summaryrefslogtreecommitdiffstats
path: root/src/util-decode-mime.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/util-decode-mime.c3591
1 files changed, 3591 insertions, 0 deletions
diff --git a/src/util-decode-mime.c b/src/util-decode-mime.c
new file mode 100644
index 0000000..5e7a8d5
--- /dev/null
+++ b/src/util-decode-mime.c
@@ -0,0 +1,3591 @@
+/* Copyright (C) 2012 BAE Systems
+ * Copyright (C) 2020-2021 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author David Abarbanel <david.abarbanel@baesystems.com>
+ *
+ */
+
+#include "suricata-common.h"
+#include "suricata.h"
+#include "app-layer-smtp.h"
+#include "util-decode-mime.h"
+#include "util-ip.h"
+#include "util-spm-bs.h"
+#include "util-unittest.h"
+#include "util-memcmp.h"
+#include "util-print.h"
+#include "util-validate.h"
+#include "rust.h"
+
+/* Character constants */
+#ifndef CR
+#define CR 13
+#define LF 10
+#endif
+
+#define CRLF "\r\n"
+#define COLON 58
+#define DASH 45
+#define PRINTABLE_START 33
+#define PRINTABLE_END 126
+#define UC_START 65
+#define UC_END 90
+#define LC_START 97
+#define LC_END 122
+#define UC_LC_DIFF 32
+#define EOL_LEN 2
+
+/* Base-64 constants */
+#define BASE64_STR "Base64"
+
+/* Mime Constants */
+#define MAX_LINE_LEN 998 /* Def in RFC 2045, excluding CRLF sequence */
+#define MAX_ENC_LINE_LEN 76 /* Def in RFC 2045, excluding CRLF sequence */
+#define MAX_HEADER_NAME 75 /* 75 + ":" = 76 */
+#define MAX_HEADER_VALUE 2000 /* Default - arbitrary limit */
+#define BOUNDARY_BUF 256
+#define CTNT_TYPE_STR "content-type"
+#define CTNT_DISP_STR "content-disposition"
+#define CTNT_TRAN_STR "content-transfer-encoding"
+#define MSG_ID_STR "message-id"
+#define MSG_STR "message/"
+#define MULTIPART_STR "multipart/"
+#define QP_STR "quoted-printable"
+#define TXT_STR "text/plain"
+#define HTML_STR "text/html"
+
+/* Memory Usage Constants */
+#define STACK_FREE_NODES 10
+
+/* Other Constants */
+#define MAX_IP4_CHARS 15
+#define MAX_IP6_CHARS 39
+
+/* Globally hold configuration data */
+static MimeDecConfig mime_dec_config = { true, true, true, NULL, false, false, MAX_HEADER_VALUE };
+
+/* Mime Parser String translation */
+static const char *StateFlags[] = { "NONE",
+ "HEADER_READY",
+ "HEADER_STARTED",
+ "HEADER_DONE",
+ "BODY_STARTED",
+ "BODY_DONE",
+ "BODY_END_BOUND",
+ "PARSE_DONE",
+ "PARSE_ERROR",
+ NULL };
+
+/* URL executable file extensions */
+static const char *UrlExeExts[] = { ".exe", ".vbs", ".bin", ".cmd", ".bat", ".jar", ".js", ".ps",
+ ".ps1", ".sh", ".run", ".hta", ".bin", ".elf", NULL };
+
+/**
+ * \brief Function used to print character strings that are not null-terminated
+ *
+ * \param log_level The logging level in which to print
+ * \param label A label for the string to print
+ * \param src The source string
+ * \param len The length of the string
+ *
+ * \return none
+ */
+static void PrintChars(int log_level, const char *label, const uint8_t *src, uint32_t len)
+{
+#ifdef DEBUG
+ if (log_level <= sc_log_global_log_level) {
+ printf("[%s]\n", label);
+ PrintRawDataFp(stdout, (uint8_t *)src, len);
+ }
+#endif
+}
+
+/**
+ * \brief Set global config policy
+ *
+ * \param config Config policy to set
+ * \return none
+ */
+void MimeDecSetConfig(MimeDecConfig *config)
+{
+ if (config != NULL) {
+ mime_dec_config = *config;
+
+ /* Set to default */
+ if (mime_dec_config.header_value_depth == 0) {
+ mime_dec_config.header_value_depth = MAX_HEADER_VALUE;
+ }
+ } else {
+ SCLogWarning("Invalid null configuration parameters");
+ }
+}
+
+/**
+ * \brief Get global config policy
+ *
+ * \return config data structure
+ */
+MimeDecConfig * MimeDecGetConfig(void)
+{
+ return &mime_dec_config;
+}
+
+/**
+ * \brief Follow the 'next' pointers to the leaf
+ *
+ * \param node The root entity
+ *
+ * \return Pointer to leaf on 'next' side
+ *
+ */
+static MimeDecEntity *findLastSibling(MimeDecEntity *node)
+{
+ if (node == NULL)
+ return NULL;
+ while(node->next != NULL)
+ node = node->next;
+ return node;
+}
+
+/**
+ * \brief Frees a mime entity tree
+ *
+ * \param entity The root entity
+ *
+ * \return none
+ *
+ */
+void MimeDecFreeEntity (MimeDecEntity *entity)
+{
+ if (entity == NULL)
+ return;
+ MimeDecEntity *lastSibling = findLastSibling(entity);
+ while (entity != NULL)
+ {
+ /* move child to next to transform the tree into a list */
+ if (entity->child != NULL) {
+ lastSibling->next = entity->child;
+ entity->child = NULL;
+ lastSibling = findLastSibling(lastSibling);
+ }
+
+ MimeDecEntity *next = entity->next;
+ DEBUG_VALIDATE_BUG_ON(
+ (next != NULL && entity == lastSibling) || (next == NULL && entity != lastSibling));
+ MimeDecFreeField(entity->field_list);
+ MimeDecFreeUrl(entity->url_list);
+ SCFree(entity->filename);
+ SCFree(entity);
+ entity = next;
+ }
+}
+
+/**
+ * \brief Iteratively frees a header field entry list
+ *
+ * \param field The header field
+ *
+ * \return none
+ *
+ */
+void MimeDecFreeField(MimeDecField *field)
+{
+ MimeDecField *temp, *curr;
+
+ if (field != NULL) {
+
+ curr = field;
+ while (curr != NULL) {
+ temp = curr;
+ curr = curr->next;
+
+ /* Free contents of node */
+ SCFree(temp->name);
+ SCFree(temp->value);
+
+ /* Now free node data */
+ SCFree(temp);
+ }
+ }
+}
+
+/**
+ * \brief Iteratively frees a URL entry list
+ *
+ * \param url The url entry
+ *
+ * \return none
+ *
+ */
+void MimeDecFreeUrl(MimeDecUrl *url)
+{
+ MimeDecUrl *temp, *curr;
+
+ if (url != NULL) {
+
+ curr = url;
+ while (curr != NULL) {
+ temp = curr;
+ curr = curr->next;
+
+ /* Now free node data */
+ SCFree(temp->url);
+ SCFree(temp);
+ }
+ }
+}
+
+/**
+ * \brief Creates and adds a header field entry to an entity
+ *
+ * The entity is optional. If NULL is specified, than a new stand-alone field
+ * is created.
+ *
+ * \param entity The parent entity
+ *
+ * \return The field object, or NULL if the operation fails
+ *
+ */
+MimeDecField * MimeDecAddField(MimeDecEntity *entity)
+{
+ MimeDecField *node = SCMalloc(sizeof(MimeDecField));
+ if (unlikely(node == NULL)) {
+ return NULL;
+ }
+ memset(node, 0x00, sizeof(MimeDecField));
+
+ /* If list is empty, then set as head of list */
+ if (entity->field_list == NULL) {
+ entity->field_list = node;
+ } else {
+ /* Otherwise add to beginning of list since these are out-of-order in
+ * the message */
+ node->next = entity->field_list;
+ entity->field_list = node;
+ }
+
+ return node;
+}
+
+
+/**
+ * \brief Searches for header fields with the specified name
+ *
+ * \param entity The entity to search
+ * \param name The header name (lowercase)
+ *
+ * \return number of items found
+ *
+ */
+int MimeDecFindFieldsForEach(const MimeDecEntity *entity, const char *name, int (*DataCallback)(const uint8_t *val, const size_t, void *data), void *data)
+{
+ MimeDecField *curr = entity->field_list;
+ int found = 0;
+
+ while (curr != NULL) {
+ /* name is stored lowercase */
+ if (strlen(name) == curr->name_len) {
+ if (SCMemcmp(curr->name, name, curr->name_len) == 0) {
+ if (DataCallback(curr->value, curr->value_len, data))
+ found++;
+ }
+ }
+ curr = curr->next;
+ }
+
+ return found;
+}
+
+/**
+ * \brief Searches for a header field with the specified name
+ *
+ * \param entity The entity to search
+ * \param name The header name (lowercase)
+ *
+ * \return The field object, or NULL if not found
+ *
+ */
+MimeDecField * MimeDecFindField(const MimeDecEntity *entity, const char *name) {
+ MimeDecField *curr = entity->field_list;
+
+ while (curr != NULL) {
+ /* name is stored lowercase */
+ if (strlen(name) == curr->name_len) {
+ if (SCMemcmp(curr->name, name, curr->name_len) == 0) {
+ break;
+ }
+ }
+ curr = curr->next;
+ }
+
+ return curr;
+}
+
+/**
+ * \brief Creates and adds a URL entry to the specified entity
+ *
+ * The entity is optional and if NULL is specified, then a new list will be created.
