nfqws2: AI inspired fixes

nfq2/darkmagic.c

@@ -622,7 +622,7 @@ BOOL LowMandatoryLevel(void)
 
 	label_low.Label.Sid = (PSID)buf1;
 	InitializeSid(label_low.Label.Sid, &label_authority, 1);
-	label_low.Label.Attributes = 0;
+	label_low.Label.Attributes = SE_GROUP_INTEGRITY;
 	*GetSidSubAuthority(label_low.Label.Sid, 0) = SECURITY_MANDATORY_LOW_RID;
 
 	// S-1-16-12288 : Mandatory Label\High Mandatory Level
@@ -892,7 +892,7 @@ bool win_dark_init(const struct str_list_head *ssid_filter, const struct str_lis
 	wlan_filter_ssid = ssid_filter;
 	return true;
 }
-bool win_dark_deinit(void)
+void win_dark_deinit(void)
 {
 	if (pNetworkListManager)
 	{
@@ -997,11 +997,12 @@ bool nlm_list(bool bAll)
 		}
 		else
 			bRet = false;
+
+		CoUninitialize();
 	}
 	else
 		bRet = false;
 
-	CoUninitialize();
 	return bRet;
 }
 
@@ -1171,8 +1172,11 @@ static HANDLE windivert_init_filter(const char *filter, UINT64 flags)
 
 	FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
 		NULL, w_win32_error, MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT), (LPSTR)&errormessage, 0, NULL);
-	DLOG_ERR("windivert: error opening filter: %s", errormessage);
-	LocalFree(errormessage);
+	if (errormessage)
+	{
+		DLOG_ERR("windivert: error opening filter: %s", errormessage);
+		LocalFree(errormessage);
+	}
 	if (w_win32_error == ERROR_INVALID_IMAGE_HASH)
 		DLOG_ERR("windivert: try to disable secure boot and install OS patches\n");
 

nfq2/darkmagic.h

@@ -94,7 +94,7 @@ bool ensure_dir_access(const char *filename);
 bool prepare_low_appdata();
 bool win_sandbox(void);
 bool win_dark_init(const struct str_list_head *ssid_filter, const struct str_list_head *nlm_filter);
-bool win_dark_deinit(void);
+void win_dark_deinit(void);
 bool logical_net_filter_present(void);
 bool logical_net_filter_match(void);
 bool nlm_list(bool bAll);

nfq2/desync.c

@@ -1117,7 +1117,7 @@ static uint8_t dpi_desync_tcp_packet_play(
 			}
 		}
 		// in absence of conntrack guess direction by presence of interface names. won't work on BSD
-		bReverseFixed = ctrack ? (bReverse ^ params.server) : (bReverse = ifin && ifin && (!ifout || !*ifout));
+		bReverseFixed = ctrack ? (bReverse ^ params.server) : (bReverse = ifin && *ifin && (!ifout || !*ifout));
 		setup_direction(dis, bReverseFixed, &src, &dst, &sdip4, &sdip6, &sdport);
 		ifname = bReverse ? ifin : ifout;
 #ifdef HAS_FILTER_SSID
@@ -1663,7 +1663,7 @@ static uint8_t dpi_desync_udp_packet_play(
 			}
 		}
 		// in absence of conntrack guess direction by presence of interface names. won't work on BSD
-		bReverseFixed = ctrack ? (bReverse ^ params.server) : (bReverse = ifin && ifin && (!ifout || !*ifout));
+		bReverseFixed = ctrack ? (bReverse ^ params.server) : (bReverse = ifin && *ifin && (!ifout || !*ifout));
 		setup_direction(dis, bReverseFixed, &src, &dst, &sdip4, &sdip6, &sdport);
 
 		ifname = bReverse ? ifin : ifout;

nfq2/gzip.c

@@ -31,7 +31,12 @@ int z_readfile(FILE *F, char **buf, size_t *size, size_t extra_alloc)
 			r = Z_ERRNO;
 			goto zerr;
 		}
-		if (!zs.avail_in) break;
+		if (!zs.avail_in)
+		{
+			// file is not full
+			r = Z_DATA_ERROR;
+			goto zerr;
+		}
 		zs.next_in = in;
 		do
 		{

nfq2/hostlist.c

@@ -79,7 +79,7 @@ bool AppendHostList(hostlist_pool **hostlist, const char *filename)
 		}
 		else
 		{
-			DLOG_ERR("zlib decompression failed : result %d\n",r);
+			DLOG_ERR("zlib decompression failed : result %d\n", r);
 			return false;
 		}
 	}

nfq2/ipset.c

@@ -4,7 +4,6 @@
 #include "helpers.h"
 
 
-// inplace tolower() and add to pool
 static bool addpool(ipset *ips, char **s, const char *end, int *ct)
 {
 	char *p, cidr[128];

nfq2/lua.c

@@ -2159,8 +2159,9 @@ static int luacall_reconstruct_dissect(lua_State *L)
 
