:41714 <-> 198.244.151.63:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Collaborative/15][7 pkts/1128 bytes <-> 4 pkts/1246 bytes][Goodput ratio: 58/78][0.11 sec][Hostname/SNI: www.dlp-test.com][bytes ratio: -0.050 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/25 16/26 27/27 13/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 161/312 571/845 175/318][URL: www.dlp-test.com/webdav][StatusCode: 401][Content-Type: text/html][Server: Microsoft-HTTPAPI/2.0][User-Agent: curl/7.68.0][Risk: ** Error Code **][Risk Score: 10][Risk Info: HTTP Error Code 401][PLAIN TEXT (MOVE /webdav HTTP/1.1)][Plen Bins: 0,0,0,0,25,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	7	TCP 192.168.16.173:47432 <-> 198.244.151.63:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Collaborative/15][7 pkts/1128 bytes <-> 4 pkts/1246 bytes][Goodput ratio: 58/78][0.11 sec][Hostname/SNI: www.dlp-test.com][bytes ratio: -0.050 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/25 16/26 27/27 13/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 161/312 571/845 175/318][URL: www.dlp-test.com/webdav][StatusCode: 401][Content-Type: text/html][Server: Microsoft-HTTPAPI/2.0][User-Agent: curl/7.68.0][Risk: ** Error Code **][Risk Score: 10][Risk Info: HTTP Error Code 401][PLAIN TEXT (LOCK /webdav HTTP/1.1)][Plen Bins: 0,0,0,0,25,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	8	TCP 192.168.16.173:55974 <-> 198.244.151.63:80 [proto: 7.376/HTTP.WebDAV][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 0/Unknown, Confidence: Unknown][DPI packets: 5][cat: Collaborative/15][7 pkts/1128 bytes <-> 4 pkts/1246 bytes][Goodput ratio: 58/78][0.11 sec][Hostname/SNI: www.dlp-test.com][bytes ratio: -0.050 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/26 16/27 28/28 13/1][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 161/312 571/845 175/318][URL: www.dlp-test.com/webdav][StatusCode: 401][Content-Type: text/html][Server: Microsoft-HTTPAPI/2.0][User-Agent: curl/7.68.0][Risk: ** Error Code **][Risk Score: 10][Risk Info: HTTP Error Code 401][PLAIN TEXT (COPY /webdav HTTP/1.1)][Plen Bins: 0,0,0,0,25,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]