+ *
+ * \param entity The entity
+ *
+ * \return URL entry or NULL if the operation fails
+ *
+ */
+static MimeDecUrl * MimeDecAddUrl(MimeDecEntity *entity, uint8_t *url, uint32_t url_len, uint8_t flags)
+{
+ MimeDecUrl *node = SCMalloc(sizeof(MimeDecUrl));
+ if (unlikely(node == NULL)) {
+ return NULL;
+ }
+ memset(node, 0x00, sizeof(MimeDecUrl));
+
+ node->url = url;
+ node->url_len = url_len;
+ node->url_flags = flags;
+
+ /* If list is empty, then set as head of list */
+ if (entity->url_list == NULL) {
+ entity->url_list = node;
+ } else {
+ /* Otherwise add to beginning of list since these are out-of-order in
+ * the message */
+ node->next = entity->url_list;
+ entity->url_list = node;
+ }
+
+ return node;
+}
+
+/**
+ * \brief Creates and adds a child entity to the specified parent entity
+ *
+ * \param parent The parent entity
+ *
+ * \return The child entity, or NULL if the operation fails
+ *
+ */
+MimeDecEntity * MimeDecAddEntity(MimeDecEntity *parent)
+{
+ MimeDecEntity *node = SCMalloc(sizeof(MimeDecEntity));
+ if (unlikely(node == NULL)) {
+ return NULL;
+ }
+ memset(node, 0x00, sizeof(MimeDecEntity));
+
+ /* If parent is NULL then just return the new pointer */
+ if (parent != NULL) {
+ if (parent->child == NULL) {
+ parent->child = node;
+ parent->last_child = node;
+ } else {
+ parent->last_child->next = node;
+ parent->last_child = node;
+ }
+ }
+
+ return node;
+}
+
+/**
+ * \brief Creates a mime header field and fills in its values and adds it to the
+ * specified entity
+ *
+ * \param entity Entity in which to add the field
+ * \param name String containing the name
+ * \param nlen Length of the name
+ * \param value String containing the value
+ * \param vlen Length of the value
+ *
+ * \return The field or NULL if the operation fails
+ *
+ * name and val are passed as ptr to ptr and each will be set to NULL
+ * only if the pointer is consumed. This gives the caller an easy way
+ * to free the memory if not consumed.
+ */
+static MimeDecField *MimeDecFillField(
+ MimeDecEntity *entity, uint8_t **name, uint32_t nlen, uint8_t **value, uint32_t vlen)
+{
+ if (nlen == 0 && vlen == 0)
+ return NULL;
+
+ MimeDecField *field = MimeDecAddField(entity);
+ if (unlikely(field == NULL)) {
+ return NULL;
+ }
+
+ if (nlen > 0) {
+ uint8_t *n = *name;
+
+ /* convert to lowercase and store */
+ for (uint32_t u = 0; u < nlen; u++)
+ n[u] = u8_tolower(n[u]);
+
+ field->name = (uint8_t *)n;
+ field->name_len = nlen;
+ *name = NULL;
+ }
+
+ if (vlen > 0) {
+ field->value = (uint8_t *)*value;
+ field->value_len = vlen;
+ *value = NULL;
+ }
+
+ return field;
+}
+
+/**
+ * \brief Pushes a node onto a stack and returns the new node.
+ *
+ * \param stack The top of the stack
+ *
+ * \return pointer to a new node, otherwise NULL if it fails
+ */
+static MimeDecStackNode * PushStack(MimeDecStack *stack)
+{
+ /* Attempt to pull from free nodes list */
+ MimeDecStackNode *node = stack->free_nodes;
+ if (node == NULL) {
+ node = SCMalloc(sizeof(MimeDecStackNode));
+ if (unlikely(node == NULL)) {
+ return NULL;
+ }
+ } else {
+ /* Move free nodes pointer over */
+ stack->free_nodes = stack->free_nodes->next;
+ stack->free_nodes_cnt--;
+ }
+ memset(node, 0x00, sizeof(MimeDecStackNode));
+
+ /* Push to top of stack */
+ node->next = stack->top;
+ stack->top = node;
+
+ /* Return a pointer to the top of the stack */
+ return node;
+}
+
+/**
+ * \brief Pops the top node from the stack and returns the next node.
+ *
+ * \param stack The top of the stack
+ *
+ * \return pointer to the next node, otherwise NULL if no nodes remain
+ */
+static MimeDecStackNode * PopStack(MimeDecStack *stack)
+{
+ /* Move stack pointer to next item */
+ MimeDecStackNode *curr = stack->top;
+ if (curr != NULL) {
+ curr = curr->next;
+ }
+
+ /* Always free alloc'd memory */
+ SCFree(stack->top->bdef);
+
+ /* Now move head to free nodes list */
+ if (stack->free_nodes_cnt < STACK_FREE_NODES) {
+ stack->top->next = stack->free_nodes;
+ stack->free_nodes = stack->top;
+ stack->free_nodes_cnt++;
+ } else {
+ SCFree(stack->top);
+ }
+ stack->top = curr;
+
+ /* Return a pointer to the top of the stack */
+ return curr;
+}
+
+/**
+ * \brief Frees the stack along with the free-nodes list
+ *
+ * \param stack The stack pointer
+ *
+ * \return none
+ */
+static void FreeMimeDecStack(MimeDecStack *stack)
+{
+ MimeDecStackNode *temp, *curr;
+
+ if (stack != NULL) {
+ /* Top of stack */
+ curr = stack->top;
+ while (curr != NULL) {
+ temp = curr;
+ curr = curr->next;
+
+ /* Now free node */
+ SCFree(temp->bdef);
+ SCFree(temp);
+ }
+
+ /* Free nodes */
+ curr = stack->free_nodes;
+ while (curr != NULL) {
+ temp = curr;
+ curr = curr->next;
+
+ /* Now free node */
+ SCFree(temp);
+ }
+
+ SCFree(stack);
+ }
+}
+
+/**
+ * \brief Adds a data value to the data values linked list
+ *
+ * \param dv The head of the linked list (NULL if new list)
+ *
+ * \return pointer to a new node, otherwise NULL if it fails
+ */
+static DataValue * AddDataValue(DataValue *dv)
+{
+ DataValue *curr, *node = SCMalloc(sizeof(DataValue));
+ if (unlikely(node == NULL)) {
+ return NULL;
+ }
+ memset(node, 0x00, sizeof(DataValue));
+
+ if (dv != NULL) {
+ curr = dv;
+ while (curr->next != NULL) {
+ curr = curr->next;
+ }
+
+ curr->next = node;
+ }
+
+ return node;
+}
+
+/**
+ * \brief Frees a linked list of data values starting at the head
+ *
+ * \param dv The head of the linked list
+ *
+ * \return none
+ */
+static void FreeDataValue(DataValue *dv)
+{
+ DataValue *temp, *curr;
+
+ if (dv != NULL) {
+ curr = dv;
+ while (curr != NULL) {
+ temp = curr;
+ curr = curr->next;
+
+ /* Now free node */
+ SCFree(temp->value);
+ SCFree(temp);
+ }
+ }
+}
+
+/**
+ * \brief Converts a list of data values into a single value (returns dynamically
+ * allocated memory)
+ *
+ * \param dv The head of the linked list (NULL if new list)
+ * \param olen The output length of the single value
+ *
+ * \return pointer to a single value, otherwise NULL if it fails or is zero-length
+ */
+static uint8_t *GetFullValue(const DataValue *dv, uint32_t *olen)
+{
+ uint32_t offset = 0;
+ uint8_t *val = NULL;
+ uint32_t len = 0;
+ *olen = 0;
+
+ /* First calculate total length */
+ for (const DataValue *curr = dv; curr != NULL; curr = curr->next) {
+ len += curr->value_len;
+ }
+ /* Must have at least one character in the value */
+ if (len > 0) {
+ val = SCCalloc(1, len);
+ if (unlikely(val == NULL)) {
+ return NULL;
+ }
+ for (const DataValue *curr = dv; curr != NULL; curr = curr->next) {
+ memcpy(val + offset, curr->value, curr->value_len);
+ offset += curr->value_len;
+ }
+ }
+ *olen = len;
+ return val;
+}
+
+/**
+ * \brief Find a string while searching up to N characters within a source
+ * buffer
+ *
+ * \param src The source string (not null-terminated)
+ * \param len The length of the source string
+ * \param find The string to find (null-terminated)
+ * \param find_len length of the 'find' string
+ *
+ * \return Pointer to the position it was found, otherwise NULL if not found
+ */
+static inline uint8_t *FindBuffer(
+ const uint8_t *src, uint32_t len, const uint8_t *find, uint16_t find_len)
+{
+ /* Use utility search function */
+ return BasicSearchNocase(src, len, find, find_len);
+}
+
+/**
+ * \brief Get a line (CRLF or just CR or LF) from a buffer (similar to GetToken)
+ *
+ * \param buf The input buffer (not null-terminated)
+ * \param blen The length of the input buffer
+ * \param remainPtr Pointer to remaining after tokenizing iteration
+ * \param tokLen Output token length (if non-null line)
+ *
+ * \return Pointer to line
+ */
+static uint8_t * GetLine(uint8_t *buf, uint32_t blen, uint8_t **remainPtr,
+ uint32_t *tokLen)
+{
+ uint32_t i;
+ uint8_t *tok;
+
+ /* So that it can be used just like strtok_r */
+ if (buf == NULL) {
+ buf = *remainPtr;
+ } else {
+ *remainPtr = buf;
+ }
+ if (buf == NULL)
+ return NULL;
+
+ tok = buf;
+
+ /* length must be specified */
+ for (i = 0; i < blen && buf[i] != 0; i++) {
+
+ /* Found delimiter */
+ if (buf[i] == CR || buf[i] == LF) {
+
+ /* Add another if we find either CRLF or LFCR */
+ *remainPtr += (i + 1);
+ if ((i + 1 < blen) && buf[i] != buf[i + 1] &&
+ (buf[i + 1] == CR || buf[i + 1] == LF)) {
+ (*remainPtr)++;
+ }
+ break;
+ }
+ }
+
+ /* If no delimiter found, then point to end of buffer */
+ if (buf == *remainPtr) {
+ (*remainPtr) += i;
+ }
+
+ /* Calculate token length */
+ *tokLen = (buf + i) - tok;
+
+ return tok;
+}
+
+/**
+ * \brief Get token from buffer and return pointer to it
+ *
+ * \param buf The input buffer (not null-terminated)
+ * \param blen The length of the input buffer
+ * \param delims Character delimiters (null-terminated)
+ * \param remainPtr Pointer to remaining after tokenizing iteration
+ * \param tokLen Output token length (if non-null line)
+ *
+ * \return Pointer to token, or NULL if not found
+ */
+static uint8_t * GetToken(uint8_t *buf, uint32_t blen, const char *delims,
+ uint8_t **remainPtr, uint32_t *tokenLen)
+{
+ uint32_t i, j, delimFound = 0;
+ uint8_t *tok = NULL;
+
+ /* So that it can be used just like strtok_r */
+ if (buf == NULL) {
+ buf = *remainPtr;
+ } else {
+ *remainPtr = buf;
+ }
+ if (buf == NULL)
+ return NULL;
+
+ /* Must specify length */
+ for (i = 0; i < blen && buf[i] != 0; i++) {
+
+ /* Look for delimiters */
+ for (j = 0; delims[j] != 0; j++) {
+ if (buf[i] == delims[j]) {
+ /* Data must be found before delimiter matters */
+ if (tok != NULL) {
+ (*remainPtr) += (i + 1);
+ }
+ delimFound = 1;
+ break;
+ }
+ }
+
+ /* If at least one non-delimiter found, then a token is found */
+ if (tok == NULL && !delimFound) {
+ tok = buf + i;
+ } else {
+ /* Reset delimiter */
+ delimFound = 0;
+ }
+
+ /* If delimiter found, then break out of loop */
+ if (buf != *remainPtr) {
+ break;
+ }
+ }
+
+ /* Make sure remaining points to end of buffer if delimiters not found */
+ if (tok != NULL) {
+ if (buf == *remainPtr) {
+ (*remainPtr) += i;
+ }
+
+ /* Calculate token length */
+ *tokenLen = (buf + i) - tok;
+ }
+
+ return tok;
+}
+
+/**
+ * \brief Stores the final MIME header value into the current entity on the
+ * stack.