 	LUA_STACK_GUARD_ENTER(L)
 
+	size_t l;
 	uint8_t buf[RECONSTRUCT_MAX_SIZE];
-	size_t l = sizeof(buf);
+	l = sizeof(buf);
 
 	bool ip6_preserve_next, badsum;
 	lua_reconstruct_extract_options(L, 2, &badsum, &ip6_preserve_next, NULL);
@@ -2412,13 +2413,14 @@ static int luacall_rawsend_dissect(lua_State *L)
 
 	LUA_STACK_GUARD_ENTER(L)
 
-	uint8_t buf[RECONSTRUCT_MAX_SIZE];
-	size_t len=sizeof(buf);
+	size_t len;
 	const char *ifout;
 	int repeats;
 	uint32_t fwmark;
 	sockaddr_in46 sa;
 	bool b, badsum, ip6_preserve_next;
+	uint8_t buf[RECONSTRUCT_MAX_SIZE];
+	len = sizeof(buf);
 
 	luaL_checktype(L,1,LUA_TTABLE);
 	lua_rawsend_extract_options(L,2, &repeats, &fwmark, &ifout);
@@ -3031,7 +3033,7 @@ static int luaL_doZfile(lua_State *L, const char *filename)
 		return r;
 	}
 	else
-		return luaL_dofile(L, filename);
+		return luaL_dofile(L, fname);
 }
 
 static bool lua_init_scripts(void)

nfq2/nfqws.c

@@ -156,13 +156,14 @@ static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_da
 	uint8_t *data;
 	uint32_t ifidx_out, ifidx_in;
 	char ifout[IFNAMSIZ], ifin[IFNAMSIZ];
-	uint8_t mod[RECONSTRUCT_MAX_SIZE];
 	size_t modlen;
+	uint32_t mark;
+	uint8_t mod[RECONSTRUCT_MAX_SIZE];
 
 	ph = nfq_get_msg_packet_hdr(nfa);
 	id = ph ? ntohl(ph->packet_id) : 0;
 
-	uint32_t mark = nfq_get_nfmark(nfa);
+	mark = nfq_get_nfmark(nfa);
 	ilen = nfq_get_payload(nfa, &data);
 
 	ifidx_out = nfq_get_outdev(nfa);
@@ -282,12 +283,12 @@ static void notify_ready(void)
 
 static int nfq_main(void)
 {
-	uint8_t buf[RECONSTRUCT_MAX_SIZE] __attribute__((aligned));
 	struct nfq_handle *h = NULL;
 	struct nfq_q_handle *qh = NULL;
 	int res, fd, e;
 	ssize_t rd;
 	FILE *Fpid = NULL;
+	uint8_t buf[RECONSTRUCT_MAX_SIZE] __attribute__((aligned));
 
 	if (*params.pidfile && !(Fpid = fopen(params.pidfile, "w")))
 	{
@@ -389,7 +390,6 @@ err:
 
 static int dvt_main(void)
 {
-	uint8_t buf[RECONSTRUCT_MAX_SIZE] __attribute__((aligned));
 	struct sockaddr_storage sa_from;
 	int fd[2] = { -1,-1 }; // 4,6
 	int i, r, res = 1, fdct = 1, fdmax;
@@ -398,6 +398,9 @@ static int dvt_main(void)
 	ssize_t rd, wr;
 	fd_set fdset;
 	FILE *Fpid = NULL;
+	struct sockaddr_in bp4;
+	struct sockaddr_in6 bp6;
+	uint8_t buf[RECONSTRUCT_MAX_SIZE] __attribute__((aligned));
 
 	if (*params.pidfile && !(Fpid = fopen(params.pidfile, "w")))
 	{
@@ -405,49 +408,42 @@ static int dvt_main(void)
 		return 1;
 	}
 
+	bp4.sin_family = AF_INET;
+	bp4.sin_port = htons(params.port);
+	bp4.sin_addr.s_addr = INADDR_ANY;
+	DLOG_CONDUP("creating divert4 socket\n");
+	fd[0] = socket_divert(AF_INET);
+	if (fd[0] == -1) {
+		DLOG_PERROR("socket (DIVERT4)");
+		goto exiterr;
+	}
+	DLOG_CONDUP("binding divert4 socket\n");
+	if (bind(fd[0], (struct sockaddr*)&bp4, sizeof(bp4)) < 0)
 	{
-		struct sockaddr_in bp4;
-		bp4.sin_family = AF_INET;
-		bp4.sin_port = htons(params.port);
-		bp4.sin_addr.s_addr = INADDR_ANY;
-
-		DLOG_CONDUP("creating divert4 socket\n");
-		fd[0] = socket_divert(AF_INET);
-		if (fd[0] == -1) {
-			DLOG_PERROR("socket (DIVERT4)");
-			goto exiterr;
-		}
-		DLOG_CONDUP("binding divert4 socket\n");
-		if (bind(fd[0], (struct sockaddr*)&bp4, sizeof(bp4)) < 0)
-		{
-			DLOG_PERROR("bind (DIVERT4)");
-			goto exiterr;
-		}
+		DLOG_PERROR("bind (DIVERT4)");
+		goto exiterr;
 	}
 
