From c591018afcea639b90b5db641f985d642b6d593b Mon Sep 17 00:00:00 2001 From: lns Date: Tue, 16 May 2023 15:07:43 +0200 Subject: [PATCH] Improved missing usage of nDPIs malloc wrapper. Fixes #1978. * added CI check Signed-off-by: lns --- .github/workflows/build.yml | 8 +++++- src/lib/ndpi_content_match.c.inc | 1 + src/lib/ndpi_main.c | 4 ++- src/lib/ndpi_serializer.c | 4 +-- src/lib/ndpi_utils.c | 6 ++--- src/lib/third_party/src/gcrypt/aesni.c | 2 +- src/lib/third_party/src/gcrypt_light.c | 2 +- utils/check_symbols.sh | 36 ++++++++++++++++++++++++++ 8 files changed, 54 insertions(+), 9 deletions(-) create mode 100755 utils/check_symbols.sh diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 20ddbeacd34..ec607ef5b3c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -300,12 +300,18 @@ jobs: - name: Print nDPI long help if: startsWith(matrix.arch, 'x86_64') && !startsWith(matrix.os, 'windows') run: | - ./example/ndpiReader -H + ./example/ndpiReader -H - name: Install nDPI if: startsWith(matrix.arch, 'x86_64') && !startsWith(matrix.os, 'windows') run: | make install DESTDIR=$(realpath _install) ls -alhHR _install + - name: Test nDPI [LIBRARY] + if: startsWith(matrix.os, 'ubuntu') || startsWith(matrix.os, 'mac') + run: | + ./utils/check_symbols.sh || echo "::error file=${NDPI_LIB}::Unwanted libc symbols found" + env: + NDPI_LIB: src/lib/libndpi.a - name: Test nDPI [DIFF] if: startsWith(matrix.arch, 'x86_64') && !startsWith(matrix.os, 'windows') run: | diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 01ef9199821..315f19e23ea 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc 
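Review bot: The new "Test nDPI [LIBRARY]" step can never fail, because `|| echo "::error ..."` replaces the non-zero exit status of `./utils/check_symbols.sh` with the successful status of `echo`. The job therefore stays green, with only an annotation, when raw libc allocator symbols are found. To make the check gate the build, keep the annotation but propagate the failure: `./utils/check_symbols.sh "${NDPI_LIB}" || { echo "::error file=${NDPI_LIB}::Unwanted libc symbols found"; exit 1; }`. That form also passes `NDPI_LIB` to the script as its first argument, whereas the step as written uses the variable only in the message and lets the script fall back to its built-in default path.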
@@ -1164,6 +1164,7 @@ static ndpi_protocol_match host_match[] = { "zattosecurehd2-f.akamaihd.net", "Zattoo", NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL }, { "classroom.google.com", "GoogleClassroom", NDPI_PROTOCOL_GOOGLE_CLASSROOM, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL }, + { "backup.googleapis.com", "GoogleCloud", NDPI_PROTOCOL_GOOGLE_CLOUD, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL }, { "fortinet.com", "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL }, { "sophos.com", "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL }, diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 0c9e2eca95b..3932925cd37 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -623,6 +623,8 @@ static int addDefaultPort(struct ndpi_detection_module_struct *ndpi_str, int _line) { u_int32_t port; +void *p=malloc(100); +(void)p; for(port = range->port_low; port <= range->port_high; port++) { ndpi_default_ports_tree_node_t *node = (ndpi_default_ports_tree_node_t *) ndpi_malloc(sizeof(ndpi_default_ports_tree_node_t)); @@ -3345,7 +3347,7 @@ static void free_ptree_data(void *data) { while(item != NULL) { struct patricia_uv16_list *next = item->next; - free(item); + ndpi_free(item); item = next; } } diff --git a/src/lib/ndpi_serializer.c b/src/lib/ndpi_serializer.c index 9d3fe98924d..08b7734f7d0 100644 --- a/src/lib/ndpi_serializer.c +++ b/src/lib/ndpi_serializer.c 
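Review bot: The two lines added at the top of addDefaultPort, `void *p=malloc(100);` and `(void)p;`, allocate 100 bytes from libc on every call and never release them. That is a leak on each invocation, and it bypasses the ndpi_malloc wrapper this commit is meant to enforce. It looks like a probe left in to exercise the new symbol check, and both lines should be dropped before merging. The function body continues outside the hunk.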
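Review bot: Switching `free(item)` to `ndpi_free(item)` in free_ptree_data is only safe if every `patricia_uv16_list` node was obtained from ndpi_malloc/ndpi_calloc, and the allocation site is not visible in this hunk. Once an application installs its own allocator behind the wrapper, releasing a libc-allocated block through it corrupts that allocator's heap. The same pairing needs confirming for the converted calls in ndpi_term_serializer (`buffer.data`, `header.data`), ndpi_hash_free (`current`) and ndpi_handle_risk_exceptions (`risk_infos[i].info`). A short comment at each site naming the matching allocation, for example `/* allocated with ndpi_malloc() in <allocating function> */`, would make the pairing auditable.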
@@ -432,13 +432,13 @@ void ndpi_term_serializer(ndpi_serializer *_serializer) { ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; if(serializer->buffer.data) { - free(serializer->buffer.data); + ndpi_free(serializer->buffer.data); serializer->buffer.size = 0; serializer->buffer.data = NULL; } if(serializer->header.data) { - free(serializer->header.data); + ndpi_free(serializer->header.data); serializer->header.size = 0; serializer->header.data = NULL; } diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 8020ea54014..c527cefb14b 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -1738,7 +1738,7 @@ static void ndpi_compile_rce_regex() { #endif } - free((void *)pcreErrorStr); + ndpi_free((void *)pcreErrorStr); } static int ndpi_is_rce_injection(char* query) { @@ -2253,7 +2253,7 @@ void ndpi_hash_free(ndpi_str_hash **h, void (*cleanup_func)(ndpi_str_hash *h)) { cleanup_func((ndpi_str_hash *)current); } - free(current); + ndpi_free(current); } *h = NULL; @@ -2415,7 +2415,7 @@ static void ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct *ndp */ for(i=0; inum_risk_infos; i++) { if(flow->risk_infos[i].info != NULL) { - free(flow->risk_infos[i].info); + ndpi_free(flow->risk_infos[i].info); flow->risk_infos[i].info = NULL; } } diff --git a/src/lib/third_party/src/gcrypt/aesni.c b/src/lib/third_party/src/gcrypt/aesni.c index d1379de6f95..3ddf8cabe53 100644 --- a/src/lib/third_party/src/gcrypt/aesni.c +++ b/src/lib/third_party/src/gcrypt/aesni.c @@ -97,7 +97,7 @@ int mbedtls_aesni_has_support( unsigned int what ) break; /* We giveup */ } - free(line); + ndpi_free(line); fclose(fd); has_aesni_checked = 1; diff --git a/src/lib/third_party/src/gcrypt_light.c b/src/lib/third_party/src/gcrypt_light.c index 512f67bb5a1..5a4321e751e 100644 --- a/src/lib/third_party/src/gcrypt_light.c +++ b/src/lib/third_party/src/gcrypt_light.c 
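Review bot: `ndpi_free((void *)pcreErrorStr)` at the end of ndpi_compile_rce_regex passes a const-cast error string to the allocator wrapper, which is a problem if the string comes from PCRE. Where the pointer is assigned lies outside the hunk, but if it is filled in by pcre_compile() or pcre_study(), PCRE documents that message as a static string owned by the library that must not be freed. In that case the line should be deleted rather than converted, since with a custom allocator installed the wrapper would be handed a pointer it never issued. If the string really is heap-allocated by nDPI, a comment such as `/* pcreErrorStr is ndpi_malloc()ed in <function> */` should say so.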
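Review bot: `ndpi_free(line)` just before `fclose(fd)` in mbedtls_aesni_has_support is correct only if `line` came from the nDPI allocator, and the allocation is outside this hunk. A line buffer released right after reading a file is typically the one filled by getline(), which allocates and grows it with libc malloc/realloc. If that is the case here, this conversion introduces an allocator mismatch whenever the wrapper is redirected. The call should then stay `free(line);` with a comment like `/* line is allocated by getline(): release with libc free() */`, and the object should be added to the skip list in utils/check_symbols.sh.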
@@ -22,7 +22,7 @@ /****************************/ #define mbedtls_calloc ndpi_calloc -#define mbedtls_free ndpi_free +#define mbedtls_free ndpi_free #include "gcrypt_light.h" diff --git a/utils/check_symbols.sh b/utils/check_symbols.sh new file mode 100755 index 00000000000..414f769efea --- /dev/null +++ b/utils/check_symbols.sh @@ -0,0 +1,36 @@ +#!/usr/bin/env sh + +SCRIPT_DIR="$(realpath $(dirname ${0}))" +NDPI_LIB="${1:-${SCRIPT_DIR}/../src/lib/libndpi.a}" + +if [ ! -r "${NDPI_LIB}" ]; then + printf '%s\n' "${0}: nDPI static library '$(realpath ${NDPI_LIB})' not found." + exit 1 +fi + +FAIL_COUNT=0 +CURRENT_OBJECT='' +for line in `nm -P -u "${NDPI_LIB}"`; do + OBJECT="$(printf '%s' "${line}" | grep -E "^${NDPI_LIB}\[.*\.o\]:" | grep -oE "\[.*\.o\]")" + if [ ! -z "${OBJECT}" ]; then + CURRENT_OBJECT="${OBJECT}" + fi + + #printf '%s\n' "${line}" + FOUND_SYMBOL="$(printf '%s' "${line}" | grep '^\(malloc\|calloc\|realloc\|free\)$')" + + if [ ! -z "${FOUND_SYMBOL}" ]; then + SKIP=0 + case "${CURRENT_OBJECT}" in + '[ndpi_utils.o]'|'[ndpi_memory.o]'|'[roaring.o]') SKIP=1 ;; + esac + + if [ ${SKIP} -eq 0 ]; then + FAIL_COUNT="$(expr ${FAIL_COUNT} + 1)" + printf '%s: %s\n' "${CURRENT_OBJECT}" "${FOUND_SYMBOL}" + fi + fi +done + +printf 'Unwanted symbols found: %s\n' "${FAIL_COUNT}" +exit ${FAIL_COUNT}
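Review bot: utils/check_symbols.sh can report success while unwanted symbols are present, in two ways. First, `exit ${FAIL_COUNT}` is truncated to eight bits, so a count that is a multiple of 256 exits 0; end the script with `[ "${FAIL_COUNT}" -eq 0 ] || exit 1` instead. Second, the workflow also runs the script on macOS, where nm normally prints C symbols with a leading underscore (`_malloc`), so the anchored pattern would match nothing; `grep -E '^_?(malloc|calloc|realloc|free)$'` covers both forms and avoids the non-POSIX `\|`. The exit status of `nm` is also never checked, so an unreadable or mistyped archive produces no lines and yields "Unwanted symbols found: 0".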