+ *
+ * \param state The parser state
+ *
+ * \return MIME_DEC_OK if stored, otherwise a negative number indicating error
+ */
+static int StoreMimeHeader(MimeDecParseState *state)
+{
+ int ret = MIME_DEC_OK;
+
+ /* Lets save the most recent header */
+ if (state->hname != NULL || state->hvalue != NULL) {
+ SCLogDebug("Storing last header");
+ uint32_t vlen;
+ uint8_t *val = GetFullValue(state->hvalue, &vlen);
+ if (val != NULL) {
+ if (state->hname == NULL) {
+ SCLogDebug("Error: Invalid parser state - header value without"
+ " name");
+ ret = MIME_DEC_ERR_PARSE;
+
+ } else if (state->stack->top != NULL) {
+ /* Store each header name and value */
+ if (MimeDecFillField(state->stack->top->data, &state->hname, state->hlen, &val,
+ vlen) == NULL) {
+ ret = MIME_DEC_ERR_MEM;
+ }
+ } else {
+ SCLogDebug("Error: Stack pointer missing");
+ ret = MIME_DEC_ERR_DATA;
+ }
+ } else {
+ if (state->hvalue != NULL) {
+ /* Memory allocation must have failed since val is NULL */
+ ret = MIME_DEC_ERR_MEM;
+ }
+ }
+
+ SCFree(val);
+ SCFree(state->hname);
+ state->hname = NULL;
+ FreeDataValue(state->hvalue);
+ state->hvalue = NULL;
+ state->hvlen = 0;
+ }
+
+ return ret;
+}
+
+/**
+ * \brief Function determines whether a url string points to an executable
+ * based on file extension only.
+ *
+ * \param url The url string
+ * \param len The url string length
+ *
+ * \retval 1 The url points to an EXE
+ * \retval 0 The url does NOT point to an EXE
+ */
+static int IsExeUrl(const uint8_t *url, uint32_t len)
+{
+ int isExeUrl = 0;
+ uint32_t i, extLen;
+ uint8_t *ext;
+
+ /* Now check for executable extensions and if not found, cut off at first '/' */
+ for (i = 0; UrlExeExts[i] != NULL; i++) {
+ extLen = strlen(UrlExeExts[i]);
+ ext = FindBuffer(url, len, (uint8_t *)UrlExeExts[i], (uint16_t)strlen(UrlExeExts[i]));
+ if (ext != NULL && (ext + extLen - url == (int)len || ext[extLen] == '?')) {
+ isExeUrl = 1;
+ break;
+ }
+ }
+
+ return isExeUrl;
+}
+
+/**
+ * \brief Function determines whether a host string is a numeric IP v4 address
+ *
+ * \param urlhost The host string
+ * \param len The host string length
+ *
+ * \retval 1 The host is a numeric IP
+ * \retval 0 The host is NOT a numeric IP
+ */
+static int IsIpv4Host(const uint8_t *urlhost, uint32_t len)
+{
+ struct sockaddr_in sa;
+ char tempIp[MAX_IP4_CHARS + 1];
+
+ /* Cut off at '/' */
+ uint32_t i = 0;
+ for ( ; i < len && urlhost[i] != 0; i++) {
+
+ if (urlhost[i] == '/') {
+ break;
+ }
+ }
+
+ /* Too many chars */
+ if (i > MAX_IP4_CHARS) {
+ return 0;
+ }
+
+ /* Create null-terminated string */
+ memcpy(tempIp, urlhost, i);
+ tempIp[i] = '\0';
+
+ if (!IPv4AddressStringIsValid(tempIp))
+ return 0;
+
+ return inet_pton(AF_INET, tempIp, &(sa.sin_addr));
+}
+
+/**
+ * \brief Function determines whether a host string is a numeric IP v6 address
+ *
+ * \param urlhost The host string
+ * \param len The host string length
+ *
+ * \retval 1 The host is a numeric IP
+ * \retval 0 The host is NOT a numeric IP
+ */
+static int IsIpv6Host(const uint8_t *urlhost, uint32_t len)
+{
+ struct in6_addr in6;
+ char tempIp[MAX_IP6_CHARS + 1];
+
+ /* Cut off at '/' */
+ uint32_t i = 0;
+ for (i = 0; i < len && urlhost[i] != 0; i++) {
+ if (urlhost[i] == '/') {
+ break;
+ }
+ }
+
+ /* Too many chars */
+ if (i > MAX_IP6_CHARS) {
+ return 0;
+ }
+
+ /* Create null-terminated string */
+ memcpy(tempIp, urlhost, i);
+ tempIp[i] = '\0';
+
+ if (!IPv6AddressStringIsValid(tempIp))
+ return 0;
+
+ return inet_pton(AF_INET6, tempIp, &in6);
+}
+
+/**
+ * \brief Traverses through the list of URLs for an exact match of the specified
+ * string
+ *
+ * \param entity The MIME entity
+ * \param url The matching URL string (lowercase)
+ * \param url_len The matching URL string length
+ *
+ * \return URL object or NULL if not found
+ */
+static MimeDecUrl *FindExistingUrl(MimeDecEntity *entity, uint8_t *url, uint32_t url_len)
+{
+ MimeDecUrl *curr = entity->url_list;
+
+ while (curr != NULL) {
+ if (url_len == curr->url_len) {
+ /* search url and stored url are both in
+ * lowercase, so we can do an exact match */
+ if (SCMemcmp(curr->url, url, url_len) == 0) {
+ break;
+ }
+ }
+ curr = curr->next;
+ }
+
+ return curr;
+}
+
+/**
+ * \brief This function searches a text or html line for a URL string
+ *
+ * The URL strings are searched for using the URL schemes defined in the global
+ * MIME config e.g. "http", "https".
+ *
+ * The found URL strings are stored in lowercase and with their schemes
+ * stripped unless the MIME config flag for log_url_scheme is set.
+ *
+ * Numeric IPs, malformed numeric IPs, and URLs pointing to executables are
+ * also flagged as URLs of interest.