 
 #ifdef __OpenBSD__
-	{
-		// in OpenBSD must use separate divert sockets for ipv4 and ipv6
-		struct sockaddr_in6 bp6;
-		memset(&bp6, 0, sizeof(bp6));
-		bp6.sin6_family = AF_INET6;
-		bp6.sin6_port = htons(params.port);
+	// in OpenBSD must use separate divert sockets for ipv4 and ipv6
+	memset(&bp6, 0, sizeof(bp6));
+	bp6.sin6_family = AF_INET6;
+	bp6.sin6_port = htons(params.port);
 
-		DLOG_CONDUP("creating divert6 socket\n");
-		fd[1] = socket_divert(AF_INET6);
-		if (fd[1] == -1) {
-			DLOG_PERROR("socket (DIVERT6)");
-			goto exiterr;
-		}
-		DLOG_CONDUP("binding divert6 socket\n");
-		if (bind(fd[1], (struct sockaddr*)&bp6, sizeof(bp6)) < 0)
-		{
-			DLOG_PERROR("bind (DIVERT6)");
-			goto exiterr;
-		}
-		fdct++;
+	DLOG_CONDUP("creating divert6 socket\n");
+	fd[1] = socket_divert(AF_INET6);
+	if (fd[1] == -1) {
+		DLOG_PERROR("socket (DIVERT6)");
+		goto exiterr;
 	}
+	DLOG_CONDUP("binding divert6 socket\n");
+	if (bind(fd[1], (struct sockaddr*)&bp6, sizeof(bp6)) < 0)
+	{
+		DLOG_PERROR("bind (DIVERT6)");
+		goto exiterr;
+	}
+	fdct++;
 #endif
 	fdmax = (fd[0] > fd[1] ? fd[0] : fd[1]) + 1;
 
@@ -590,11 +586,11 @@ static int win_main()
 	unsigned int id;
 	uint8_t verdict;
 	bool bOutbound;
-	uint8_t packet[RECONSTRUCT_MAX_SIZE];
 	uint32_t mark;
 	WINDIVERT_ADDRESS wa;
 	char ifname[IFNAMSIZ];
 	int res=0;
+	uint8_t packet[RECONSTRUCT_MAX_SIZE];
 
 	if (params.daemon) daemonize();
 
@@ -1340,7 +1336,7 @@ static void exithelp(void)
 	*all_payloads=0;
 	for (t_l7payload pl=0 ; pl<L7P_LAST; pl++)
 	{
-		if (pl) strncat(all_payloads, " ", sizeof(all_payloads)-1-1);
+		if (pl) strncat(all_payloads, " ", sizeof(all_payloads)-strlen(all_payloads)-1);
 		strncat(all_payloads, l7payload_str(pl), sizeof(all_payloads)-strlen(all_payloads)-1);
 	}
 	*all_protos=0;
@@ -2640,7 +2636,8 @@ int main(int argc, char **argv)
 	HANDLE hMutexArg;
 	{
 		char mutex_name[128];
-		snprintf(mutex_name, sizeof(mutex_name), "Global\\winws2_arg_%u_%u_%u_%u_%u_%u_%u_%u_%u_%u", hash_wf_tcp_in, hash_wf_udp_in, hash_wf_tcp_out, hash_wf_udp_out, hash_wf_raw, hash_wf_raw_part, hash_ssid_filter, hash_nlm_filter, IfIdx, SubIfIdx, wf_ipv4, wf_ipv6);
+		snprintf(mutex_name, sizeof(mutex_name), "Global\\winws2_arg_%u_%u_%u_%u_%u_%u_%u_%u_%u_%u_%u_%u",
+			hash_wf_tcp_in, hash_wf_udp_in, hash_wf_tcp_out, hash_wf_udp_out, hash_wf_raw, hash_wf_raw_part, hash_ssid_filter, hash_nlm_filter, IfIdx, SubIfIdx, wf_ipv4, wf_ipv6);
 
 		hMutexArg = CreateMutexA(NULL, TRUE, mutex_name);
 		if (hMutexArg && GetLastError() == ERROR_ALREADY_EXISTS)

nfq2/params.h

@@ -45,7 +45,7 @@
 // this MSS is used for ipv6 in windows and linux
 #define DEFAULT_MSS			1220
 
-#define RECONSTRUCT_MAX_SIZE		16384
+#define RECONSTRUCT_MAX_SIZE		65536
 
 #define LUA_GC_INTERVAL			60