From 2120264e0bc50db478009ba8a11782be3eecd859 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Mon, 16 Feb 2026 19:39:52 +0300
Subject: [PATCH] AI and manual fixes
---
 docs/changes.txt | 1 +
 lua/zapret-lib.lua | 11 +++++------
 nfq2/conntrack.c | 17 +++++++++++------
 nfq2/desync.c | 7 +++++--
 nfq2/gzip.c | 22 ++++++++++++++++++----
 nfq2/hostlist.c | 2 +-
 nfq2/ipset.c | 2 +-
 nfq2/lua.c | 43 +++++++++++++++++++++++++++++++------------
 nfq2/protocol.c | 1 -
 9 files changed, 73 insertions(+), 33 deletions(-)
diff --git a/docs/changes.txt b/docs/changes.txt
index b741e96..c102168 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -246,3 +246,4 @@ v0.9.4
 * github actions: update upx to 5.1.0. use upx for linux-riscv5
 * github actions: stronger zip and gz compression
 * nfqws2: --chdir
+* nfqws2: fixed wrong scale factor application to winsize
diff --git a/lua/zapret-lib.lua b/lua/zapret-lib.lua
index 3896b82..de05616 100644
--- a/lua/zapret-lib.lua
+++ b/lua/zapret-lib.lua
@@ -805,9 +805,9 @@ function autottl(incoming_ttl, attl)
 if incoming_ttl>223 then
 orig=255
- elseif incoming_ttl<128 and incoming_ttl>96 then
+ elseif incoming_ttl<=128 and incoming_ttl>96 then
 orig=128
- elseif incoming_ttl<64 and incoming_ttl>32 then
+ elseif incoming_ttl<=64 and incoming_ttl>32 then
 orig=64
 else
 return nil
@@ -1161,16 +1161,15 @@ function rawsend_dissect_segmented(desync, dis, mss, options)
 local pos=1
 local len
 local payload=discopy.payload
-
 while pos <= #payload do
 len = #payload - pos + 1
 if len > max_data then len = max_data end
 if oob then
 if urp>=pos and urp<(pos+len)then
- discopy.tcp.th_flags = bitor(dis.tcp.th_flags, TH_URG)
+ discopy.tcp.th_flags = bitor(discopy.tcp.th_flags, TH_URG)
 discopy.tcp.th_urp = urp-pos+1
 else
- discopy.tcp.th_flags = bitand(dis.tcp.th_flags, bitnot(TH_URG))
+ discopy.tcp.th_flags = bitand(discopy.tcp.th_flags, bitnot(TH_URG))
 discopy.tcp.th_urp = 0
 end
 end
@@ -2449,7 +2448,7 @@ function tls_dissect(tls, offset, partialOK)
 encrypted = true
 elseif typ==TLS_RECORD_TYPE_HANDSHAKE and not encrypted then
 -- need 4 bytes for handshake type and 24-bit length
- if (#tls-offset+1)<9 then
+ if (#tls-off+1)<9 then
 if not partialOK then return end
 break
 end
diff --git a/nfq2/conntrack.c b/nfq2/conntrack.c
index 806d43a..8bdffdc 100644
--- a/nfq2/conntrack.c
+++ b/nfq2/conntrack.c
@@ -140,8 +140,17 @@ static void ConntrackApplyPos(t_ctrack *t, bool bReverse, const struct dissect *
 if (dis->ip6) direct->ip6flow = ntohl(dis->ip6->ip6_ctlun.ip6_un1.ip6_un1_flow);
- scale = tcp_find_scale_factor(dis->tcp);
- mss = tcp_find_mss(dis->tcp);
+ direct->winsize_calc = direct->winsize = ntohs(dis->tcp->th_win);
+ if (t->pos.state == SYN)
+ {
+ // scale and mss only valid in syn packets
+ scale = tcp_find_scale_factor(dis->tcp);
+ if (scale != SCALE_NONE) direct->scale = scale;
+ direct->mss = tcp_find_mss(dis->tcp);
+ }
+ else if (direct->scale != SCALE_NONE)
+ // apply scale only outside of the SYN stage
+ direct->winsize_calc <<= direct->scale;
 direct->seq_last = ntohl(dis->tcp->th_seq);
 direct->pos = direct->seq_last + dis->len_payload;
@@ -154,10 +163,6 @@ static void ConntrackApplyPos(t_ctrack *t, bool bReverse, const struct dissect *
 if (!((direct->pos - direct->uppos) & 0x80000000)) direct->uppos = direct->pos;
 }
- direct->winsize_calc = direct->winsize = ntohs(dis->tcp->th_win);
- if (scale != SCALE_NONE) direct->scale = scale;
- if (direct->scale != SCALE_NONE) direct->winsize_calc <<= direct->scale;
- if (mss && !direct->mss) direct->mss = mss;
 if (!direct->rseq_over_2G && ((direct->seq_last - direct->seq0) & 0x80000000)) direct->rseq_over_2G = true;
diff --git a/nfq2/desync.c b/nfq2/desync.c
index a28d2cc..ad99589 100644
--- a/nfq2/desync.c
+++ b/nfq2/desync.c
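Review bot: The SYN branch now assigns `direct->mss = tcp_find_mss(dis->tcp)` unconditionally, so a SYN that carries no MSS option (or a retransmitted SYN stripped of options) overwrites `direct->mss` with whatever the helper reports for "absent", whereas the removed `if (mss && !direct->mss) direct->mss = mss;` in the next hunk only stored a non-zero value into an unset field; if that reset is not intended, keep the guard through the existing local, `mss = tcp_find_mss(dis->tcp); if (mss) direct->mss = mss;`. If the reset is intended, the local `mss` has no remaining use in this function and its declaration, outside the hunk, should go too to avoid an unused-variable warning. The `else if (direct->scale != SCALE_NONE)` body is a single statement separated from its condition by a comment line; brace it so a later addition cannot silently land outside the branch. ConntrackApplyPos starts and ends outside both hunks.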
@@ -1574,8 +1574,9 @@ static uint8_t dpi_desync_tcp_packet_play(
 if (!bReqFull && ReasmIsEmpty(&ps.ctrack->reasm_client) && !is_retransmission(&ps.ctrack->pos.client))
 {
 // do not reconstruct unexpected large payload (they are feeding garbage ?)
+ // also do not reconstruct if server window size is low
 if (!reasm_client_start(ps.ctrack, IPPROTO_TCP, TLSRecordLen(dis->data_payload), TCP_MAX_REASM, dis->data_payload, dis->len_payload))
- goto pass_reasm_cancel;
+ goto rediscover;
 }
 if (!ReasmIsEmpty(&ps.ctrack->reasm_client))
@@ -1601,6 +1602,7 @@ static uint8_t dpi_desync_tcp_packet_play(
 }
 }
+rediscover:
 if (!dp_rediscovery(&ps))
 goto pass_reasm_cancel;
@@ -1661,7 +1663,8 @@ static const uint8_t *dns_extract_name(const uint8_t *a, const uint8_t *b, const
 if (p>=e) return NULL;
 for (nl=0; *p ;)
 {
- if ((p+*p+1)>=e || (*p+1)>=(name_size-nl)) return NULL;
+ // do not support mixed ptr+real
+ if ((*p & 0xC0) || (p+*p+1)>=e || (*p+1)>=(name_size-nl)) return NULL;
 if (nl) name[nl++] = '.';
 memcpy(name + nl, p + 1, *p);
 nl += *p;
diff --git a/nfq2/gzip.c b/nfq2/gzip.c
index 98401f6..92c0622 100644
--- a/nfq2/gzip.c
+++ b/nfq2/gzip.c
@@ -40,7 +40,8 @@ int z_readfile(FILE *F, char **buf, size_t *size, size_t extra_alloc)
 }
 zs.avail_in = rd;
 zs.next_in = in;
- do
+printf("\nCHUNK\n");
+ for(;;)
 {
 if ((bufsize - *size) < BUFMIN)
 {
@@ -55,10 +56,23 @@ int z_readfile(FILE *F, char **buf, size_t *size, size_t extra_alloc)
 }
 zs.avail_out = bufsize - *size;
 zs.next_out = (unsigned char*)(*buf + *size);
+
 r = inflate(&zs, Z_NO_FLUSH);
- if (r != Z_OK && r != Z_STREAM_END) goto zerr;
+
 *size = bufsize - zs.avail_out;
- } while (r == Z_OK && zs.avail_in);
+ if (r==Z_STREAM_END) break;
+ if (r==Z_BUF_ERROR)
+ {
+ if (zs.avail_in)
+ goto zerr;
+ else
+ {
+ r = Z_OK;
+ break;
+ }
+ }
+ if (r!=Z_OK) goto zerr;
+ }
 } while (r == Z_OK);
 if (*size < bufsize)
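Review bot: The new comment `// also do not reconstruct if server window size is low` sits on a call whose arguments carry no window size, so the check it describes has to live inside `reasm_client_start()` (presumably reading `ps.ctrack`); word it so the reader looks in the right place, `// reasm_client_start() declines unexpectedly large payloads and a low server window; either way skip ahead to rediscovery`. The `rediscover:` label added in the next hunk lands after two closing braces with nothing saying who jumps there; a one-liner such as `// reached from the reassembly-start failure above, bypassing the reasm block` makes the control flow readable without hunting for the goto. dpi_desync_tcp_packet_play starts and ends outside both hunks.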
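Review bot: The new `(*p & 0xC0)` test returns NULL for any label whose top two bits are set, which includes the ordinary tail-pointer form of DNS name compression (one or more literal labels followed by a pointer), not only exotic mixes; since the comment says this is deliberate, make it say that a merely compressed name also yields NULL, `// compression pointer after a literal label (mixed ptr+real) is not supported: return NULL`, so nobody later reads NULL here as proof of a malformed packet. The bounds test still forms `p+*p+1` before comparing it with `e`, which can point well past the end of the buffer; comparing lengths avoids forming that pointer, `if ((*p & 0xC0) || (size_t)(e - p) <= (size_t)*p + 1 || (*p+1)>=(name_size-nl)) return NULL;`. dns_extract_name starts and ends outside the hunk.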
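Review bot: `printf("\nCHUNK\n");` at the top of the new `for(;;)` loop is a leftover debug print: it is unconditional, runs once per input chunk of every compressed file z_readfile decodes, and writes to stdout from a library routine that otherwise produces no output. Remove it before merging; if chunk tracing is wanted, route it through the DLOG facility the rest of this patch uses, under its existing verbosity gate, rather than raw stdout. z_readfile starts before the hunk and ends after it.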
@@ -68,7 +82,7 @@ int z_readfile(FILE *F, char **buf, size_t *size, size_t extra_alloc)
 }
 inflateEnd(&zs);
- return Z_OK;
+ return r;
 zerr:
 inflateEnd(&zs);
diff --git a/nfq2/hostlist.c b/nfq2/hostlist.c
index ff0c0f1..9078155 100644
--- a/nfq2/hostlist.c
+++ b/nfq2/hostlist.c
@@ -60,7 +60,7 @@ bool AppendHostList(hostlist_pool **hostlist, const char *filename)
 {
 r = z_readfile(F,&zbuf,&zsize,0);
 fclose(F);
- if (r==Z_OK)
+ if (r==Z_STREAM_END)
 {
 DLOG_CONDUP("zlib compression detected. uncompressed size : %zu\n", zsize);
diff --git a/nfq2/ipset.c b/nfq2/ipset.c
index 6fe9485..7ec063f 100644
--- a/nfq2/ipset.c
+++ b/nfq2/ipset.c
@@ -77,7 +77,7 @@ static bool AppendIpset(ipset *ips, const char *filename)
 {
 r = z_readfile(F,&zbuf,&zsize,0);
 fclose(F);
- if (r==Z_OK)
+ if (r==Z_STREAM_END)
 {
 DLOG_CONDUP("zlib compression detected. uncompressed size : %zu\n", zsize);
diff --git a/nfq2/lua.c b/nfq2/lua.c
index d56eb33..fcb5559 100644
--- a/nfq2/lua.c
+++ b/nfq2/lua.c
@@ -1901,7 +1901,7 @@ static bool lua_reconstruct_ip6exthdr(lua_State *L, int idx, struct ip6_hdr *ip6
 lua_getfield(L,-1, "data");
 if (lua_type(L,-1)!=LUA_TSTRING) goto err;
 if (!(p=(uint8_t*)lua_tolstring(L,-1,&l))) l=0;
- if (!l || (l+2)>left || ((type==IPPROTO_AH) ? (l<6 || ((l+2) & 3)) : ((l+2) & 7))) goto err;
+ if (l<6 || (l+2)>left || (type==IPPROTO_AH ? (l>=1024 || ((l+2) & 3)) : (l>=2048 || ((l+2) & 7)))) goto err;
 memcpy(data+2,p,l);
 l+=2;
 data[0] = next; // may be overwritten later
@@ -3470,7 +3470,7 @@ static int luacall_gunzip_inflate(lua_State *L)
 size_t increment = bufchunk / 2;
 if (increment < Z_INFL_BUF_INCREMENT) increment = Z_INFL_BUF_INCREMENT;
- do
+ for(;;)
 {
 if ((bufsize - size) < BUFMIN)
 {
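Review bot: `return r;` changes the contract of z_readfile without documenting it: the loop above now finishes with `r == Z_STREAM_END` for a complete stream and with `r == Z_OK` when the input ran out before the stream ended (the Z_BUF_ERROR branch rewrites it to Z_OK), so Z_OK no longer means success and every caller in this patch switched to testing `Z_STREAM_END`. State that on the function, above its definition outside this hunk: `// returns Z_STREAM_END for a complete stream, Z_OK if the input ended before the stream did (*buf holds the partial output), other zlib codes on error`. Whether `*buf` is released on the zerr path is not visible here; once confirmed, the comment should say that too, since callers have to know whether to free it after a failure.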
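Review bot: With z_readfile now returning Z_OK for a stream that ended early (and Z_STREAM_END for a complete one), the `else` side of `if (r==Z_STREAM_END)` also receives a case where `zbuf` was allocated and partially filled; that branch is outside the hunk, so check that it frees `zbuf` (or reuses it) rather than assuming z_readfile released it, and the same applies to AppendIpset in nfq2/ipset.c. A truncated or corrupt compressed list silently taking the non-compressed path is also hard to diagnose from the logs; if that fallback is the intent, a line such as `else if (r==Z_OK) DLOG_CONDUP("zlib stream truncated, treating file as plain text\n");` would tell the operator what happened.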
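Review bot: The new length bounds `l>=1024` for AH and `l>=2048` for the other extension headers are not self-explanatory: they presumably come from the 8-bit length fields (AH payload length counted in 32-bit words, the generic extension length in 8-byte units) that are filled in below the hunk, and `l<6` now applies to every header type rather than only AH because a generic extension header is at least 8 bytes long. A comment on the line would save the next reader the derivation, `// l>=6: minimum 8-byte header; upper bounds keep the 8-bit length field in range (AH counts 32-bit words, others 8-byte units)`. If the AH length field is encoded the RFC way, the 1024 cut-off is a little tighter than the field maximum allows, which is fine but worth saying if deliberate. lua_reconstruct_ip6exthdr starts and ends outside the hunk.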
@@ -3493,11 +3493,20 @@ static int luacall_gunzip_inflate(lua_State *L)
 }
 uzs->zs.avail_out = bufsize - size;
 uzs->zs.next_out = buf + size;
- r = inflate(&uzs->zs, Z_NO_FLUSH);
- if (r != Z_OK && r != Z_STREAM_END) goto zerr;
- size = bufsize - uzs->zs.avail_out;
- } while (r == Z_OK && uzs->zs.avail_in);
+ r = inflate(&uzs->zs, Z_NO_FLUSH);
+
+ size = bufsize - uzs->zs.avail_out;
+ if (r==Z_STREAM_END) break;
+ if (r==Z_BUF_ERROR)
+ {
+ if (uzs->zs.avail_in)
+ goto zerr;
+ else
+ break; // OK
+ }
+ if (r!=Z_OK) goto zerr;
+ }
 lua_pushlstring(L, (const char*)buf, size);
 lua_pushboolean(L, r==Z_STREAM_END);
 end:
@@ -3571,7 +3580,7 @@ static int luacall_gzip_deflate(lua_State *L)
 int argc=lua_gettop(L);
 size_t l=0;
- int r;
+ int r, flush;
 size_t bufsize=0, size=0;
 uint8_t *buf=NULL, *newbuf;
 struct userdata_zs *uzs = lua_uzs(L, 1, false);
@@ -3584,7 +3593,8 @@ static int luacall_gzip_deflate(lua_State *L)
 size_t increment = bufchunk / 2;
 if (increment < Z_DEFL_BUF_INCREMENT) increment = Z_DEFL_BUF_INCREMENT;
- do
+ flush = l ? Z_NO_FLUSH : Z_FINISH;
+ for(;;)
 {
 if ((bufsize - size) < BUFMIN)
 {
@@ -3607,10 +3617,19 @@ static int luacall_gzip_deflate(lua_State *L)
 }
 uzs->zs.avail_out = bufsize - size;
 uzs->zs.next_out = buf + size;
- r = deflate(&uzs->zs, l ? Z_NO_FLUSH : Z_FINISH);
- if (r != Z_OK && r != Z_STREAM_END) goto zerr;
+
+ r = deflate(&uzs->zs, flush);
+
 size = bufsize - uzs->zs.avail_out;
- } while (r == Z_OK && (uzs->zs.avail_in || !uzs->zs.avail_out));
+ if (r==Z_STREAM_END) break;
+ if (r==Z_OK)
+ {
+ if (uzs->zs.avail_out && !uzs->zs.avail_in && flush != Z_FINISH)
+ break;
+ }
+ else
+ goto zerr;
+ }
 lua_pushlstring(L, (const char*)buf, size);
 lua_pushboolean(L, r==Z_STREAM_END);
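Review bot: The `break; // OK` on Z_BUF_ERROR with no input left deserves a real explanation, because at first sight it turns a zlib error code into a normal exit: `// Z_BUF_ERROR with avail_in == 0 only means the stream is not finished yet: return the output so far, second result false`. Note also that the loop never leaves on Z_OK once the input is exhausted, so every call pays one extra inflate() that yields Z_BUF_ERROR just to terminate; an `if (!uzs->zs.avail_in && uzs->zs.avail_out) break;` after the `r!=Z_OK` check would exit with the same result and the same pushed values, since free output space after inflate() means nothing is pending. luacall_gunzip_inflate starts and ends outside the hunk.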
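Review bot: The early-exit condition `uzs->zs.avail_out && !uzs->zs.avail_in && flush != Z_FINISH` packs two zlib rules into one line with no comment: `flush != Z_FINISH` is what keeps the loop calling deflate() until Z_STREAM_END on the finishing call (computed once in the previous hunk), and non-zero `avail_out` is what guarantees no output is still pending. Suggest `// Z_OK with free output space and no input left: nothing pending, done; with Z_FINISH keep going until Z_STREAM_END`. The `else goto zerr;` folds Z_BUF_ERROR into a hard error, which is sound here because the `(bufsize - size) < BUFMIN` growth check above reserves output space before every deflate() call, but a word saying so would stop someone "fixing" it later. luacall_gzip_deflate starts and ends outside the hunk.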
@@ -3938,7 +3957,7 @@ static int luaL_doZfile(lua_State *L, const char *filename)
 luaL_error(L, "could not open lua file '%s'", fname);
 r = z_readfile(F, &buf, &size, 0);
 fclose(F);
- if (r != Z_OK)
+ if (r != Z_STREAM_END)
 luaL_error(L, "could not unzip lua file '%s'", fname);
 r = luaL_loadbuffer(L, buf, size, fname);
 free(buf);
diff --git a/nfq2/protocol.c b/nfq2/protocol.c
index 9646bb8..b280fae 100644
--- a/nfq2/protocol.c
+++ b/nfq2/protocol.c
@@ -145,7 +145,6 @@ bool posmarker_parse(const char *s, struct proto_pos *m)
 m->pos = 0;
 }
 return true;
-
 }
 bool posmarker_list_parse(const char *s, struct proto_pos *m, int *mct)
 {
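Review bot: As far as the visible z_readfile hunks show, a stream that ends before Z_STREAM_END now comes back as Z_OK with `buf` allocated and partially filled, so the `if (r != Z_STREAM_END)` path reaches `luaL_error()`, which does not return, with `buf` still live and leaks it on every truncated script; release it first for that case, `if (r == Z_OK) free(buf);` placed before the `luaL_error()` call. Keep the free limited to Z_OK unless z_readfile's zerr path (outside this patch) is confirmed to leave `*buf` NULL after cleanup, in which case an unconditional `free(buf)` there is fine too. luaL_doZfile starts and ends outside the hunk.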