+ *
+ * \param line the line
+ * \param len the line length
+ * \param state The current parser state
+ *
+ * \return MIME_DEC_OK on success, otherwise < 0 on failure
+ */
+static int FindUrlStrings(const uint8_t *line, uint32_t len,
+ MimeDecParseState *state)
+{
+ int ret = MIME_DEC_OK;
+ MimeDecEntity *entity = (MimeDecEntity *) state->stack->top->data;
+ MimeDecConfig *mdcfg = MimeDecGetConfig();
+ uint8_t *fptr, *remptr, *tok = NULL, *tempUrl, *urlHost;
+ uint32_t tokLen = 0, i, tempUrlLen, urlHostLen;
+ uint16_t schemeStrLen = 0;
+ uint8_t flags = 0;
+ ConfNode *scheme = NULL;
+ char *schemeStr = NULL;
+
+ if (mdcfg != NULL && mdcfg->extract_urls_schemes == NULL) {
+ SCLogDebug("Error: MIME config extract_urls_schemes was NULL.");
+ return MIME_DEC_ERR_DATA;
+ }
+
+ TAILQ_FOREACH (scheme, &mdcfg->extract_urls_schemes->head, next) {
+ schemeStr = scheme->val;
+ // checked against UINT16_MAX when setting in SMTPConfigure
+ schemeStrLen = (uint16_t)strlen(schemeStr);
+
+ remptr = (uint8_t *)line;
+ do {
+ SCLogDebug("Looking for URL String starting with: %s", schemeStr);
+
+ /* Check for token definition */
+ fptr = FindBuffer(remptr, len - (remptr - line), (uint8_t *)schemeStr, schemeStrLen);
+ if (fptr != NULL) {
+ if (!mdcfg->log_url_scheme) {
+ fptr += schemeStrLen; /* Strip scheme from stored URL */
+ }
+ tok = GetToken(fptr, len - (fptr - line), " \"\'<>]\t", &remptr, &tokLen);
+ if (tok == fptr) {
+ SCLogDebug("Found url string");
+
+ /* First copy to temp URL string */
+ tempUrl = SCMalloc(tokLen);
+ if (unlikely(tempUrl == NULL)) {
+ return MIME_DEC_ERR_MEM;
+ }
+
+ PrintChars(SC_LOG_DEBUG, "RAW URL", tok, tokLen);
+
+ /* Copy over to temp URL while decoding */
+ tempUrlLen = 0;
+ for (i = 0; i < tokLen && tok[i] != 0; i++) {
+ /* url is all lowercase */
+ tempUrl[tempUrlLen] = u8_tolower(tok[i]);
+ tempUrlLen++;
+ }
+
+ urlHost = tempUrl;
+ urlHostLen = tempUrlLen;
+ if (mdcfg->log_url_scheme) {
+ /* tempUrl contains the scheme in the string but
+ * IsIpv4Host & IsPv6Host methods below require
+ * an input URL string with scheme stripped. Get a
+ * reference sub-string urlHost which starts with
+ * the host instead of the scheme. */
+ urlHost += schemeStrLen;
+ urlHostLen -= schemeStrLen;
+ }
+
+ /* Determine if URL points to an EXE */
+ if (IsExeUrl(tempUrl, tempUrlLen)) {
+ flags |= URL_IS_EXE;
+
+ PrintChars(SC_LOG_DEBUG, "EXE URL", tempUrl, tempUrlLen);
+ }
+
+ /* Make sure remaining URL exists */
+ if (tempUrlLen > 0) {
+ if (!(FindExistingUrl(entity, tempUrl, tempUrlLen))) {
+ /* Now look for numeric IP */
+ if (IsIpv4Host(urlHost, urlHostLen)) {
+ flags |= URL_IS_IP4;
+
+ PrintChars(SC_LOG_DEBUG, "IP URL4", tempUrl, tempUrlLen);
+ } else if (IsIpv6Host(urlHost, urlHostLen)) {
+ flags |= URL_IS_IP6;
+
+ PrintChars(SC_LOG_DEBUG, "IP URL6", tempUrl, tempUrlLen);
+ }
+
+ /* Add URL list item */
+ MimeDecAddUrl(entity, tempUrl, tempUrlLen, flags);
+ } else {
+ SCFree(tempUrl);
+ }
+ } else {
+ SCFree(tempUrl);
+ }
+
+ /* Reset flags for next URL */
+ flags = 0;
+ }
+ }
+ } while (fptr != NULL);
+ }
+
+ return ret;
+}
+
+/**
+ * \brief This function is a pre-processor for handling decoded data chunks that
+ * then invokes the caller's callback function for further processing
+ *
+ * \param chunk The decoded chunk
+ * \param len The decoded chunk length (varies)
+ * \param state The current parser state
+ *
+ * \return MIME_DEC_OK on success, otherwise < 0 on failure
+ */
+static int ProcessDecodedDataChunk(const uint8_t *chunk, uint32_t len,
+ MimeDecParseState *state)
+{
+ int ret = MIME_DEC_OK;
+ uint8_t *remainPtr, *tok;
+ uint32_t tokLen;
+
+ if ((state->stack != NULL) && (state->stack->top != NULL) &&
+ (state->stack->top->data != NULL)) {
+ MimeDecConfig *mdcfg = MimeDecGetConfig();
+ if (mdcfg != NULL && mdcfg->extract_urls) {
+ MimeDecEntity *entity = (MimeDecEntity *) state->stack->top->data;
+ /* If plain text or html, then look for URLs */
+ if (((entity->ctnt_flags & CTNT_IS_TEXT) ||
+ (entity->ctnt_flags & CTNT_IS_MSG) ||
+ (entity->ctnt_flags & CTNT_IS_HTML)) &&
+ ((entity->ctnt_flags & CTNT_IS_ATTACHMENT) == 0)) {
+
+ /* Parse each line one by one */
+ remainPtr = (uint8_t *)chunk;
+ do {
+ tok = GetLine(
+ remainPtr, len - (remainPtr - (uint8_t *)chunk), &remainPtr, &tokLen);
+ if (tok != remainPtr) {
+ /* Search line for URL */
+ ret = FindUrlStrings(tok, tokLen, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: FindUrlStrings() function"
+ " failed: %d",
+ ret);
+ break;
+ }
+ }
+ } while (tok != remainPtr && remainPtr - (uint8_t *)chunk < (int)len);
+ }
+ }
+
+ /* Now invoke callback */
+ if (state->DataChunkProcessorFunc != NULL) {
+ ret = state->DataChunkProcessorFunc(chunk, len, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: state->dataChunkProcessor() callback function"
+ " failed");
+ }
+ }
+ } else {
+ SCLogDebug("Error: Stack pointer missing");
+ ret = MIME_DEC_ERR_DATA;
+ }
+
+ /* Reset data chunk buffer */
+ state->data_chunk_len = 0;
+
+ /* Mark body / file as no longer at beginning */
+ state->body_begin = 0;
+
+ return ret;
+}
+
+/**
+ * \brief Processes a remainder (line % 4 = remainder) from the previous line
+ * such that all base64 decoding attempts are divisible by 4
+ *
+ * \param buf The current line
+ * \param len The length of the line
+ * \param state The current parser state
+ * \param force Flag indicating whether decoding should always occur
+ *
+ * \return Number of bytes consumed from `buf`
+ */
+static uint32_t ProcessBase64Remainder(
+ const uint8_t *buf, const uint32_t len, MimeDecParseState *state, int force)
+{
+ uint32_t buf_consumed = 0; /* consumed bytes from 'buf' */
+ uint8_t cnt = 0;
+ uint8_t block[B64_BLOCK];
+
+ SCLogDebug("len %u force %d", len, force);
+
+ /* should be impossible, but lets be defensive */
+ DEBUG_VALIDATE_BUG_ON(state->bvr_len > B64_BLOCK);
+ if (state->bvr_len > B64_BLOCK) {
+ state->bvr_len = 0;
+ return 0;
+ }
+
+ /* Strip spaces in remainder */
+ for (uint8_t i = 0; i < state->bvr_len; i++) {
+ if (IsBase64Alphabet(state->bvremain[i])) {
+ block[cnt++] = state->bvremain[i];
+ }
+ }
+
+ /* if we don't have 4 bytes see if we can fill it from `buf` */
+ if (buf && len > 0 && cnt != B64_BLOCK) {
+ for (uint32_t i = 0; i < len && cnt < B64_BLOCK; i++) {
+ if (IsBase64Alphabet(buf[i])) {
+ block[cnt++] = buf[i];
+ }
+ buf_consumed++;
+ }
+ DEBUG_VALIDATE_BUG_ON(cnt > B64_BLOCK);
+ for (uint32_t i = 0; i < cnt; i++) {
+ state->bvremain[i] = block[i];
+ }
+ state->bvr_len = cnt;
+ } else if (!force && cnt != B64_BLOCK) {
+ SCLogDebug("incomplete data and no buffer to backfill");
+ return 0;
+ }
+
+ /* in force mode pad the block */
+ if (force && cnt != B64_BLOCK) {
+ SCLogDebug("force and cnt %u != %u", cnt, B64_BLOCK);
+ for (uint8_t i = state->bvr_len; i < B64_BLOCK; i++) {
+ state->bvremain[state->bvr_len++] = '=';
+ }
+ }
+
+ /* If data chunk buffer will be full, then clear it now */
+ if (DATA_CHUNK_SIZE - state->data_chunk_len < ASCII_BLOCK) {
+
+ /* Invoke pre-processor and callback */
+ uint32_t ret = ProcessDecodedDataChunk(state->data_chunk, state->data_chunk_len, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessDecodedDataChunk() function failed");
+ }
+ }
+
+ if (state->bvr_len == B64_BLOCK || force) {
+ uint32_t consumed_bytes = 0;
+ uint32_t remdec = 0;
+ const uint32_t avail_space = DATA_CHUNK_SIZE - state->data_chunk_len;
+ PrintChars(SC_LOG_DEBUG, "BASE64 INPUT (bvremain)", state->bvremain, state->bvr_len);
+ Base64Ecode code = DecodeBase64(state->data_chunk + state->data_chunk_len, avail_space,
+ state->bvremain, state->bvr_len, &consumed_bytes, &remdec, BASE64_MODE_RFC2045);
+ SCLogDebug("DecodeBase64 result %u", code);
+ if (remdec > 0 && (code == BASE64_ECODE_OK || code == BASE64_ECODE_BUF)) {
+ PrintChars(SC_LOG_DEBUG, "BASE64 DECODED (bvremain)",
+ state->data_chunk + state->data_chunk_len, remdec);
+
+ state->data_chunk_len += remdec;
+
+ /* If data chunk buffer is now full, then clear */
+ if (DATA_CHUNK_SIZE - state->data_chunk_len < ASCII_BLOCK) {
+
+ /* Invoke pre-processor and callback */
+ uint32_t ret =
+ ProcessDecodedDataChunk(state->data_chunk, state->data_chunk_len, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessDecodedDataChunk() function "
+ "failed");
+ }
+ }
+ } else if (code == BASE64_ECODE_ERR) {
+ /* Track failed base64 */
+ state->stack->top->data->anomaly_flags |= ANOM_INVALID_BASE64;
