From: Mike Stepanek (mstepane) Date: Tue, 7 Jul 2020 14:22:36 +0000 (+0000) Subject: Merge pull request #2314 in SNORT/snort3 from ~KATHARVE/snort3:http_mime to master X-Git-Tag: 3.0.2-2~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d5368ac053fd718c7187b92c9a25e030acbae367;p=thirdparty%2Fsnort3.git Merge pull request #2314 in SNORT/snort3 from ~KATHARVE/snort3:http_mime to master Squashed commit of the following: commit 0db5c997317984094889e7202890c4d9ab26f89f Author: Katura Harvey Date: Tue Jun 30 15:53:48 2020 -0400 mime: mime no longer overwrites file_data buffer for http packets
---
diff --git a/src/mime/file_mime_process.cc b/src/mime/file_mime_process.cc
index 8e028bfce..8d137dfa1 100644
--- a/src/mime/file_mime_process.cc
+++ b/src/mime/file_mime_process.cc
@@ -541,7 +541,7 @@ const uint8_t* MimeSession::process_mime_data_paf(
 // FIXIT-L why is this being set? we don't search file data until
 // we set it again below after decoding. can it be deleted?
- if ( decode_conf && (!decode_conf->is_ignore_data()))
+ if ( !is_http && decode_conf && (!decode_conf->is_ignore_data()))
 set_file_data(start, (end - start));
 if (data_state == STATE_DATA_HEADER)
@@ -594,7 +594,8 @@ const uint8_t* MimeSession::process_mime_data_paf(
 if ( result != DECODE_SUCCESS )
 decompress_alert();
- set_file_data(decomp_buffer, decomp_buf_size);
+ if (!is_http)
+ set_file_data(decomp_buffer, decomp_buf_size);
 }
 /*Process file type/file signature*/
@@ -800,12 +801,14 @@ void MimeSession::exit()
 delete mime_hdr_search_mpse;
 }
-MimeSession::MimeSession(DecodeConfig* dconf, MailLogConfig* lconf, uint64_t base_file_id)
+MimeSession::MimeSession(DecodeConfig* dconf, MailLogConfig* lconf, uint64_t base_file_id,
+ bool session_is_http)
 {
 decode_conf = dconf;
 log_config = lconf;
 log_state = new MailLogState(log_config);
 session_base_file_id = base_file_id;
+ is_http = session_is_http;
 reset_mime_paf_state(&mime_boundary);
 }
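Review bot: The new `!is_http` condition in the `@@ -541` hunk of `process_mime_data_paf` is undocumented, and it sits directly under a FIXIT-L that already questions why this `set_file_data` call exists. A reader cannot tell from the code which component owns the file_data buffer for HTTP sessions. I would add a comment above the condition, for example `// HTTP sessions manage file_data themselves; MIME must not overwrite it` (wording to be confirmed by the author), and update or resolve the FIXIT-L so it reflects the non-HTTP-only behaviour. The same comment applies to the guard added in the `@@ -594` hunk; the function body starts and ends outside both hunks.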
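Review bot: In the `@@ -594` hunk, the `decompress_alert()` check still runs for HTTP sessions, but with `if (!is_http)` the contents of `decomp_buffer` are no longer published through `set_file_data`. Whether anything later in the function consumes `decomp_buffer` for HTTP is not visible here. If nothing does, content that only becomes visible after this decompression step would not be available to file_data matching unless the HTTP side exposes an equivalent buffer. That may well be the intent, but it deserves a one-line comment such as `// HTTP: decompressed MIME data is not exposed as file_data here`. A regression test sending a compressed MIME part inside an HTTP body would pin the expected detection coverage.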
diff --git a/src/mime/file_mime_process.h b/src/mime/file_mime_process.h
index 6aa7328cc..f44c1b231 100644
--- a/src/mime/file_mime_process.h
+++ b/src/mime/file_mime_process.h
@@ -55,7 +55,7 @@ namespace snort
 class SO_PUBLIC MimeSession
 {
 public:
- MimeSession(DecodeConfig*, MailLogConfig*, uint64_t base_file_id=0);
+ MimeSession(DecodeConfig*, MailLogConfig*, uint64_t base_file_id=0, bool session_is_http=false);
 virtual ~MimeSession();
 MimeSession(const MimeSession&) = delete;
@@ -84,6 +84,7 @@ private:
 MailLogState* log_state = nullptr;
 MimeStats* mime_stats = nullptr;
 std::string filename;
+ bool is_http = false;
 bool continue_inspecting_file = true;
 // This counter is not an accurate count of files; used only for creating a unique mime_file_id
 uint32_t file_counter = 0;
diff --git a/src/service_inspectors/http_inspect/http_msg_header.cc b/src/service_inspectors/http_inspect/http_msg_header.cc
index f612a22ee..256750a01 100644
--- a/src/service_inspectors/http_inspect/http_msg_header.cc
+++ b/src/service_inspectors/http_inspect/http_msg_header.cc
@@ -419,8 +419,8 @@ void HttpMsgHeader::setup_file_processing()
 {
 if (boundary_present(content_type))
 {
- session_data->mime_state[source_id] = new MimeSession(&FileService::decode_conf, &mime_conf,
- transaction->get_file_processing_id(source_id));
+ session_data->mime_state[source_id] = new MimeSession(&FileService::decode_conf,
+ &mime_conf, transaction->get_file_processing_id(source_id), true);
 // Show file processing the Content-Type header as if it were regular data.
 // This will enable it to find the boundary string.
 // FIXIT-L develop a proper interface for passing the boundary string.
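Review bot: `MimeSession` is declared `SO_PUBLIC`, so the constructor change in the `@@ -55` hunk and the new `is_http` member in the `@@ -84` hunk alter the exported signature and the object layout. The defaulted `session_is_http=false` keeps existing callers source-compatible, but separately built modules compiled against the old header would presumably need a rebuild; a mention in the release notes would help. The parameter and member also lack any description of their effect, so I would add a comment on the member such as `// true when owned by the HTTP inspector; MIME then leaves file_data untouched`.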
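Review bot: The trailing `true` in the `new MimeSession(...)` call in `setup_file_processing` is a bare boolean whose meaning is invisible at the call site. Because the parameter defaults to `false`, a future HTTP call site that omits it would compile silently and go back to MIME overwriting file_data. Naming the argument inline makes the intent and any omission easier to spot, e.g. `&mime_conf, transaction->get_file_processing_id(source_id), /* session_is_http */ true);`. A small enum in place of the `bool` would be the more robust variant. The function continues outside the hunk.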