diff --git a/nfq2/darkmagic.c b/nfq2/darkmagic.c index 81bc70a..8e13001 100644 --- a/nfq2/darkmagic.c +++ b/nfq2/darkmagic.c @@ -622,7 +622,7 @@ BOOL LowMandatoryLevel(void) label_low.Label.Sid = (PSID)buf1; InitializeSid(label_low.Label.Sid, &label_authority, 1); - label_low.Label.Attributes = 0; + label_low.Label.Attributes = SE_GROUP_INTEGRITY; *GetSidSubAuthority(label_low.Label.Sid, 0) = SECURITY_MANDATORY_LOW_RID; // S-1-16-12288 : Mandatory Label\High Mandatory Level @@ -892,7 +892,7 @@ bool win_dark_init(const struct str_list_head *ssid_filter, const struct str_lis wlan_filter_ssid = ssid_filter; return true; } -bool win_dark_deinit(void) +void win_dark_deinit(void) { if (pNetworkListManager) { @@ -997,11 +997,12 @@ bool nlm_list(bool bAll) } else bRet = false; + + CoUninitialize(); } else bRet = false; - CoUninitialize(); return bRet; } @@ -1171,8 +1172,11 @@ static HANDLE windivert_init_filter(const char *filter, UINT64 flags) FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, w_win32_error, MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT), (LPSTR)&errormessage, 0, NULL); - DLOG_ERR("windivert: error opening filter: %s", errormessage); - LocalFree(errormessage); + if (errormessage) + { + DLOG_ERR("windivert: error opening filter: %s", errormessage); + LocalFree(errormessage); + } if (w_win32_error == ERROR_INVALID_IMAGE_HASH) DLOG_ERR("windivert: try to disable secure boot and install OS patches\n"); diff --git a/nfq2/darkmagic.h b/nfq2/darkmagic.h index 3dcab06..3f1bdb8 100644 --- a/nfq2/darkmagic.h +++ b/nfq2/darkmagic.h @@ -94,7 +94,7 @@ bool ensure_dir_access(const char *filename); bool prepare_low_appdata(); bool win_sandbox(void); bool win_dark_init(const struct str_list_head *ssid_filter, const struct str_list_head *nlm_filter); -bool win_dark_deinit(void); +void win_dark_deinit(void); bool logical_net_filter_present(void); bool logical_net_filter_match(void); bool nlm_list(bool bAll); 
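Review bot: The `InitializeSid(label_low.Label.Sid, &label_authority, 1);` call just above the changed assignment in LowMandatoryLevel ignores its BOOL result, so on failure `GetSidSubAuthority` would write into an uninitialised SID while the function keeps building the low-integrity label. Because this path decides whether the sandbox label is valid, check the result and take the function's existing failure path, for example `if (!InitializeSid(label_low.Label.Sid, &label_authority, 1)) return FALSE;` if nothing needs releasing at that point. A short comment on the new line, such as `// SE_GROUP_INTEGRITY: the SID is a mandatory integrity label`, would record why 0 was wrong. The function starts and ends outside this hunk, so any cleanup required before returning is not visible here.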
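Review bot: The new `if (errormessage)` guard in windivert_init_filter is only sound if `errormessage` was set to NULL before the FormatMessageA call, and that declaration is outside this hunk. FormatMessageA's return value (0 on failure) is the more reliable signal to test. When the lookup fails, the open error is now not logged at all, so add a fallback such as `else DLOG_ERR("windivert: error opening filter: code %lu\n", (unsigned long)w_win32_error);`. The function body continues beyond the hunk on both sides.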
diff --git a/nfq2/desync.c b/nfq2/desync.c index 0f17dd2..e8a86d7 100644 --- a/nfq2/desync.c +++ b/nfq2/desync.c @@ -1117,7 +1117,7 @@ static uint8_t dpi_desync_tcp_packet_play( } } // in absence of conntrack guess direction by presence of interface names. won't work on BSD - bReverseFixed = ctrack ? (bReverse ^ params.server) : (bReverse = ifin && ifin && (!ifout || !*ifout)); + bReverseFixed = ctrack ? (bReverse ^ params.server) : (bReverse = ifin && *ifin && (!ifout || !*ifout)); setup_direction(dis, bReverseFixed, &src, &dst, &sdip4, &sdip6, &sdport); ifname = bReverse ? ifin : ifout; #ifdef HAS_FILTER_SSID @@ -1663,7 +1663,7 @@ static uint8_t dpi_desync_udp_packet_play( } } // in absence of conntrack guess direction by presence of interface names. won't work on BSD - bReverseFixed = ctrack ? (bReverse ^ params.server) : (bReverse = ifin && ifin && (!ifout || !*ifout)); + bReverseFixed = ctrack ? (bReverse ^ params.server) : (bReverse = ifin && *ifin && (!ifout || !*ifout)); setup_direction(dis, bReverseFixed, &src, &dst, &sdip4, &sdip6, &sdport); ifname = bReverse ? ifin : ifout; diff --git a/nfq2/gzip.c b/nfq2/gzip.c index 6e4805d..0cbf868 100644 --- a/nfq2/gzip.c +++ b/nfq2/gzip.c @@ -31,7 +31,12 @@ int z_readfile(FILE *F, char **buf, size_t *size, size_t extra_alloc) r = Z_ERRNO; goto zerr; } - if (!zs.avail_in) break; + if (!zs.avail_in) + { + // file is not full + r = Z_DATA_ERROR; + goto zerr; + } zs.next_in = in; do { diff --git a/nfq2/hostlist.c b/nfq2/hostlist.c index d91a30b..81067f7 100644 --- a/nfq2/hostlist.c +++ b/nfq2/hostlist.c @@ -79,7 +79,7 @@ bool AppendHostList(hostlist_pool **hostlist, const char *filename) } else { - DLOG_ERR("zlib decompression failed : result %d\n",r); + DLOG_ERR("zlib decompression failed : result %d\n", r); return false; } } diff --git a/nfq2/ipset.c b/nfq2/ipset.c index 3473c6f..79a516a 100644 --- a/nfq2/ipset.c +++ b/nfq2/ipset.c 
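Review bot: The direction guess `(bReverse = ifin && *ifin && (!ifout || !*ifout))` is duplicated verbatim in dpi_desync_tcp_packet_play and in dpi_desync_udp_packet_play (the second hunk of this file), which is how the `ifin && ifin` typo came to exist in both places. Move it into one small helper, for example `static bool guess_reverse(const char *ifin, const char *ifout) { return ifin && *ifin && (!ifout || !*ifout); }`, and assign `bReverse` on its own line instead of inside the ternary, where the side effect is easy to miss. The parameter types are inferred from how `ifin`/`ifout` are dereferenced here; both function bodies extend beyond their hunks.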
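Review bot: The comment `// file is not full` in z_readfile does not say which condition is being rejected. Something like `// EOF before the deflate stream ended: truncated or empty input` states it. It also appears that a zero-length file now returns Z_DATA_ERROR where the old `break` left the loop quietly, which deserves a line in the function's header comment so callers such as AppendHostList know to expect it. This assumes the loop's normal exit is on Z_STREAM_END, which lies outside the hunk.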
@@ -4,7 +4,6 @@ #include "helpers.h" -// inplace tolower() and add to pool static bool addpool(ipset *ips, char **s, const char *end, int *ct) { char *p, cidr[128]; diff --git a/nfq2/lua.c b/nfq2/lua.c index 1372ec5..a237e37 100644 --- a/nfq2/lua.c +++ b/nfq2/lua.c @@ -2159,8 +2159,9 @@ static int luacall_reconstruct_dissect(lua_State *L) LUA_STACK_GUARD_ENTER(L) + size_t l; uint8_t buf[RECONSTRUCT_MAX_SIZE]; - size_t l = sizeof(buf); + l = sizeof(buf); bool ip6_preserve_next, badsum; lua_reconstruct_extract_options(L, 2, &badsum, &ip6_preserve_next, NULL); @@ -2412,13 +2413,14 @@ static int luacall_rawsend_dissect(lua_State *L) LUA_STACK_GUARD_ENTER(L) - uint8_t buf[RECONSTRUCT_MAX_SIZE]; - size_t len=sizeof(buf); + size_t len; const char *ifout; int repeats; uint32_t fwmark; sockaddr_in46 sa; bool b, badsum, ip6_preserve_next; + uint8_t buf[RECONSTRUCT_MAX_SIZE]; + len = sizeof(buf); luaL_checktype(L,1,LUA_TTABLE); lua_rawsend_extract_options(L,2, &repeats, &fwmark, &ifout); @@ -3031,7 +3033,7 @@ static int luaL_doZfile(lua_State *L, const char *filename) return r; } else - return luaL_dofile(L, filename); + return luaL_dofile(L, fname); } static bool lua_init_scripts(void) diff --git a/nfq2/nfqws.c b/nfq2/nfqws.c index edb52e2..2dee899 100644 --- a/nfq2/nfqws.c +++ b/nfq2/nfqws.c @@ -156,13 +156,14 @@ static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_da uint8_t *data; uint32_t ifidx_out, ifidx_in; char ifout[IFNAMSIZ], ifin[IFNAMSIZ]; - uint8_t mod[RECONSTRUCT_MAX_SIZE]; size_t modlen; + uint32_t mark; + uint8_t mod[RECONSTRUCT_MAX_SIZE]; ph = nfq_get_msg_packet_hdr(nfa); id = ph ? ntohl(ph->packet_id) : 0; - uint32_t mark = nfq_get_nfmark(nfa); + mark = nfq_get_nfmark(nfa); ilen = nfq_get_payload(nfa, &data); ifidx_out = nfq_get_outdev(nfa); 
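Review bot: Moving `uint8_t buf[RECONSTRUCT_MAX_SIZE]` below the other locals in luacall_reconstruct_dissect comes with no stated reason, and the same reshuffle recurs in luacall_rawsend_dissect, nfq_cb, nfq_main, dvt_main and win_main. If the aim is to keep an overrun of the packet buffer away from neighbouring locals, C does not guarantee that declaration order determines stack layout. The compiler places locals as it sees fit, and it is build options such as `-fstack-protector-strong` that actually position arrays next to the canary. Record the intent in a comment, for example `// packet buffer declared last on purpose; actual layout is compiler-dependent`, so the split `size_t l; ... l = sizeof(buf);` is not later folded back into an initialised declaration. The function bodies continue outside these hunks.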
@@ -282,12 +283,12 @@ static void notify_ready(void) static int nfq_main(void) { - uint8_t buf[RECONSTRUCT_MAX_SIZE] __attribute__((aligned)); struct nfq_handle *h = NULL; struct nfq_q_handle *qh = NULL; int res, fd, e; ssize_t rd; FILE *Fpid = NULL; + uint8_t buf[RECONSTRUCT_MAX_SIZE] __attribute__((aligned)); if (*params.pidfile && !(Fpid = fopen(params.pidfile, "w"))) { @@ -389,7 +390,6 @@ err: static int dvt_main(void) { - uint8_t buf[RECONSTRUCT_MAX_SIZE] __attribute__((aligned)); struct sockaddr_storage sa_from; int fd[2] = { -1,-1 }; // 4,6 int i, r, res = 1, fdct = 1, fdmax; @@ -398,6 +398,9 @@ static int dvt_main(void) ssize_t rd, wr; fd_set fdset; FILE *Fpid = NULL; + struct sockaddr_in bp4; + struct sockaddr_in6 bp6; + uint8_t buf[RECONSTRUCT_MAX_SIZE] __attribute__((aligned)); if (*params.pidfile && !(Fpid = fopen(params.pidfile, "w"))) { 
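Review bot: `struct sockaddr_in6 bp6;` is now declared unconditionally at the top of dvt_main, but the following hunk uses it only inside `#ifdef __OpenBSD__`. Other BSD builds will therefore get an unused-variable warning, which becomes a build failure under `-Werror`. Guard the declaration the same way: `#ifdef __OpenBSD__`, `struct sockaddr_in6 bp6;`, `#endif`. The rest of dvt_main lies outside this hunk.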
@@ -405,49 +408,42 @@ static int dvt_main(void) return 1; } + bp4.sin_family = AF_INET; + bp4.sin_port = htons(params.port); + bp4.sin_addr.s_addr = INADDR_ANY; + DLOG_CONDUP("creating divert4 socket\n"); + fd[0] = socket_divert(AF_INET); + if (fd[0] == -1) { + DLOG_PERROR("socket (DIVERT4)"); + goto exiterr; + } + DLOG_CONDUP("binding divert4 socket\n"); + if (bind(fd[0], (struct sockaddr*)&bp4, sizeof(bp4)) < 0) { - struct sockaddr_in bp4; - bp4.sin_family = AF_INET; - bp4.sin_port = htons(params.port); - bp4.sin_addr.s_addr = INADDR_ANY; - - DLOG_CONDUP("creating divert4 socket\n"); - fd[0] = socket_divert(AF_INET); - if (fd[0] == -1) { - DLOG_PERROR("socket (DIVERT4)"); - goto exiterr; - } - DLOG_CONDUP("binding divert4 socket\n"); - if (bind(fd[0], (struct sockaddr*)&bp4, sizeof(bp4)) < 0) - { - DLOG_PERROR("bind (DIVERT4)"); - goto exiterr; - } + DLOG_PERROR("bind (DIVERT4)"); + goto exiterr; } #ifdef __OpenBSD__ - { - // in OpenBSD must use separate divert sockets for ipv4 and ipv6 - struct sockaddr_in6 bp6; - memset(&bp6, 0, sizeof(bp6)); - bp6.sin6_family = AF_INET6; - bp6.sin6_port = htons(params.port); + // in OpenBSD must use separate divert sockets for ipv4 and ipv6 + memset(&bp6, 0, sizeof(bp6)); + bp6.sin6_family = AF_INET6; + bp6.sin6_port = htons(params.port); - DLOG_CONDUP("creating divert6 socket\n"); - fd[1] = socket_divert(AF_INET6); - if (fd[1] == -1) { - DLOG_PERROR("socket (DIVERT6)"); - goto exiterr; - } - DLOG_CONDUP("binding divert6 socket\n"); - if (bind(fd[1], (struct sockaddr*)&bp6, sizeof(bp6)) < 0) - { - DLOG_PERROR("bind (DIVERT6)"); - goto exiterr; - } - fdct++; + DLOG_CONDUP("creating divert6 socket\n"); + fd[1] = socket_divert(AF_INET6); + if (fd[1] == -1) { + DLOG_PERROR("socket (DIVERT6)"); + goto exiterr; } + DLOG_CONDUP("binding divert6 socket\n"); + if (bind(fd[1], (struct sockaddr*)&bp6, sizeof(bp6)) < 0) + { + DLOG_PERROR("bind (DIVERT6)"); + goto exiterr; + } + fdct++; #endif fdmax = (fd[0] > fd[1] ? fd[0] : fd[1]) + 1; 
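Review bot: `bp4` is filled field by field and never zeroed, unlike `bp6` a few lines further down, which gets `memset(&bp6, 0, sizeof(bp6));`. As a result `sin_zero` (and `sin_len` on BSD layouts that have it) reach `bind()` holding whatever was on the stack. Add `memset(&bp4, 0, sizeof(bp4));` before `bp4.sin_family = AF_INET;` so both address structures are initialised the same way. dvt_main starts before and continues after this hunk.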
@@ -590,11 +586,11 @@ static int win_main() unsigned int id; uint8_t verdict; bool bOutbound; - uint8_t packet[RECONSTRUCT_MAX_SIZE]; uint32_t mark; WINDIVERT_ADDRESS wa; char ifname[IFNAMSIZ]; int res=0; + uint8_t packet[RECONSTRUCT_MAX_SIZE]; if (params.daemon) daemonize(); @@ -1340,7 +1336,7 @@ static void exithelp(void) *all_payloads=0; for (t_l7payload pl=0 ; pl