+ state->msg->anomaly_flags |= ANOM_INVALID_BASE64;
+ SCLogDebug("Error: DecodeBase64() function failed");
+ PrintChars(SC_LOG_DEBUG, "Base64 failed string", state->bvremain, state->bvr_len);
+ }
+
+ /* Reset remaining */
+ state->bvr_len = 0;
+ }
+
+ DEBUG_VALIDATE_BUG_ON(buf_consumed > len);
+ return buf_consumed;
+}
+
+static inline MimeDecRetCode ProcessBase64BodyLineCopyRemainder(
+ const uint8_t *buf, const uint32_t buf_len, const uint32_t offset, MimeDecParseState *state)
+{
+ DEBUG_VALIDATE_BUG_ON(offset > buf_len);
+ if (offset > buf_len)
+ return MIME_DEC_ERR_DATA;
+
+ for (uint32_t i = offset; i < buf_len; i++) {
+ // Skip any characters outside of the base64 alphabet as per RFC 2045
+ if (IsBase64Alphabet(buf[i])) {
+ DEBUG_VALIDATE_BUG_ON(state->bvr_len >= B64_BLOCK);
+ if (state->bvr_len >= B64_BLOCK)
+ return MIME_DEC_ERR_DATA;
+ state->bvremain[state->bvr_len++] = buf[i];
+ }
+ }
+ return MIME_DEC_OK;
+}
+
+/**
+ * \brief Processes a body line by base64-decoding and passing to the data chunk
+ * processing callback function when the buffer is read
+ *
+ * \param buf The current line
+ * \param len The length of the line
+ * \param state The current parser state
+ *
+ * \return MIME_DEC_OK on success, otherwise < 0 on failure
+ */
+static int ProcessBase64BodyLine(const uint8_t *buf, uint32_t len,
+ MimeDecParseState *state)
+{
+ int ret = MIME_DEC_OK;
+ uint32_t numDecoded, remaining = len, offset = 0;
+
+ /* Track long line TODO should we count space padding too? */
+ if (len > MAX_ENC_LINE_LEN) {
+ state->stack->top->data->anomaly_flags |= ANOM_LONG_ENC_LINE;
+ state->msg->anomaly_flags |= ANOM_LONG_ENC_LINE;
+ SCLogDebug("max encoded input line length exceeded %u > %u", len, MAX_ENC_LINE_LEN);
+ }
+
+ if (state->bvr_len + len < B64_BLOCK) {
+ return ProcessBase64BodyLineCopyRemainder(buf, len, 0, state);
+ }
+
+ /* First process remaining from previous line. We will consume
+ * state->bvremain, filling it from 'buf' until we have a properly
+ * sized block. Spaces are skipped (rfc2045). If state->bvr_len
+ * is not 0 after processing we have no data left at 'buf'. */
+ if (state->bvr_len > 0) {
+ uint32_t consumed = ProcessBase64Remainder(buf, len, state, 0);
+ DEBUG_VALIDATE_BUG_ON(consumed > len);
+ if (consumed > len)
+ return MIME_DEC_ERR_PARSE;
+
+ uint32_t left = len - consumed;
+ if (left < B64_BLOCK) {
+ DEBUG_VALIDATE_BUG_ON(left + state->bvr_len > B64_BLOCK);
+ return ProcessBase64BodyLineCopyRemainder(buf, len, consumed, state);
+ }
+
+ remaining -= consumed;
+ offset = consumed;
+ }
+
+ while (remaining > 0 && remaining >= B64_BLOCK) {
+ uint32_t consumed_bytes = 0;
+ uint32_t avail_space = DATA_CHUNK_SIZE - state->data_chunk_len;
+ PrintChars(SC_LOG_DEBUG, "BASE64 INPUT (line)", buf + offset, remaining);
+ Base64Ecode code = DecodeBase64(state->data_chunk + state->data_chunk_len, avail_space,
+ buf + offset, remaining, &consumed_bytes, &numDecoded, BASE64_MODE_RFC2045);
+ SCLogDebug("DecodeBase64 result %u", code);
+ DEBUG_VALIDATE_BUG_ON(consumed_bytes > remaining);
+ if (consumed_bytes > remaining)
+ return MIME_DEC_ERR_PARSE;
+
+ uint32_t leftover_bytes = remaining - consumed_bytes;
+ if (numDecoded > 0 && (code == BASE64_ECODE_OK || code == BASE64_ECODE_BUF)) {
+ PrintChars(SC_LOG_DEBUG, "BASE64 DECODED (line)",
+ state->data_chunk + state->data_chunk_len, numDecoded);
+
+ state->data_chunk_len += numDecoded;
+
+ if ((int)(DATA_CHUNK_SIZE - state->data_chunk_len) < 0) {
+ SCLogDebug("Error: Invalid Chunk length: %u", state->data_chunk_len);
+ return MIME_DEC_ERR_PARSE;
+ }
+ /* If buffer full, then invoke callback */
+ if (DATA_CHUNK_SIZE - state->data_chunk_len < ASCII_BLOCK) {
+ /* Invoke pre-processor and callback */
+ ret = ProcessDecodedDataChunk(state->data_chunk, state->data_chunk_len, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessDecodedDataChunk() function failed");
+ break;
+ }
+ }
+ } else if (code == BASE64_ECODE_ERR) {
+ /* Track failed base64 */
+ state->stack->top->data->anomaly_flags |= ANOM_INVALID_BASE64;
+ state->msg->anomaly_flags |= ANOM_INVALID_BASE64;
+ SCLogDebug("Error: DecodeBase64() function failed");
+ return MIME_DEC_ERR_DATA;
+ }
+
+ /* corner case: multiples spaces in the last data, leading it to exceed the block
+ * size. We strip of spaces this while storing it in bvremain */
+ if (consumed_bytes == 0 && leftover_bytes > B64_BLOCK) {
+ DEBUG_VALIDATE_BUG_ON(state->bvr_len != 0);
+ ret = ProcessBase64BodyLineCopyRemainder(buf, len, offset, state);
+ break;
+ } else if (leftover_bytes > 0 && leftover_bytes <= B64_BLOCK) {
+ /* If remaining is 4 by this time, we encountered spaces during processing */
+ DEBUG_VALIDATE_BUG_ON(state->bvr_len != 0);
+ ret = ProcessBase64BodyLineCopyRemainder(buf, len, offset + consumed_bytes, state);
+ break;
+ }
+
+ /* Update counts */
+ remaining = leftover_bytes;
+ offset += consumed_bytes;
+ }
+ if (ret == MIME_DEC_OK && state->data_chunk_len > 0) {
+ ret = ProcessDecodedDataChunk(state->data_chunk, state->data_chunk_len, state);
+ }
+ return ret;
+}
+
+/**
+ * \brief Decoded a hex character into its equivalent byte value for
+ * quoted-printable decoding
+ *
+ * \param h The hex char
+ *
+ * \return byte value on success, -1 if failed
+ **/
+static int8_t DecodeQPChar(char h)
+{
+ int8_t res = 0;
+
+ /* 0-9 */
+ if (h >= 48 && h <= 57) {
+ res = h - 48;
+ } else if (h >= 65 && h <= 70) {
+ /* A-F */
+ res = h - 55;
+ } else {
+ /* Invalid */
+ res = -1;
+ }
+
+ return res;
+
+}
+
+/**
+ * \brief Processes a quoted-printable encoded body line by decoding and passing
+ * to the data chunk processing callback function when the buffer is read
+ *
+ * \param buf The current line
+ * \param len The length of the line
+ * \param state The current parser state
+ *
+ * \return MIME_DEC_OK on success, otherwise < 0 on failure
+ */
+static int ProcessQuotedPrintableBodyLine(const uint8_t *buf, uint32_t len,
+ MimeDecParseState *state)
+{
+ int ret = MIME_DEC_OK;
+ uint32_t remaining, offset;
+ MimeDecEntity *entity = (MimeDecEntity *) state->stack->top->data;
+ uint8_t c, h1, h2, val;
+ int16_t res;
+
+ /* Track long line */
+ if (len > MAX_ENC_LINE_LEN) {
+ state->stack->top->data->anomaly_flags |= ANOM_LONG_ENC_LINE;
+ state->msg->anomaly_flags |= ANOM_LONG_ENC_LINE;
+ SCLogDebug("Error: Max encoded input line length exceeded %u > %u",
+ len, MAX_ENC_LINE_LEN);
+ }
+ if (len == 0) {
+ memcpy(state->data_chunk + state->data_chunk_len, buf + len,
+ state->current_line_delimiter_len);
+ state->data_chunk_len += state->current_line_delimiter_len;
+ return ProcessDecodedDataChunk(state->data_chunk, state->data_chunk_len, state);
+ }
+
+ remaining = len;
+ offset = 0;
+ while (remaining > 0) {
+
+ c = *(buf + offset);
+
+ /* Copy over normal character */
+ if (c != '=') {
+ state->data_chunk[state->data_chunk_len] = c;
+ state->data_chunk_len++;
+
+ /* Add CRLF sequence if end of line, unless its a partial line */
+ if (remaining == 1 && state->current_line_delimiter_len > 0) {
+ memcpy(state->data_chunk + state->data_chunk_len, CRLF, EOL_LEN);
+ state->data_chunk_len += EOL_LEN;
+ }
+ } else if (remaining > 1) {
+ /* If last character handle as soft line break by ignoring,
+ otherwise process as escaped '=' character */
+
+ /* Not enough characters */
+ if (remaining < 3) {
+ entity->anomaly_flags |= ANOM_INVALID_QP;
+ state->msg->anomaly_flags |= ANOM_INVALID_QP;
+ SCLogDebug("Error: Quoted-printable decoding failed");
+ } else {
+ h1 = *(buf + offset + 1);
+ res = DecodeQPChar(h1);
+ if (res < 0) {
+ entity->anomaly_flags |= ANOM_INVALID_QP;
+ state->msg->anomaly_flags |= ANOM_INVALID_QP;
+ SCLogDebug("Error: Quoted-printable decoding failed");
+ } else {
+ val = (uint8_t)(res << 4); /* Shift result left */
+ h2 = *(buf + offset + 2);
+ res = DecodeQPChar(h2);
+ if (res < 0) {
+ entity->anomaly_flags |= ANOM_INVALID_QP;
+ state->msg->anomaly_flags |= ANOM_INVALID_QP;
+ SCLogDebug("Error: Quoted-printable decoding failed");
+ } else {
+ /* Decoding sequence succeeded */
+ val += res;
+
+ state->data_chunk[state->data_chunk_len] = val;
+ state->data_chunk_len++;
+
+ /* Add CRLF sequence if end of line, unless for partial lines */
+ if (remaining == 3 && state->current_line_delimiter_len > 0) {
+ memcpy(state->data_chunk + state->data_chunk_len,
+ CRLF, EOL_LEN);
+ state->data_chunk_len += EOL_LEN;
+ }
+
+ /* Account for extra 2 characters in 3-character QP
+ * sequence */
