From: Pranav Bhalerao (prbhaler) Date: Tue, 22 Mar 2022 05:22:22 +0000 (+0000) Subject: Pull request #3305: http_inspect, mime: VBA macro decompression for HTTP MIME file... X-Git-Tag: 3.1.26.0~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e31d4d3a85873ac2c82c8c5adde149176f78f2d;p=thirdparty%2Fsnort3.git Pull request #3305: http_inspect, mime: VBA macro decompression for HTTP MIME file uploads Merge in SNORT/snort3 from ~AMARNAYA/snort3:vba_upload to master Squashed commit of the following: commit e03395379f228c35acfbbe8e1777e415182e1140 Author: Amarnath Nayak Date: Tue Feb 8 16:55:17 2022 +0000 http_inspect, mime: VBA macro decompression for HTTP MIME file uploads
---
diff --git a/src/mime/file_mime_decode.cc b/src/mime/file_mime_decode.cc
index 43b4a5cfc..7d388777b 100644
--- a/src/mime/file_mime_decode.cc
+++ b/src/mime/file_mime_decode.cc
@@ -232,6 +232,13 @@ void MimeDecode::clear_decomp_vba_data()
 decompressed_vba_data.reset();
 }
+const BufferData& MimeDecode::_get_ole_buf()
+{
+ if (ole_data.length() <= 0)
+ return BufferData::buffer_null;
+ return ole_data;
+}
+
 void MimeDecode::file_decomp_reset()
 {
 if ( fd_state == nullptr )
diff --git a/src/mime/file_mime_decode.h b/src/mime/file_mime_decode.h
index 3851c693c..3095bff96 100644
--- a/src/mime/file_mime_decode.h
+++ b/src/mime/file_mime_decode.h
@@ -82,6 +82,7 @@ public:
 DecodeResult decompress_data(const uint8_t* buf_in, uint32_t size_in, const uint8_t*& buf_out, uint32_t& size_out);
+ const BufferData& _get_ole_buf();
 const BufferData& get_decomp_vba_data();
 void clear_decomp_vba_data();
diff --git a/src/mime/file_mime_process.cc b/src/mime/file_mime_process.cc
index d5cdd86a5..6e29cf22b 100644
--- a/src/mime/file_mime_process.cc
+++ b/src/mime/file_mime_process.cc
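Review bot: `MimeDecode::_get_ole_buf()` breaks the naming convention of the class it is added to — the neighbouring accessor `get_decomp_vba_data()` has no leading underscore, and `MimeSession::get_ole_buf()` in file_mime_process.cc then calls the underscored name across a class boundary, so nothing marks it as internal in practice. Nothing visible distinguishes it from an ordinary public accessor, so I would name it `get_ole_buf()` (the declaration in the file_mime_decode.h hunk as well) and, since it only reads `ole_data`, declare it `const BufferData& get_ole_buf() const;`. If the underscore is meant to say "only MimeSession should call this", a one-line comment at the declaration stating that would carry the intent better than the prefix.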
@@ -706,6 +706,14 @@ void MimeSession::set_mime_stats(MimeStats* stats)
 mime_stats = stats;
 }
+const BufferData& MimeSession::get_ole_buf()
+{
+ if (!decode_state)
+ return BufferData::buffer_null;
+
+ return decode_state->_get_ole_buf();
+}
+
 const BufferData& MimeSession::get_vba_inspect_buf()
 {
 if (!decode_state)
diff --git a/src/mime/file_mime_process.h b/src/mime/file_mime_process.h
index 94ddd2ce1..616a947e4 100644
--- a/src/mime/file_mime_process.h
+++ b/src/mime/file_mime_process.h
@@ -73,6 +73,7 @@ public:
 MailLogState* get_log_state();
 void set_mime_stats(MimeStats*);
+ const BufferData& get_ole_buf();
 const BufferData& get_vba_inspect_buf();
 protected:
diff --git a/src/service_inspectors/http_inspect/http_msg_body.cc b/src/service_inspectors/http_inspect/http_msg_body.cc
index 2c7e3156e..dd44d0460 100644
--- a/src/service_inspectors/http_inspect/http_msg_body.cc
+++ b/src/service_inspectors/http_inspect/http_msg_body.cc
@@ -26,6 +26,7 @@
 #include "decompress/file_olefile.h"
 #include "file_api/file_flows.h"
 #include "file_api/file_service.h"
+#include "helpers/buffer_data.h"
 #include "pub_sub/http_request_body_event.h"
 #include "http_api.h"
@@ -482,7 +483,11 @@ void HttpMsgBody::do_file_processing(const Field& file_data)
 (section_end - ptr), true, SNORT_FILE_POSITION_UNKNOWN);
 ptr++;
 }
-
+
+ const BufferData& vba_buf = session_data->mime_state[source_id]->get_ole_buf();
+ if (vba_buf.data_ptr())
+ ole_data.set(vba_buf.length(), vba_buf.data_ptr());
+
 session_data->file_octets[source_id] += file_data.length();
 }
 }
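Review bot: `ole_data.set(vba_buf.length(), vba_buf.data_ptr())` in the do_file_processing hunk hands HttpMsgBody a pointer into a buffer owned by the MIME decoder (`MimeDecode::ole_data`, handed out by reference through `get_ole_buf()`), and nothing in the hunk shows whether `BufferData::set()` copies the bytes or merely records the pointer; if it only records it, `HttpMsgBody::ole_data` dangles once the decoder clears or resets that buffer, and if it takes ownership the same allocation would be released twice. A short comment at the call pinning the intended lifetime — e.g. `// ole_data references the MIME decoder's buffer; consume it before decode_state is reset` — would make the contract explicit and let the consumer of ole_data be checked against it. The call also dereferences `session_data->mime_state[source_id]` unconditionally; I assume the enclosing block is already guarded by a non-null check on it, since the loop above appears to be MIME section processing, but that guard is outside the hunk and worth confirming. `do_file_processing` begins outside the hunk.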