From: Tom DeCanio Date: Thu, 14 Aug 2014 19:07:53 +0000 (-0700) Subject: eve-log: catch and log URLs in basic text emails without mime encapsulation. X-Git-Tag: suricata-2.1beta2~37 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=746da75615b7d60871b82b86b10a97d54e8eef78;p=thirdparty%2Fsuricata.git eve-log: catch and log URLs in basic text emails without mime encapsulation. expand pointer walk protection. --- diff --git a/src/mime-decode.c b/src/mime-decode.c index 0af3d74e5e..6332ff1450 100644 --- a/src/mime-decode.c +++ b/src/mime-decode.c @@ -1090,7 +1090,6 @@ static int FindUrlStrings(const char *line, uint32_t len, } else { SCFree(tempUrl); } - /* Increment counter */ url->url_cnt++; } else { @@ -1120,12 +1119,14 @@ static int ProcessDecodedDataChunk(const uint8_t *chunk, uint32_t len, char *remainPtr, *tok; uint32_t tokLen; - MimeDecConfig *mdcfg = MimeDecGetConfig(); - if (mdcfg != NULL && mdcfg->extract_urls) { - if ((state->stack != NULL) && (state->stack->top != NULL)) { + if ((state->stack != NULL) && (state->stack->top != NULL) && + (state->stack->top->data != NULL)) { + MimeDecConfig *mdcfg = MimeDecGetConfig(); + if (mdcfg != NULL && mdcfg->extract_urls) { MimeDecEntity *entity = (MimeDecEntity *) state->stack->top->data; /* If plain text or html, then look for URLs */ if (((entity->ctnt_flags & CTNT_IS_TEXT) || + (entity->ctnt_flags & CTNT_IS_MSG) || (entity->ctnt_flags & CTNT_IS_HTML)) && ((entity->ctnt_flags & CTNT_IS_ATTACHMENT) == 0)) { 
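Review bot: The context comment `/* If plain text or html, then look for URLs */` in ProcessDecodedDataChunk is stale once `CTNT_IS_MSG` is added to the condition beneath it; it should name the third case, e.g. `/* If plain text, message or html, then look for URLs */`. As a point of style, the three flag tests could be one mask, `(entity->ctnt_flags & (CTNT_IS_TEXT | CTNT_IS_MSG | CTNT_IS_HTML))`, which keeps the set of URL-scanned content types in a single place. The function body starts before and continues after this hunk.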
@@ -1161,18 +1162,19 @@ static int ProcessDecodedDataChunk(const uint8_t *chunk, uint32_t len,
 } while (tok != remainPtr && remainPtr - (char *) chunk < len);
 }
 }
- } else {
- SCLogDebug("Error: Stack pointer missing");
 }
- }
- /* Now invoke callback */
- if (state->dataChunkProcessor != NULL) {
- ret = state->dataChunkProcessor(chunk, len, state);
- if (ret != MIME_DEC_OK) {
- SCLogDebug("Error: state->dataChunkProcessor() callback function"
- " failed");
+ /* Now invoke callback */
+ if (state->dataChunkProcessor != NULL) {
+ ret = state->dataChunkProcessor(chunk, len, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: state->dataChunkProcessor() callback function"
+ " failed");
+ }
 }
+ } else {
+ SCLogDebug("Error: Stack pointer missing");
+ ret = MIME_DEC_ERR_DATA;
 }
 /* Reset data chunk buffer */
diff --git a/src/output-json-email-common.c b/src/output-json-email-common.c
index 15a8b31436..129eb5df5a 100644
--- a/src/output-json-email-common.c
+++ b/src/output-json-email-common.c
@@ -166,7 +166,7 @@ static TmEcode JsonEmailLogJson(JsonEmailLogThread *aft,
 /* Subject: */
 field = MimeDecFindField(entity, "Subject");
 if (field != NULL) {
- char *s = strndup(field->value, (int) field->value_len);
+ char *s = BytesToString((uint8_t *)field->value, (size_t) field->value_len);
 if (likely(s != NULL)) {
 //printf("Subject: \"%s\"\n", s);
 json_object_set_new(sjs, "subject", json_string(s));
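Review bot: With the callback moved inside the `state->stack->top->data != NULL` guard, a chunk that arrives while that pointer is missing is never handed to `state->dataChunkProcessor`, and the only trace is `SCLogDebug("Error: Stack pointer missing")`, which as far as I know is a no-op in non-debug builds. Before this change the callback ran regardless of the stack state, so consumers that depend on it to see every decoded chunk now silently miss data in that case. The buffer is reset right after (`/* Reset data chunk buffer */`), so the chunk is gone; the else branch should say so, e.g. `/* no entity to attribute the chunk to: drop it and report MIME_DEC_ERR_DATA */`. Whether callers act on the new `MIME_DEC_ERR_DATA` return is not visible here and should be confirmed, since the function starts and ends outside the hunk.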
@@ -181,6 +181,20 @@ static TmEcode JsonEmailLogJson(JsonEmailLogThread *aft,
 int url_cnt = 0;
 json_t *js_attch = json_array();
 json_t *js_url = json_array();
+ if (entity->url_list != NULL) {
+ MimeDecUrl *url;
+ for (url = entity->url_list; url != NULL; url = url->next) {
+ char *s = BytesToString((uint8_t *)url->url,
+ (size_t)url->url_len);
+ if (s != NULL) {
+ //printf("URL: \"%s\"\n", s);
+ json_array_append_new(js_url,
+ json_string(s));
+ SCFree(s);
+ url_cnt += 1;
+ }
+ }
+ }
 for (entity = entity->child; entity != NULL; entity = entity->next) {
 if (entity->ctnt_flags & CTNT_IS_ATTACHMENT) {
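Review bot: `url_cnt += 1` runs even when nothing was appended, because `json_string(s)` returns NULL for input that is not valid UTF-8 and `json_array_append_new()` then fails with -1, which the new loop ignores. The URL bytes come from the mail body, so the count can end up larger than the `js_url` array; count only on success, `if (json_array_append_new(js_url, json_string(s)) == 0) url_cnt += 1;`. The `Subject` path in the earlier hunk of this file passes `json_string(s)` to `json_object_set_new()` unchecked in the same way (context lines there), so a non-UTF-8 subject would simply be missing from the record. The outer `if (entity->url_list != NULL)` is redundant with the loop condition. JsonEmailLogJson starts and continues outside the hunk.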