+ remaining -= 2;
+ offset += 2;
+ }
+ }
+ }
+ }
+
+ /* Change by 1 */
+ remaining--;
+ offset++;
+
+ /* If buffer full, then invoke callback */
+ if (DATA_CHUNK_SIZE - state->data_chunk_len < EOL_LEN + 1) {
+
+ /* Invoke pre-processor and callback */
+ ret = ProcessDecodedDataChunk(state->data_chunk, state->data_chunk_len,
+ state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessDecodedDataChunk() function "
+ "failed");
+ }
+ }
+ }
+
+ return ret;
+}
+
+/**
+ * \brief Processes a body line by base64-decoding (if applicable) and passing to
+ * the data chunk processing callback function
+ *
+ * \param buf The current line
+ * \param len The length of the line
+ * \param state The current parser state
+ *
+ * \return MIME_DEC_OK on success, otherwise < 0 on failure
+ */
+static int ProcessBodyLine(const uint8_t *buf, uint32_t len,
+ MimeDecParseState *state)
+{
+ int ret = MIME_DEC_OK;
+ uint32_t remaining, offset, avail, tobuf;
+ MimeDecEntity *entity = (MimeDecEntity *) state->stack->top->data;
+
+ SCLogDebug("Processing body line");
+
+ /* Process base-64 content if enabled */
+ MimeDecConfig *mdcfg = MimeDecGetConfig();
+ if (mdcfg != NULL && mdcfg->decode_base64 &&
+ (entity->ctnt_flags & CTNT_IS_BASE64)) {
+
+ ret = ProcessBase64BodyLine(buf, len, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessBase64BodyLine() function failed");
+ }
+ } else if (mdcfg != NULL && mdcfg->decode_quoted_printable &&
+ (entity->ctnt_flags & CTNT_IS_QP)) {
+ /* Process quoted-printable content if enabled */
+ ret = ProcessQuotedPrintableBodyLine(buf, len, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessQuotedPrintableBodyLine() function "
+ "failed");
+ }
+ } else {
+ /* Process non-decoded content */
+ remaining = len;
+ offset = 0;
+ while (remaining > 0) {
+ /* Plan to add CRLF to the end of each line */
+ avail = DATA_CHUNK_SIZE - state->data_chunk_len;
+ tobuf = avail > remaining ? remaining : avail;
+
+ /* Copy over to buffer */
+ memcpy(state->data_chunk + state->data_chunk_len, buf + offset, tobuf);
+ state->data_chunk_len += tobuf;
+
+ if ((int) (DATA_CHUNK_SIZE - state->data_chunk_len) < 0) {
+ SCLogDebug("Error: Invalid Chunk length: %u",
+ state->data_chunk_len);
+ ret = MIME_DEC_ERR_PARSE;
+ break;
+ }
+
+ /* If buffer full, then invoke callback */
+ if (DATA_CHUNK_SIZE - state->data_chunk_len == 0) {
+ /* Invoke pre-processor and callback */
+ ret = ProcessDecodedDataChunk(state->data_chunk,
+ state->data_chunk_len, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessDecodedDataChunk() function "
+ "failed");
+ }
+ }
+
+ remaining -= tobuf;
+ offset += tobuf;
+ }
+ if (ret == MIME_DEC_OK) {
+ ret = ProcessDecodedDataChunk(state->data_chunk, state->data_chunk_len, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessDecodedDataChunk() function "
+ "failed");
+ }
+ }
+ // keep end of line for next call (and skip it on completion)
+ memcpy(state->data_chunk, buf + offset, state->current_line_delimiter_len);
+ state->data_chunk_len = state->current_line_delimiter_len;
+ }
+
+ return ret;
+}
+
+/**
+ * \brief Find the start of a header name on the current line
+ *
+ * \param buf The input line (not null-terminated)
+ * \param blen The length of the input line
+ * \param glen The output length of the header name
+ *
+ * \return Pointer to header name, or NULL if not found
+ */
+static uint8_t * FindMimeHeaderStart(const uint8_t *buf, uint32_t blen, uint32_t *hlen)
+{
+ uint32_t i, valid = 0;
+ uint8_t *hname = NULL;
+
+ /* Init */
+ *hlen = 0;
+
+ /* Look for sequence of printable characters followed by ':', or
+ CRLF then printable characters followed by ':' */
+ for (i = 0; i < blen && buf[i] != 0; i++) {
+
+ /* If ready for printable characters and found one, then increment */
+ if (buf[i] != COLON && buf[i] >= PRINTABLE_START &&
+ buf[i] <= PRINTABLE_END) {
+ valid++;
+ } else if (valid > 0 && buf[i] == COLON) {
+ /* If ready for printable characters, found some, and found colon
+ * delimiter, then a match is found */
+ hname = (uint8_t *) buf + i - valid;
+ *hlen = valid;
+ break;
+ } else {
+ /* Otherwise reset and quit */
+ break;
+ }
+ }
+
+ return hname;
+}
+
+/**
+ * \brief Find full header name and value on the current line based on the
+ * current state
+ *
+ * \param buf The current line (no CRLF)
+ * \param blen The length of the current line
+ * \param state The current state
+ *
+ * \return MIME_DEC_OK on success, otherwise < 0 on failure
+ */
+static int FindMimeHeader(const uint8_t *buf, uint32_t blen,
+ MimeDecParseState *state)
+{
+ int ret = MIME_DEC_OK;
+ uint8_t *hname, *hval = NULL;
+ DataValue *dv;
+ uint32_t hlen, vlen;
+ int finish_header = 0, new_header = 0;
+ MimeDecConfig *mdcfg = MimeDecGetConfig();
+
+ DEBUG_VALIDATE_BUG_ON(state->current_line_delimiter_len == 0 && blen < SMTP_LINE_BUFFER_LIMIT);
+
+ /* Find first header */
+ hname = FindMimeHeaderStart(buf, blen, &hlen);
+ if (hname != NULL) {
+
+ /* Warn and track but don't do anything yet */
+ if (hlen > MAX_HEADER_NAME) {
+ state->stack->top->data->anomaly_flags |= ANOM_LONG_HEADER_NAME;
+ state->msg->anomaly_flags |= ANOM_LONG_HEADER_NAME;
+ SCLogDebug("Error: Header name exceeds limit (%u > %u)",
+ hlen, MAX_HEADER_NAME);
+ }
+
+ /* Value starts after 'header:' (normalize spaces) */
+ hval = hname + hlen + 1;
+ if (hval - buf >= (int)blen) {
+ SCLogDebug("No Header value found");
+ hval = NULL;
+ } else {
+ while (hval[0] == ' ') {
+
+ /* If last character before end of bounds, set to NULL */
+ if (hval - buf >= (int)blen - 1) {
+ SCLogDebug("No Header value found");
+ hval = NULL;
+ break;
+ }
+
+ hval++;
+ }
+ }
+
+ /* If new header found, then previous header is finished */
+ if (state->state_flag == HEADER_STARTED) {
+ finish_header = 1;
+ }
+
+ /* Now process new header */
+ new_header = 1;
+
+ /* Must wait for next line to determine if finished */
+ state->state_flag = HEADER_STARTED;
+ } else if (blen == 0) {
+ /* Found body */
+ /* No more headers */
+ state->state_flag = HEADER_DONE;
+
+ finish_header = 1;
+
+ SCLogDebug("All Header processing finished");
+ } else if (state->state_flag == HEADER_STARTED) {
+ /* Found multi-line value (ie. Received header) */
+ /* If max header value exceeded, flag it */
+ vlen = blen;
+ if ((mdcfg != NULL) && (state->hvlen + vlen > mdcfg->header_value_depth)) {
+ SCLogDebug("Error: Header value of length (%u) is too long",
+ state->hvlen + vlen);
+ vlen = mdcfg->header_value_depth - state->hvlen;
+ state->stack->top->data->anomaly_flags |= ANOM_LONG_HEADER_VALUE;
+ state->msg->anomaly_flags |= ANOM_LONG_HEADER_VALUE;
+ }
+ if (vlen > 0) {
+ dv = AddDataValue(state->hvalue);
+ if (dv == NULL) {
+ return MIME_DEC_ERR_MEM;
+ }
+ if (state->hvalue == NULL) {
+ state->hvalue = dv;
+ }
+
+ dv->value = SCMalloc(vlen);
+ if (unlikely(dv->value == NULL)) {
+ return MIME_DEC_ERR_MEM;
+ }
+ memcpy(dv->value, buf, vlen);
+ dv->value_len = vlen;
+ state->hvlen += vlen;
+ }
+ } else {
+ /* Likely a body without headers */
+ SCLogDebug("No headers found");
+
+ state->state_flag = BODY_STARTED;
+
+ /* Flag beginning of body */
+ state->body_begin = 1;
+ state->body_end = 0;
+
+ // Begin the body md5 computation if config asks so
+ if (MimeDecGetConfig()->body_md5 && state->md5_ctx == NULL) {
+ state->md5_ctx = SCMd5New();
+ SCMd5Update(state->md5_ctx, buf, blen + state->current_line_delimiter_len);
+ }
+
+ ret = ProcessBodyLine(buf, blen, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessBodyLine() function failed");
+ return ret;
+ }
+ }
+
+ /* If we need to finish a header, then do so below and then cleanup */
+ if (finish_header) {
+ /* Store the header value */
+ ret = StoreMimeHeader(state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: StoreMimeHeader() function failed");
+ return ret;
+ }
+ }
+
+ /* When next header is found, we always create a new one */
+ if (new_header) {
+ /* Copy name and value to state */
+ state->hname = SCMalloc(hlen);
+ if (unlikely(state->hname == NULL)) {
+ return MIME_DEC_ERR_MEM;
+ }
+ memcpy(state->hname, hname, hlen);
+ state->hlen = hlen;
+
+ if (state->hvalue != NULL) {
+ SCLogDebug("Error: Parser failed due to unexpected header "
+ "value");
+ return MIME_DEC_ERR_DATA;
+ }
+
+ if (hval != NULL) {
+ /* If max header value exceeded, flag it */
+ vlen = blen - (hval - buf);
+ if ((mdcfg != NULL) && (state->hvlen + vlen > mdcfg->header_value_depth)) {
