Merge pull request #2314 in SNORT/snort3 from ~KATHARVE/snort3:http_mime to master

Squashed commit of the following:

commit 0db5c997317984094889e7202890c4d9ab26f89f
Author: Katura Harvey <katharve@cisco.com>
Date:   Tue Jun 30 15:53:48 2020 -0400

    mime: mime no longer overwrites file_data buffer for http packets

diff --git a/src/mime/file_mime_process.cc b/src/mime/file_mime_process.cc
index 8e028bfceb5f6e51475ca6ad91ee9eaed63cdcff..8d137dfa169e5fbb44411bbf024770f82eab4f7c 100644 (file)
--- a/src/mime/file_mime_process.cc
+++ b/src/mime/file_mime_process.cc
@@ -541,7 +541,7 @@ const uint8_t* MimeSession::process_mime_data_paf(
 
     // FIXIT-L why is this being set?  we don't search file data until
     // we set it again below after decoding.  can it be deleted?
-    if ( decode_conf && (!decode_conf->is_ignore_data()))
+    if ( !is_http && decode_conf && (!decode_conf->is_ignore_data()))
         set_file_data(start, (end - start));
 
     if (data_state == STATE_DATA_HEADER)
@@ -594,7 +594,8 @@ const uint8_t* MimeSession::process_mime_data_paf(
             if ( result != DECODE_SUCCESS )
                 decompress_alert();
 
-            set_file_data(decomp_buffer, decomp_buf_size);
+            if (!is_http)
+                set_file_data(decomp_buffer, decomp_buf_size);
         }
 
         /*Process file type/file signature*/
@@ -800,12 +801,14 @@ void MimeSession::exit()
         delete mime_hdr_search_mpse;
 }
 
-MimeSession::MimeSession(DecodeConfig* dconf, MailLogConfig* lconf, uint64_t base_file_id)
+MimeSession::MimeSession(DecodeConfig* dconf, MailLogConfig* lconf, uint64_t base_file_id,
+    bool session_is_http)
 {
     decode_conf = dconf;
     log_config =  lconf;
     log_state = new MailLogState(log_config);
     session_base_file_id = base_file_id;
+    is_http = session_is_http;
     reset_mime_paf_state(&mime_boundary);
 }
 

diff --git a/src/mime/file_mime_process.h b/src/mime/file_mime_process.h
index 6aa7328cc4b1a1ba40d3775acb7bcb7d8c10405a..f44c1b23174b85aaa732a9290170b5a52711f3f0 100644 (file)
--- a/src/mime/file_mime_process.h
+++ b/src/mime/file_mime_process.h
@@ -55,7 +55,7 @@ namespace snort
 class SO_PUBLIC MimeSession
 {
 public:
-    MimeSession(DecodeConfig*, MailLogConfig*, uint64_t base_file_id=0);
+    MimeSession(DecodeConfig*, MailLogConfig*, uint64_t base_file_id=0, bool session_is_http=false);
     virtual ~MimeSession();
 
     MimeSession(const MimeSession&) = delete;
@@ -84,6 +84,7 @@ private:
     MailLogState* log_state = nullptr;
     MimeStats* mime_stats = nullptr;
     std::string filename;
+    bool is_http = false;
     bool continue_inspecting_file = true;
     // This counter is not an accurate count of files; used only for creating a unique mime_file_id
     uint32_t file_counter = 0;

diff --git a/src/service_inspectors/http_inspect/http_msg_header.cc b/src/service_inspectors/http_inspect/http_msg_header.cc
index f612a22ee6a54c1724d00394b47cc2f80228759e..256750a0123d1df81021232e71cb2625b5d5b038 100644 (file)
--- a/src/service_inspectors/http_inspect/http_msg_header.cc
+++ b/src/service_inspectors/http_inspect/http_msg_header.cc
@@ -419,8 +419,8 @@ void HttpMsgHeader::setup_file_processing()
         {
             if (boundary_present(content_type))
             {
-                session_data->mime_state[source_id] = new MimeSession(&FileService::decode_conf, &mime_conf,
-                    transaction->get_file_processing_id(source_id));
+                session_data->mime_state[source_id] = new MimeSession(&FileService::decode_conf,
+                    &mime_conf, transaction->get_file_processing_id(source_id), true);
                 // Show file processing the Content-Type header as if it were regular data.
                 // This will enable it to find the boundary string.
                 // FIXIT-L develop a proper interface for passing the boundary string.