Improved missing usage of nDPIs malloc wrapper. Fixes ntop#1978.

* added CI check Signed-off-by: lns <[email protected]>
utoni · May 19, 2023 · 1afd278 · 1afd278
1 parent 8c224b4
commit 1afd278
Show file tree

Hide file tree

Showing 8 changed files with 52 additions and 9 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -300,12 +300,18 @@ jobs:
       - name: Print nDPI long help
         if: startsWith(matrix.arch, 'x86_64') && !startsWith(matrix.os, 'windows')
         run: |
-         ./example/ndpiReader -H
+          ./example/ndpiReader -H
       - name: Install nDPI
         if: startsWith(matrix.arch, 'x86_64') && !startsWith(matrix.os, 'windows')
         run: |
           make install DESTDIR=$(realpath _install)
           ls -alhHR _install
+      - name: Test nDPI [LIBRARY]
+        if: (startsWith(matrix.os, 'ubuntu') || startsWith(matrix.os, 'mac')) && startsWith(matrix.arch, 'x86_64')
+        run: |
+          ./utils/check_symbols.sh || { FAILED=$?; echo "::error file=${NDPI_LIB}::Unwanted libc symbols found: ${FAILED}"; false; }
+        env:
+          NDPI_LIB: src/lib/libndpi.a
       - name: Test nDPI [DIFF]
         if: startsWith(matrix.arch, 'x86_64') && !startsWith(matrix.os, 'windows')
         run: |

diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
@@ -1164,6 +1164,7 @@ static ndpi_protocol_match host_match[] =
    { "zattosecurehd2-f.akamaihd.net",    "Zattoo", NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
 
    { "classroom.google.com",             "GoogleClassroom", NDPI_PROTOCOL_GOOGLE_CLASSROOM, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+   { "backup.googleapis.com",            "GoogleCloud", NDPI_PROTOCOL_GOOGLE_CLOUD, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
 
    { "fortinet.com",                     "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
    { "sophos.com",                       "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -3345,7 +3345,7 @@ static void free_ptree_data(void *data) {
   while(item != NULL) {
     struct patricia_uv16_list *next = item->next;
 
-    free(item);
+    ndpi_free(item);
     item = next;
   }
 }

diff --git a/src/lib/ndpi_serializer.c b/src/lib/ndpi_serializer.c
@@ -432,13 +432,13 @@ void ndpi_term_serializer(ndpi_serializer *_serializer) {
   ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
 
   if(serializer->buffer.data) {
-    free(serializer->buffer.data);
+    ndpi_free(serializer->buffer.data);
     serializer->buffer.size = 0;
     serializer->buffer.data = NULL;
   }
 
   if(serializer->header.data) {
-    free(serializer->header.data);
+    ndpi_free(serializer->header.data);
     serializer->header.size = 0;
     serializer->header.data = NULL;
   }

diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
@@ -1738,7 +1738,7 @@ static void ndpi_compile_rce_regex() {
 #endif
   }
 
-  free((void *)pcreErrorStr);
+  ndpi_free((void *)pcreErrorStr);
 }
 
 static int ndpi_is_rce_injection(char* query) {
@@ -2253,7 +2253,7 @@ void ndpi_hash_free(ndpi_str_hash **h, void (*cleanup_func)(ndpi_str_hash *h))
     {
       cleanup_func((ndpi_str_hash *)current);
     }
-    free(current);
+    ndpi_free(current);
   }
 
   *h = NULL;
@@ -2415,7 +2415,7 @@ static void ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct *ndp
 	*/
 	for(i=0; i<flow->num_risk_infos; i++) {
 	  if(flow->risk_infos[i].info != NULL) {
-	    free(flow->risk_infos[i].info);
+	    ndpi_free(flow->risk_infos[i].info);
 	    flow->risk_infos[i].info = NULL;
 	  }
 	}

diff --git a/src/lib/third_party/src/gcrypt/aesni.c b/src/lib/third_party/src/gcrypt/aesni.c
@@ -97,7 +97,7 @@ int mbedtls_aesni_has_support( unsigned int what )
 	  break; /* We giveup */
       }
 
-      free(line);
+      ndpi_free(line);
       fclose(fd);
 
       has_aesni_checked = 1;

diff --git a/src/lib/third_party/src/gcrypt_light.c b/src/lib/third_party/src/gcrypt_light.c
@@ -22,7 +22,7 @@
 /****************************/
 
 #define mbedtls_calloc    ndpi_calloc
-#define mbedtls_free       ndpi_free
+#define mbedtls_free      ndpi_free
 
 #include "gcrypt_light.h"
 

diff --git a/utils/check_symbols.sh b/utils/check_symbols.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env sh
+
+SCRIPT_DIR="$(realpath $(dirname ${0}))"
+NDPI_LIB="${1:-${SCRIPT_DIR}/../src/lib/libndpi.a}"
+
+if [ ! -r "${NDPI_LIB}" ]; then
+    printf '%s\n' "${0}: nDPI static library '$(realpath ${NDPI_LIB})' not found."
+    exit 1
+fi
+
+FAIL_COUNT=0
+CURRENT_OBJECT=''
+for line in `nm -P -u "${NDPI_LIB}"`; do
+    OBJECT="$(printf '%s' "${line}" | grep -E "^${NDPI_LIB}\[.*\.o\]:" | grep -oE "\[.*\.o\]")"
+    if [ ! -z "${OBJECT}" ]; then
+        CURRENT_OBJECT="${OBJECT}"
+    fi
+
+    #printf '%s\n' "${line}"
+    FOUND_SYMBOL="$(printf '%s' "${line}" | grep '^\(malloc\|calloc\|realloc\|free\)$')"
+
+    if [ ! -z "${FOUND_SYMBOL}" ]; then
+        SKIP=0
+        case "${CURRENT_OBJECT}" in
+            '[ndpi_utils.o]'|'[ndpi_memory.o]'|'[roaring.o]') SKIP=1 ;;
+        esac
+
+        if [ ${SKIP} -eq 0 ]; then
+            FAIL_COUNT="$(expr ${FAIL_COUNT} + 1)"
+            printf '%s: %s\n' "${CURRENT_OBJECT}" "${FOUND_SYMBOL}"
+        fi
+    fi
+done
+
+printf 'Unwanted symbols found: %s\n' "${FAIL_COUNT}"
+exit ${FAIL_COUNT}