+ SCLogDebug("Error: Header value of length (%u) is too long",
+ state->hvlen + vlen);
+ vlen = mdcfg->header_value_depth - state->hvlen;
+ state->stack->top->data->anomaly_flags |= ANOM_LONG_HEADER_VALUE;
+ state->msg->anomaly_flags |= ANOM_LONG_HEADER_VALUE;
+ }
+
+ if (vlen > 0) {
+ state->hvalue = AddDataValue(NULL);
+ if (state->hvalue == NULL) {
+ return MIME_DEC_ERR_MEM;
+ }
+ state->hvalue->value = SCMalloc(vlen);
+ if (unlikely(state->hvalue->value == NULL)) {
+ return MIME_DEC_ERR_MEM;
+ }
+ memcpy(state->hvalue->value, hval, vlen);
+ state->hvalue->value_len = vlen;
+ state->hvlen += vlen;
+ }
+ }
+ }
+
+ return ret;
+}
+
+/**
+ * \brief Processes the current line for mime headers and also does post-processing
+ * when all headers found
+ *
+ * \param buf The current line
+ * \param len The length of the line
+ * \param state The current parser state
+ *
+ * \return MIME_DEC_OK on success, otherwise < 0 on failure
+ */
+static int ProcessMimeHeaders(const uint8_t *buf, uint32_t len,
+ MimeDecParseState *state)
+{
+ int ret = MIME_DEC_OK;
+ MimeDecField *field;
+ uint8_t *rptr = NULL;
+ uint32_t blen = 0;
+ MimeDecEntity *entity = (MimeDecEntity *) state->stack->top->data;
+ uint8_t bptr[RS_MIME_MAX_TOKEN_LEN];
+
+ /* Look for mime header in current line */
+ ret = FindMimeHeader(buf, len, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: FindMimeHeader() function failed: %d", ret);
+ return ret;
+ }
+
+ /* Post-processing after all headers done */
+ if (state->state_flag == HEADER_DONE) {
+ /* First determine encoding by looking at Content-Transfer-Encoding */
+ field = MimeDecFindField(entity, CTNT_TRAN_STR);
+ if (field != NULL) {
+ /* Look for base64 */
+ if (FindBuffer(field->value, field->value_len, (const uint8_t *)BASE64_STR,
+ (uint16_t)strlen(BASE64_STR))) {
+ SCLogDebug("Base64 encoding found");
+ entity->ctnt_flags |= CTNT_IS_BASE64;
+ } else if (FindBuffer(field->value, field->value_len, (const uint8_t *)QP_STR,
+ (uint16_t)strlen(QP_STR))) {
+ /* Look for quoted-printable */
+ SCLogDebug("quoted-printable encoding found");
+ entity->ctnt_flags |= CTNT_IS_QP;
+ }
+ }
+
+ /* Check for file attachment in content disposition */
+ field = MimeDecFindField(entity, CTNT_DISP_STR);
+ if (field != NULL) {
+ bool truncated_name = false;
+ if (rs_mime_find_header_token(field->value, field->value_len,
+ (const uint8_t *)"filename", strlen("filename"), &bptr, &blen)) {
+ SCLogDebug("File attachment found in disposition");
+ entity->ctnt_flags |= CTNT_IS_ATTACHMENT;
+
+ if (blen > RS_MIME_MAX_TOKEN_LEN) {
+ blen = RS_MIME_MAX_TOKEN_LEN;
+ truncated_name = true;
+ }
+
+ /* Copy over using dynamic memory */
+ entity->filename = SCMalloc(blen);
+ if (unlikely(entity->filename == NULL)) {
+ return MIME_DEC_ERR_MEM;
+ }
+ memcpy(entity->filename, bptr, blen);
+ entity->filename_len = blen;
+
+ if (truncated_name) {
+ state->stack->top->data->anomaly_flags |= ANOM_LONG_FILENAME;
+ state->msg->anomaly_flags |= ANOM_LONG_FILENAME;
+ }
+ }
+ }
+
+ /* Check for boundary, encapsulated message, and file name in Content-Type */
+ field = MimeDecFindField(entity, CTNT_TYPE_STR);
+ if (field != NULL) {
+ /* Check if child entity boundary definition found */
+ // RS_MIME_MAX_TOKEN_LEN is RS_MIME_MAX_TOKEN_LEN on the rust side
+ if (rs_mime_find_header_token(field->value, field->value_len,
+ (const uint8_t *)"boundary", strlen("boundary"), &bptr, &blen)) {
+ state->found_child = 1;
+ entity->ctnt_flags |= CTNT_IS_MULTIPART;
+
+ if (blen > (BOUNDARY_BUF - 2)) {
+ state->stack->top->data->anomaly_flags |= ANOM_LONG_BOUNDARY;
+ return MIME_DEC_ERR_PARSE;
+ }
+
+ /* Store boundary in parent node */
+ state->stack->top->bdef = SCMalloc(blen);
+ if (unlikely(state->stack->top->bdef == NULL)) {
+ return MIME_DEC_ERR_MEM;
+ }
+ memcpy(state->stack->top->bdef, bptr, blen);
+ state->stack->top->bdef_len = (uint16_t)blen;
+ }
+
+ /* Look for file name (if not already found) */
+ if (!(entity->ctnt_flags & CTNT_IS_ATTACHMENT)) {
+ bool truncated_name = false;
+ if (rs_mime_find_header_token(field->value, field->value_len,
+ (const uint8_t *)"name", strlen("name"), &bptr, &blen)) {
+ SCLogDebug("File attachment found");
+ entity->ctnt_flags |= CTNT_IS_ATTACHMENT;
+
+ if (blen > RS_MIME_MAX_TOKEN_LEN) {
+ blen = RS_MIME_MAX_TOKEN_LEN;
+ truncated_name = true;
+ }
+
+ /* Copy over using dynamic memory */
+ entity->filename = SCMalloc(blen);
+ if (unlikely(entity->filename == NULL)) {
+ return MIME_DEC_ERR_MEM;
+ }
+ memcpy(entity->filename, bptr, blen);
+ entity->filename_len = blen;
+
+ if (truncated_name) {
+ state->stack->top->data->anomaly_flags |= ANOM_LONG_FILENAME;
+ state->msg->anomaly_flags |= ANOM_LONG_FILENAME;
+ }
+ }
+ }
+
+ /* Pull out short-hand content type */
+ entity->ctnt_type = GetToken(field->value, field->value_len, " \r\n;",
+ &rptr, &entity->ctnt_type_len);
+ if (entity->ctnt_type != NULL) {
+ /* Check for encapsulated message */
+ if (FindBuffer(entity->ctnt_type, entity->ctnt_type_len, (const uint8_t *)MSG_STR,
+ (uint16_t)strlen(MSG_STR))) {
+ SCLogDebug("Found encapsulated message entity");
+
+ entity->ctnt_flags |= CTNT_IS_ENV;
+
+ /* Create and push child to stack */
+ MimeDecEntity *child = MimeDecAddEntity(entity);
+ if (child == NULL)
+ return MIME_DEC_ERR_MEM;
+ child->ctnt_flags |= (CTNT_IS_ENCAP | CTNT_IS_MSG);
+ PushStack(state->stack);
+ state->stack->top->data = child;
+
+ /* Mark as encapsulated child */
+ state->stack->top->is_encap = 1;
+
+ /* Ready to parse headers */
+ state->state_flag = HEADER_READY;
+ } else if (FindBuffer(entity->ctnt_type, entity->ctnt_type_len,
+ (const uint8_t *)MULTIPART_STR,
+ (uint16_t)strlen(MULTIPART_STR))) {
+ /* Check for multipart */
+ SCLogDebug("Found multipart entity");
+ entity->ctnt_flags |= CTNT_IS_MULTIPART;
+ } else if (FindBuffer(entity->ctnt_type, entity->ctnt_type_len,
+ (const uint8_t *)TXT_STR, (uint16_t)strlen(TXT_STR))) {
+ /* Check for plain text */
+ SCLogDebug("Found plain text entity");
+ entity->ctnt_flags |= CTNT_IS_TEXT;
+ } else if (FindBuffer(entity->ctnt_type, entity->ctnt_type_len,
+ (const uint8_t *)HTML_STR, (uint16_t)strlen(HTML_STR))) {
+ /* Check for html */
+ SCLogDebug("Found html entity");
+ entity->ctnt_flags |= CTNT_IS_HTML;
+ }
+ }
+ }
+
+ /* Store pointer to Message-ID */
+ field = MimeDecFindField(entity, MSG_ID_STR);
+ if (field != NULL) {
+ entity->msg_id = field->value;
+ entity->msg_id_len = field->value_len;
+ }
+
+ /* Flag beginning of body */
+ state->body_begin = 1;
+ state->body_end = 0;
+ }
+
+ return ret;
+}
+
+/**
+ * \brief Indicates to the parser that the body of an entity has completed
+ * processing on the previous line
+ *
+ * \param state The current parser state
+ *
+ * \return MIME_DEC_OK on success, otherwise < 0 on failure
+ */
+
+static int ProcessBodyComplete(MimeDecParseState *state)
+{
+ int ret = MIME_DEC_OK;
+
+ SCLogDebug("Process body complete called");
+
+ /* Mark the file as hitting the end */
+ state->body_end = 1;
+
+ if (state->bvr_len > 0) {
+ SCLogDebug("Found (%u) remaining base64 bytes not processed",
+ state->bvr_len);
+
+ /* Process the remainder */
+ ret = ProcessBase64Remainder(NULL, 0, state, 1);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessBase64BodyLine() function failed");
+ }
+ }
+
+ MimeDecEntity *entity = (MimeDecEntity *)state->stack->top->data;
+ if ((entity->ctnt_flags & (CTNT_IS_BASE64 | CTNT_IS_QP)) == 0) {
+ // last eol of plaintext is the beginning of the boundary
+ state->data_chunk_len = 0;
+ }
+ /* Invoke pre-processor and callback with remaining data */
+ ret = ProcessDecodedDataChunk(state->data_chunk, state->data_chunk_len, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessDecodedDataChunk() function failed");
+ }
+
+ /* Now reset */
+ state->body_begin = 0;
+ state->body_end = 0;
+
+ return ret;
+}
+
+/**
+ * \brief When a mime boundary is found, look for end boundary and also do stack
+ * management
+ *
+ * \param buf The current line
+ * \param len The length of the line
+ * \param bdef_len The length of the current boundary
+ *
+ * \return MIME_DEC_OK on success, otherwise < 0 on failure
+ */
+static int ProcessMimeBoundary(
+ const uint8_t *buf, uint32_t len, uint16_t bdef_len, MimeDecParseState *state)
+{
+ int ret = MIME_DEC_OK;
+ uint8_t *rptr;
+ MimeDecEntity *child;
+
+ SCLogDebug("PROCESSING BOUNDARY - START: %d",
+ state->state_flag);
+
+ /* If previous line was not an end boundary, then we process the body as
