From: Pranav Bhalerao (prbhaler)
Date: Tue, 23 Nov 2021 03:05:49 +0000 (+0000)
Subject: Pull request #3170: http_inspect: Storing ole data in msg_body
X-Git-Tag: 3.1.18.0~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b6755043c9af3c55fa9264d63ab2eb02530e8da2;p=thirdparty%2Fsnort3.git

Pull request #3170: http_inspect: Storing ole data in msg_body

Merge in SNORT/snort3 from ~VIGNVISW/snort3:vignvisw_CSCwa20585 to master

Squashed commit of the following:

commit d87b2ece8def9c857d29df967934418cda85b897
Author: Vigneshwari Viswanathan
Date: Wed Nov 17 04:47:56 2021 -0500

    http_inspect: Storing ole data in msg_body
---
diff --git a/src/decompress/file_decomp.cc b/src/decompress/file_decomp.cc
index 78371587d..7c3e48c94 100644
--- a/src/decompress/file_decomp.cc
+++ b/src/decompress/file_decomp.cc
@@ -303,7 +303,7 @@ fd_session_t* File_Decomp_New()
     New_Session->File_Type = FILE_TYPE_NONE;
     New_Session->vba_analysis = false;
     New_Session->ole_data_ptr = nullptr;
-    New_Session->ole_data_ptr = 0;
+    New_Session->ole_data_len = 0;
 
     return New_Session;
 }
diff --git a/src/decompress/file_decomp.h b/src/decompress/file_decomp.h
index f5a8cda10..275f60ac9 100644
--- a/src/decompress/file_decomp.h
+++ b/src/decompress/file_decomp.h
@@ -142,7 +142,19 @@ struct fd_session_t
     uint8_t State; // main state machine
     uint8_t* ole_data_ptr; // compressed ole file.
     uint32_t ole_data_len;
-    bool vba_analysis;
+    bool vba_analysis;
+
+    void get_ole_data(uint8_t*& ole_data_ptr, uint32_t& ole_data_len)
+    {
+        ole_data_ptr = this->ole_data_ptr;
+        ole_data_len = this->ole_data_len;
+    }
+
+    void ole_data_reset()
+    {
+        ole_data_ptr = nullptr;
+        ole_data_len = 0;
+    }
 };
 
 /* Macros */
diff --git a/src/service_inspectors/http_inspect/http_msg_body.cc b/src/service_inspectors/http_inspect/http_msg_body.cc
index 0d3205ce1..a86830c9c 100644
--- a/src/service_inspectors/http_inspect/http_msg_body.cc
+++ b/src/service_inspectors/http_inspect/http_msg_body.cc
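Review bot: The corrected initialization in File_Decomp_New now spells out the same two assignments that the new fd_session_t::ole_data_reset() in this commit's file_decomp.h hunk performs, so the "no OLE data" state is defined in two places. Replacing the pair with `New_Session->ole_data_reset();` keeps a single definition and would have made the original `ole_data_ptr = 0` copy-paste slip impossible to repeat. File_Decomp_New's body starts outside the hunk.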
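Review bot: In fd_session_t::get_ole_data the reference parameters `ole_data_ptr` and `ole_data_len` shadow the members of the same name, which is the only reason the `this->` qualifiers are needed and makes a self-assignment easy to introduce by mistake. `void get_ole_data(uint8_t*& ptr, uint32_t& len) { ptr = ole_data_ptr; len = ole_data_len; }` reads the same without the shadowing. Separately, ole_data_reset() only forgets the pointer, so the struct evidently does not own the buffer, yet the member comment `// compressed ole file.` says nothing about lifetime. The assignment site of ole_data_ptr is outside this diff; once the owner is confirmed there, the member comment should be extended to something like `// non-owning; points into the decompressed output, see ole_data_reset()`.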
@@ -255,6 +255,22 @@ void HttpMsgBody::do_utf_decoding(const Field& input, Field& output)
     output.set(input);
 }
 
+void HttpMsgBody::get_ole_data()
+{
+    uint8_t* ole_data_ptr;
+    uint32_t ole_len;
+
+    session_data->fd_state->get_ole_data(ole_data_ptr, ole_len);
+
+    if (ole_data_ptr)
+    {
+        ole_data.set(ole_len, ole_data_ptr, false);
+
+        //Reset the ole data ptr once it is stored in msg body
+        session_data->fd_state->ole_data_reset();
+    }
+}
+
 void HttpMsgBody::do_file_decompression(const Field& input, Field& output)
 {
     if ((source_id == SRC_CLIENT) || (session_data->fd_state == nullptr))
@@ -295,6 +311,8 @@ void HttpMsgBody::do_file_decompression(const Field& input, Field& output)
         assert((uint64_t)session_data->file_decomp_buffer_size_remaining[source_id] >= output_length);
         session_data->file_decomp_buffer_size_remaining[source_id] -= output_length;
 
+        get_ole_data();
+
         break;
     }
 }
@@ -515,26 +533,26 @@ const Field& HttpMsgBody::get_decomp_vba_data()
     if (decompressed_vba_data.length() != STAT_NOT_COMPUTE)
         return decompressed_vba_data;
 
-    if (!session_data->fd_state->ole_data_ptr || !session_data->fd_state->ole_data_len)
-        return Field::FIELD_NULL;
+    if (ole_data.length() <= 0)
+    {
+        decompressed_vba_data.set(STAT_NO_SOURCE);
+        return decompressed_vba_data;
+    }
 
     uint8_t* buf = nullptr;
     uint32_t buf_len = 0;
 
     VBA_DEBUG(vba_data_trace, DEFAULT_TRACE_OPTION_ID, TRACE_INFO_LEVEL, CURRENT_PACKET,
         "Found OLE file. Sending %d bytes for the processing.\n",
-        session_data->fd_state->ole_data_len);
+        ole_data.length());
+
+    oleprocess(ole_data.start(), ole_data.length(), buf, buf_len);
 
-    oleprocess(session_data->fd_state->ole_data_ptr, session_data->fd_state->ole_data_len, buf,
-        buf_len);
     if (buf && buf_len)
         decompressed_vba_data.set(buf_len, buf, true);
     else
         decompressed_vba_data.set(STAT_NOT_PRESENT);
 
-    session_data->fd_state->ole_data_ptr = nullptr;
-    session_data->fd_state->ole_data_len = 0;
-
     return decompressed_vba_data;
 }
 
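Review bot: HttpMsgBody::get_ole_data stores the OLE bytes as a non-owning view (`ole_data.set(ole_len, ole_data_ptr, false)`) and then clears fd_state's copy, so from this point `ole_data` is the only reference to those bytes and nothing in the commit says which buffer backs them or how long it lives; presumably it is the decompression output produced in do_file_decompression, whose ownership is not visible in this hunk. A comment above the set call, e.g. `// non-owning view: the bytes belong to the decompression output buffer and must outlive this body's use of ole_data`, should be added once that is confirmed. The guard also only tests the pointer, so a non-null pointer with `ole_len == 0` still sets the field; get_decomp_vba_data tolerates that through its `length() <= 0` test, but `if (ole_data_ptr && ole_len)` here would keep the two in step. If this function can run twice for one HttpMsgBody (do_file_decompression is visible only in part), the second `ole_data.set` would land on an already-set Field, which I believe Field::set rejects with an assert — worth confirming.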
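Review bot: In HttpMsgBody::get_decomp_vba_data the new early return sets `STAT_NO_SOURCE` while the unchanged path after oleprocess sets `STAT_NOT_PRESENT`, and nothing explains which condition maps to which; a reader of the vba_data rule buffer has to reconstruct that the first means "no OLE container was found in the decompressed body" and the second "a container was found but no VBA came out of it". Comments `// no OLE container was found in the decompressed body` on the early return and `// OLE container present but oleprocess produced no VBA` on the else branch would make the distinction explicit. The function's signature and opening brace are outside the hunk.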
diff --git a/src/service_inspectors/http_inspect/http_msg_body.h b/src/service_inspectors/http_inspect/http_msg_body.h
index e3a0461fb..664c148af 100644
--- a/src/service_inspectors/http_inspect/http_msg_body.h
+++ b/src/service_inspectors/http_inspect/http_msg_body.h
@@ -73,6 +73,7 @@ private:
         int32_t detect_length);
     void get_file_info(
         FileDirection dir, const uint8_t*& filename_buffer, uint32_t& filename_length, const uint8_t*& uri_buffer, uint32_t& uri_length);
+    void get_ole_data();
 
     // In order of generation
     Field msg_text_new;
@@ -84,6 +85,7 @@ private:
     Field norm_js_data;
     Field classic_client_body; // URI normalization applied
     Field decompressed_vba_data;
+    Field ole_data;
 
     int32_t publish_length = HttpCommon::STAT_NOT_PRESENT;
 };
diff --git a/src/service_inspectors/http_inspect/http_msg_section.cc b/src/service_inspectors/http_inspect/http_msg_section.cc
index 5abd6d9c4..e115e8409 100644
--- a/src/service_inspectors/http_inspect/http_msg_section.cc
+++ b/src/service_inspectors/http_inspect/http_msg_section.cc
@@ -385,7 +385,7 @@ const Field& HttpMsgSection::get_classic_buffer(Cursor& c, const HttpBufferInfo&
     case BUFFER_VBA_DATA:
     {
         HttpMsgBody* msg_body = get_body();
-        if (session_data->fd_state and msg_body)
+        if (msg_body)
             return msg_body->get_decomp_vba_data();
         else
             return Field::FIELD_NULL;
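Review bot: `Field ole_data;` joins the "In order of generation" list with no comment, although it is the one Field here whose only setter stores a non-owning pointer (`ole_data.set(ole_len, ole_data_ptr, false)` in this commit's http_msg_body.cc hunk); the sibling `classic_client_body` line shows the file's habit of annotating such members. `Field ole_data; // OLE container located by file decompression; non-owning view` would tell a maintainer not to free through it. The class body continues outside both hunks.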
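Review bot: Dropping `session_data->fd_state and` from the BUFFER_VBA_DATA guard in get_classic_buffer is safe only because HttpMsgBody::get_decomp_vba_data no longer touches fd_state (visible in this commit's http_msg_body.cc hunk), but that dependency is now implicit at the call site. A short comment, `// get_decomp_vba_data() reads only the body's stored ole_data; no fd_state check needed`, would keep a later change to get_decomp_vba_data from silently reintroducing a null dereference here. get_classic_buffer starts and ends outside the hunk.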