smtp: handle following cmd if LF was found in long line

If a long line had LF post the limit, it should be considered complete
and not wait for the next line to complete it. However, currently, any
following lines were skipped which could sometimes also be important
commands for the entire transaction.

Fix this by setting a flag in case we're truncating a long line but
after having found the LF character.

Bug 5989

diff --git a/src/app-layer-smtp.c b/src/app-layer-smtp.c
index 14d0f38eeb01149ef0cef9228dce2f2b4e03e2ac..5d702a17fa4f6ec30b433955e212d50089b1427e 100644 (file)
--- a/src/app-layer-smtp.c
+++ b/src/app-layer-smtp.c
@@ -574,6 +574,7 @@ static AppLayerResult SMTPGetLine(SMTPState *state)
         uint32_t o_consumed = state->consumed;
         state->consumed = lf_idx - state->input + 1;
         state->current_line_len = state->consumed - o_consumed;
+        state->current_line_lf_found = true;
         DEBUG_VALIDATE_BUG_ON(state->current_line_len < 0);
         if (state->current_line_len < 0)
             SCReturnStruct(APP_LAYER_ERROR);
@@ -1338,7 +1339,10 @@ static AppLayerResult SMTPParse(int direction, Flow *f, SMTPState *state,
     state->consumed = 0;
     state->current_line_len = 0;
     state->current_line_delimiter_len = 0;
+    state->current_line_lf_found = false;
     state->direction = direction;
+
+    /* toserver */
     if (direction == 0) {
         if (((state->current_command == SMTP_COMMAND_DATA) ||
                     (state->current_command == SMTP_COMMAND_BDAT)) &&
@@ -1362,7 +1366,9 @@ static AppLayerResult SMTPParse(int direction, Flow *f, SMTPState *state,
                 SCReturnStruct(APP_LAYER_ERROR);
             if (state->current_line_delimiter_len == 0 &&
                     state->current_line_len == SMTP_LINE_BUFFER_LIMIT) {
-                state->discard_till_lf = true;
+                if (!state->current_line_lf_found) {
+                    state->discard_till_lf = true;
+                }
                 state->consumed = state->input_len + 1; // For the newly found LF
                 SMTPSetEvent(state, SMTP_DECODER_EVENT_TRUNCATED_LINE);
                 break;
@@ -1396,7 +1402,9 @@ static AppLayerResult SMTPParse(int direction, Flow *f, SMTPState *state,
                 SCReturnStruct(APP_LAYER_ERROR);
             if (state->current_line_delimiter_len == 0 &&
                     state->current_line_len == SMTP_LINE_BUFFER_LIMIT) {
-                state->discard_till_lf = true;
+                if (!state->current_line_lf_found) {
+                    state->discard_till_lf = true;
+                }
                 state->consumed = state->input_len + 1; // For the newly found LF
                 SMTPSetEvent(state, SMTP_DECODER_EVENT_TRUNCATED_LINE);
                 break;

diff --git a/src/app-layer-smtp.h b/src/app-layer-smtp.h
index 310fbe430fe882059f94ed6e1b1a5258bc69a584..a58c9685023028e76283244d8e16baf8ab3f634e 100644 (file)
--- a/src/app-layer-smtp.h
+++ b/src/app-layer-smtp.h
@@ -130,6 +130,7 @@ typedef struct SMTPState_ {
     /** length of the line in current_line.  Doesn't include the delimiter */
     int32_t current_line_len;
     uint8_t current_line_delimiter_len;
+    bool current_line_lf_found;
     /* Consumed bytes till current line */
     int32_t consumed;
     /* If rest of the bytes should be discarded in case of long line w/o LF */