From: Victor Julien
Date: Sun, 26 Jun 2022 00:29:34 +0000 (+0200)
Subject: smtp/mime: fix parsing edge case
X-Git-Tag: suricata-6.0.6~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a6c61a564fc1582e6c22860a799887133a681ac;p=thirdparty%2Fsuricata.git

smtp/mime: fix parsing edge case

Correctly track "remaining" bytes after partial base64 decoding. Add comment clarifications and debug validation checks.
(cherry picked from commit 5953a7d2ebd20be2a9f578fae66face4e172b678)
---
diff --git a/src/util-decode-mime.c b/src/util-decode-mime.c
index 66c1ee21f0..cdb8f336da 100644
--- a/src/util-decode-mime.c
+++ b/src/util-decode-mime.c
@@ -1322,7 +1322,10 @@ static int ProcessBase64BodyLine(const uint8_t *buf, uint32_t len,
 return MIME_DEC_OK;
 }
- /* First process remaining from previous line */
+ /* First process remaining from previous line. We will consume
+ * state->bvremain, filling it from 'buf' until we have a properly
+ * sized block. Spaces are skipped (rfc2045). If state->bvr_len
+ * is not 0 after procesing we have no data left at 'buf'. */
 if (state->bvr_len > 0) {
 uint32_t consumed = ProcessBase64Remainder(buf, len, state, 0);
 DEBUG_VALIDATE_BUG_ON(consumed > len);
@@ -1331,10 +1334,14 @@ static int ProcessBase64BodyLine(const uint8_t *buf, uint32_t len,
 uint32_t left = len - consumed;
 if (left < B64_BLOCK) {
+ DEBUG_VALIDATE_BUG_ON(left + state->bvr_len > B64_BLOCK);
+ if (left + state->bvr_len > B64_BLOCK)
+ return MIME_DEC_ERR_PARSE;
 memcpy(state->bvremain, buf + consumed, left);
- state->bvr_len = left;
+ state->bvr_len += left;
 return MIME_DEC_OK;
 }
+ remaining -= consumed;
 offset = consumed;
 }
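Review bot: The rewritten comment in the first hunk misspells "processing" as `procesing` in its last line. That last sentence is also the invariant the second hunk leans on, so it is worth spelling out its consequence for the code that follows, presumably that `left` is then 0 and nothing more is copied; for example `* is not 0 after processing, 'buf' is fully consumed and 'left' is 0. */`. ProcessBase64BodyLine starts and continues outside this hunk, so the wording should be checked against the full function.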
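Review bot: In the `left < B64_BLOCK` branch of the second hunk the copy still writes at the start of the buffer, `memcpy(state->bvremain, buf + consumed, left);`, while the length is now accumulated with `state->bvr_len += left;`. The added bound `left + state->bvr_len > B64_BLOCK` permits both values to be non-zero, and in that case the copy would overwrite the bytes already held while the tail of the counted range keeps stale content that is later decoded as input. If the invariant described in the first hunk's comment always holds this cannot happen, but nothing in the visible code enforces it; writing at the current fill level, `memcpy(state->bvremain + state->bvr_len, buf + consumed, left);`, makes the copy agree with both the `+=` and the bound check. The declaration of `bvremain` is outside the hunk, so its capacity being `B64_BLOCK` bytes is an assumption to confirm.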