Pull request #3170: http_inspect: Storing ole data in msg_body
authorPranav Bhalerao (prbhaler) <prbhaler@cisco.com>
Tue, 23 Nov 2021 03:05:49 +0000 (03:05 +0000)
committerPranav Bhalerao (prbhaler) <prbhaler@cisco.com>
Tue, 23 Nov 2021 03:05:49 +0000 (03:05 +0000)
Merge in SNORT/snort3 from ~VIGNVISW/snort3:vignvisw_CSCwa20585 to master

Squashed commit of the following:

commit d87b2ece8def9c857d29df967934418cda85b897
Author: Vigneshwari Viswanathan <vignvisw@cisco.com>
Date:   Wed Nov 17 04:47:56 2021 -0500

    http_inspect: Storing ole data in msg_body

src/decompress/file_decomp.cc
src/decompress/file_decomp.h
src/service_inspectors/http_inspect/http_msg_body.cc
src/service_inspectors/http_inspect/http_msg_body.h
src/service_inspectors/http_inspect/http_msg_section.cc

index 78371587dbc60f9b9d8c36f9ebe02f0c2927743a..7c3e48c94edace6ea7a7f3032386191bac8fcd4e 100644 (file)
@@ -303,7 +303,7 @@ fd_session_t* File_Decomp_New()
     New_Session->File_Type = FILE_TYPE_NONE;
     New_Session->vba_analysis = false;
     New_Session->ole_data_ptr = nullptr;
-    New_Session->ole_data_ptr = 0;
+    New_Session->ole_data_len = 0;
 
     return New_Session;
 }
index f5a8cda10256de27cba0272be417b15b985da3d3..275f60ac9778481c234353e95d389a2a2a810252 100644 (file)
@@ -142,7 +142,19 @@ struct fd_session_t
     uint8_t State;       // main state machine
     uint8_t* ole_data_ptr; // compressed ole file.
     uint32_t ole_data_len; 
-    bool vba_analysis;   
+    bool vba_analysis;
+
+    void get_ole_data(uint8_t*& ole_data_ptr, uint32_t& ole_data_len)
+    {
+        ole_data_ptr = this->ole_data_ptr;
+        ole_data_len = this->ole_data_len;
+    }
+
+    void ole_data_reset()
+    {
+        ole_data_ptr = nullptr;
+        ole_data_len = 0;
+    } 
 };
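Review bot: The parameters of the added get_ole_data carry the same names as the members they copy from, so the body is only correct because of the explicit `this->`; a reader who drops the qualifier gets a silent self-assignment. Renaming them and making the getter const removes the trap: `void get_ole_data(uint8_t*& ptr, uint32_t& len) const { ptr = ole_data_ptr; len = ole_data_len; }`. Neither new method says who frees the buffer that ole_data_ptr points to once the pointer has been handed out and then cleared by ole_data_reset(); since the http_inspect caller keeps that pointer, a one-line comment on ole_data_ptr naming the owner and its lifetime would help. The closing brace of ole_data_reset also carries trailing whitespace.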
 
 /* Macros */
index 0d3205ce156d669fb5d6c18fd8560bfa57aafa1c..a86830c9cf666e307ca0d2bd9b9146ac30860b85 100644 (file)
@@ -255,6 +255,22 @@ void HttpMsgBody::do_utf_decoding(const Field& input, Field& output)
         output.set(input);
 }
 
+void HttpMsgBody::get_ole_data()
+{
+    uint8_t* ole_data_ptr;
+    uint32_t ole_len;
+
+    session_data->fd_state->get_ole_data(ole_data_ptr, ole_len);
+
+    if (ole_data_ptr)
+    {
+        ole_data.set(ole_len, ole_data_ptr, false);
+
+        //Reset the ole data ptr once it is stored in msg body
+        session_data->fd_state->ole_data_reset();
+    }
+}
+    
 void HttpMsgBody::do_file_decompression(const Field& input, Field& output)
 {
     if ((source_id == SRC_CLIENT) || (session_data->fd_state == nullptr))
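Review bot: get_ole_data stores the pointer obtained from fd_state into ole_data with a third argument of false, which by contrast with the `true` passed in get_decomp_vba_data appears to mean the Field does not take ownership, while ole_data_reset() only clears fd_state's pointer and length; the bytes therefore remain owned by whatever allocated them in the decompression session. If that buffer can be released (for instance when the decompression session is reset or freed) before get_decomp_vba_data reads ole_data, the Field is left dangling; the allocation is not visible here, so this needs confirming against file_decomp. The guard also accepts a non-null pointer with `ole_len == 0`; `if (ole_data_ptr && ole_len)` would preserve the check that the old get_decomp_vba_data performed. The line added after the closing brace consists of trailing spaces only.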
@@ -295,6 +311,8 @@ void HttpMsgBody::do_file_decompression(const Field& input, Field& output)
         assert((uint64_t)session_data->file_decomp_buffer_size_remaining[source_id] >=
             output_length);
         session_data->file_decomp_buffer_size_remaining[source_id] -= output_length;
+        get_ole_data();
+
         break;
     }
 }
@@ -515,26 +533,26 @@ const Field& HttpMsgBody::get_decomp_vba_data()
     if (decompressed_vba_data.length() != STAT_NOT_COMPUTE)
         return decompressed_vba_data;
 
-    if (!session_data->fd_state->ole_data_ptr || !session_data->fd_state->ole_data_len)
-        return Field::FIELD_NULL;
+    if (ole_data.length() <= 0)
+    {
+        decompressed_vba_data.set(STAT_NO_SOURCE);
+        return decompressed_vba_data;
+    }
 
     uint8_t* buf = nullptr;
     uint32_t buf_len = 0;
 
     VBA_DEBUG(vba_data_trace, DEFAULT_TRACE_OPTION_ID, TRACE_INFO_LEVEL, CURRENT_PACKET,
                "Found OLE file. Sending %d bytes for the processing.\n",
-                session_data->fd_state->ole_data_len);
+                ole_data.length());
+
+    oleprocess(ole_data.start(), ole_data.length(), buf, buf_len);
 
-    oleprocess(session_data->fd_state->ole_data_ptr, session_data->fd_state->ole_data_len, buf,
-        buf_len);
     if (buf && buf_len)
         decompressed_vba_data.set(buf_len, buf, true);
     else
         decompressed_vba_data.set(STAT_NOT_PRESENT);
 
-    session_data->fd_state->ole_data_ptr = nullptr;
-    session_data->fd_state->ole_data_len = 0;
-
     return decompressed_vba_data;
 }
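Review bot: The new early return caches STAT_NO_SOURCE in decompressed_vba_data, and the STAT_NOT_COMPUTE check at the top of the function then makes that answer permanent for this section; if get_decomp_vba_data can be reached before do_file_decompression has called get_ole_data on the same HttpMsgBody, an OLE buffer that arrives afterwards would never be processed. Whether that ordering can occur is not visible in this hunk and is worth confirming; if it can, `return Field::FIELD_NULL;` without touching decompressed_vba_data, as the removed line did, keeps the lookup retryable. The start of get_decomp_vba_data lies outside the hunk.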
 
index e3a0461fb7bc3ff7381c4e112e01d7b7737edfcc..664c148af88d8de590da56f6b675c11a2ccf2e11 100644 (file)
@@ -73,6 +73,7 @@ private:
         int32_t detect_length);
     void get_file_info( FileDirection dir, const uint8_t*& filename_buffer,
         uint32_t& filename_length, const uint8_t*& uri_buffer, uint32_t& uri_length);
+    void get_ole_data();
 
     // In order of generation
     Field msg_text_new;
@@ -84,6 +85,7 @@ private:
     Field norm_js_data;
     Field classic_client_body;   // URI normalization applied
     Field decompressed_vba_data;
+    Field ole_data;
 
     int32_t publish_length = HttpCommon::STAT_NOT_PRESENT;
 };
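Review bot: The new ole_data member in the second hunk is the only Field in this list without a comment, while neighbours such as classic_client_body document their origin; the hand-off from the decompressor deserves the same, e.g. `Field ole_data;              // compressed OLE file handed over from fd_state by get_ole_data()`. The `void get_ole_data();` declaration in the first hunk would likewise benefit from a short comment stating that it moves the pointer out of fd_state and clears it there.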
index 5abd6d9c40e06f31c63631b409f7b476a9b964ee..e115e8409f72fcbf08d740426f30d29e56163175 100644 (file)
@@ -385,7 +385,7 @@ const Field& HttpMsgSection::get_classic_buffer(Cursor& c, const HttpBufferInfo&
     case BUFFER_VBA_DATA:
       {
         HttpMsgBody* msg_body = get_body();
-        if (session_data->fd_state and msg_body)
+        if (msg_body)
             return msg_body->get_decomp_vba_data(); 
         else
             return Field::FIELD_NULL;