+ * completed */
+ if (state->state_flag != BODY_END_BOUND) {
+
+ /* First lets complete the body */
+ ret = ProcessBodyComplete(state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessBodyComplete() function failed");
+ return ret;
+ }
+ } else {
+ /* If last line was an end boundary, then now we are ready to parse
+ * headers again */
+ state->state_flag = HEADER_READY;
+ }
+
+ /* Update remaining buffer */
+ rptr = (uint8_t *) buf + bdef_len + 2;
+
+ /* If entity is encapsulated and current and parent didn't define the boundary,
+ * then pop out */
+ if (state->stack->top->is_encap && state->stack->top->bdef_len == 0) {
+
+ if (state->stack->top->next == NULL) {
+ SCLogDebug("Error: Missing parent entity from stack");
+ return MIME_DEC_ERR_DATA;
+ }
+
+ if (state->stack->top->next->bdef_len == 0) {
+
+ SCLogDebug("POPPED ENCAPSULATED CHILD FROM STACK: %p=%p",
+ state->stack->top, state->stack->top->data);
+
+ /* If end of boundary found, pop the child off the stack */
+ PopStack(state->stack);
+ if (state->stack->top == NULL) {
+ SCLogDebug("Error: Message is malformed");
+ return MIME_DEC_ERR_DATA;
+ }
+ }
+ }
+
+ /* Now check for end of nested boundary */
+ if (len - (rptr - buf) > 1 && rptr[0] == DASH && rptr[1] == DASH) {
+ SCLogDebug("FOUND END BOUNDARY, POPPING: %p=%p",
+ state->stack->top, state->stack->top->data);
+
+ /* If end of boundary found, pop the child off the stack */
+ PopStack(state->stack);
+ if (state->stack->top == NULL) {
+ SCLogDebug("Error: Message is malformed");
+ return MIME_DEC_ERR_DATA;
+ }
+
+ /* If current is an encapsulated message with a boundary definition,
+ * then pop him as well */
+ if (state->stack->top->is_encap && state->stack->top->bdef_len != 0) {
+ SCLogDebug("FOUND END BOUNDARY AND ENCAP, POPPING: %p=%p",
+ state->stack->top, state->stack->top->data);
+
+ PopStack(state->stack);
+ if (state->stack->top == NULL) {
+ SCLogDebug("Error: Message is malformed");
+ return MIME_DEC_ERR_DATA;
+ }
+ }
+
+ state->state_flag = BODY_END_BOUND;
+ } else if (state->found_child) {
+ /* Otherwise process new child */
+ SCLogDebug("Child entity created");
+
+ /* Create and push child to stack */
+ child = MimeDecAddEntity(state->stack->top->data);
+ if (child == NULL)
+ return MIME_DEC_ERR_MEM;
+ child->ctnt_flags |= CTNT_IS_BODYPART;
+ PushStack(state->stack);
+ state->stack->top->data = child;
+
+ /* Reset flag */
+ state->found_child = 0;
+ } else {
+ /* Otherwise process sibling */
+ if (state->stack->top->next == NULL) {
+ SCLogDebug("Error: Missing parent entity from stack");
+ return MIME_DEC_ERR_DATA;
+ }
+
+ SCLogDebug("SIBLING CREATED, POPPING PARENT: %p=%p",
+ state->stack->top, state->stack->top->data);
+
+ /* First pop current to get access to parent */
+ PopStack(state->stack);
+ if (state->stack->top == NULL) {
+ SCLogDebug("Error: Message is malformed");
+ return MIME_DEC_ERR_DATA;
+ }
+
+ /* Create and push child to stack */
+ child = MimeDecAddEntity(state->stack->top->data);
+ if (child == NULL)
+ return MIME_DEC_ERR_MEM;
+ child->ctnt_flags |= CTNT_IS_BODYPART;
+ PushStack(state->stack);
+ state->stack->top->data = child;
+ }
+
+ /* After boundary look for headers */
+ if (state->state_flag != BODY_END_BOUND) {
+ state->state_flag = HEADER_READY;
+ }
+
+ SCLogDebug("PROCESSING BOUNDARY - END: %d", state->state_flag);
+ return ret;
+}
+
+/**
+ * \brief Processes the MIME Entity body based on the input line and current
+ * state of the parser
+ *
+ * \param buf The current line
+ * \param len The length of the line
+ *
+ * \return MIME_DEC_OK on success, otherwise < 0 on failure
+ */
+static int ProcessMimeBody(const uint8_t *buf, uint32_t len,
+ MimeDecParseState *state)
+{
+ int ret = MIME_DEC_OK;
+ uint8_t temp[BOUNDARY_BUF];
+ uint8_t *bstart;
+ int body_found = 0;
+ uint16_t tlen;
+
+ /* pass empty lines on if we're parsing the body, otherwise we have no use
+ * for them, and in fact they would disrupt the state tracking */
+ if (len == 0) {
+ /* don't start a new body after an end bound based on an empty line */
+ if (state->state_flag == BODY_END_BOUND) {
+ SCLogDebug("skip empty line");
+ return MIME_DEC_OK;
+ } else if (state->state_flag == HEADER_DONE) {
+ SCLogDebug("empty line, lets see if we skip it. We're in state %s",
+ MimeDecParseStateGetStatus(state));
+ MimeDecEntity *entity = (MimeDecEntity *)state->stack->top->data;
+ MimeDecConfig *mdcfg = MimeDecGetConfig();
+ if (entity != NULL && mdcfg != NULL) {
+ if (mdcfg->decode_base64 && (entity->ctnt_flags & CTNT_IS_BASE64)) {
+ SCLogDebug("skip empty line");
+ return MIME_DEC_OK;
+ }
+ SCLogDebug("not skipping empty line");
+ }
+ } else {
+ SCLogDebug("not skipping line at state %s", MimeDecParseStateGetStatus(state));
+ }
+ }
+
+ /* First look for boundary */
+ MimeDecStackNode *node = state->stack->top;
+ if (node == NULL) {
+ SCLogDebug("Error: Invalid stack state");
+ return MIME_DEC_ERR_PARSE;
+ }
+
+ /* Traverse through stack to find a boundary definition */
+ if (state->state_flag == BODY_END_BOUND || node->bdef == NULL) {
+
+ /* If not found, then use parent's boundary */
+ node = node->next;
+ while (node != NULL && node->bdef == NULL) {
+ SCLogDebug("Traversing through stack for node with boundary");
+ node = node->next;
+ }
+ }
+
+ /* This means no boundary / parent w/boundary was found so we are in the body */
+ if (node == NULL) {
+ body_found = 1;
+ } else {
+
+ /* Now look for start of boundary */
+ if (len > 1 && buf[0] == '-' && buf[1] == '-') {
+
+ tlen = node->bdef_len + 2;
+ if (tlen > BOUNDARY_BUF) {
+ if (state->stack->top->data)
+ state->stack->top->data->anomaly_flags |= ANOM_LONG_BOUNDARY;
+ SCLogDebug("Error: Long boundary: tlen %u > %d. Set ANOM_LONG_BOUNDARY", tlen,
+ BOUNDARY_BUF);
+ return MIME_DEC_ERR_PARSE;
+ }
+
+ memcpy(temp, "--", 2);
+ memcpy(temp + 2, node->bdef, node->bdef_len);
+
+ /* Find either next boundary or end boundary */
+ bstart = FindBuffer(buf, len, temp, tlen);
+ if (bstart != NULL) {
+ ret = ProcessMimeBoundary(buf, len, node->bdef_len, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessMimeBoundary() function "
+ "failed");
+ return ret;
+ }
+ } else {
+ /* Otherwise add value to body */
+ body_found = 1;
+ }
+ } else {
+ /* Otherwise add value to body */
+ body_found = 1;
+ }
+ }
+
+ /* Process body line */
+ if (body_found) {
+ state->state_flag = BODY_STARTED;
+
+ ret = ProcessBodyLine(buf, len, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessBodyLine() function failed");
+ return ret;
+ }
+ }
+
+ return ret;
+}
+
+const char *MimeDecParseStateGetStatus(MimeDecParseState *state)
+{
+ return StateFlags[state->state_flag];
+}
+
+/**
+ * \brief Processes the MIME Entity based on the input line and current state of
+ * the parser
+ *
+ * \param buf The current line
+ * \param len The length of the line
+ *
+ * \return MIME_DEC_OK on success, otherwise < 0 on failure
+ */
+static int ProcessMimeEntity(const uint8_t *buf, uint32_t len,
+ MimeDecParseState *state)
+{
+ int ret = MIME_DEC_OK;
+
+ SCLogDebug("START FLAG: %s", StateFlags[state->state_flag]);
+
+ if (state->state_flag == PARSE_ERROR) {
+ SCLogDebug("START FLAG: PARSE_ERROR, bail");
+ return MIME_DEC_ERR_STATE;
+ }
+
+ /* Track long line */
+ if (len > MAX_LINE_LEN) {
+ state->stack->top->data->anomaly_flags |= ANOM_LONG_LINE;
+ state->msg->anomaly_flags |= ANOM_LONG_LINE;
+ SCLogDebug("Error: Max input line length exceeded %u > %u", len,
+ MAX_LINE_LEN);
+ }
+
+ if (!g_disable_hashing) {
+ if ((state->state_flag != HEADER_READY && state->state_flag != HEADER_STARTED) ||
+ (state->stack->top->data->ctnt_flags & CTNT_IS_BODYPART)) {
+ if (MimeDecGetConfig()->body_md5) {
+ if (state->body_begin == 1 && state->md5_ctx == NULL) {
+ state->md5_ctx = SCMd5New();
+ }
+ SCMd5Update(state->md5_ctx, buf, len + state->current_line_delimiter_len);
+ }
+ }
+ }
+
+ /* Looking for headers */
+ if (state->state_flag == HEADER_READY ||
+ state->state_flag == HEADER_STARTED) {
+
+ SCLogDebug("Processing Headers");
+
+ /* Process message headers */
+ ret = ProcessMimeHeaders(buf, len, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessMimeHeaders() function failed: %d",
+ ret);
+ return ret;
+ }
+ } else {
+ /* Processing body */
+ SCLogDebug("Processing Body of: %p", state->stack->top);
+
+ ret = ProcessMimeBody(buf, len, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessMimeBody() function failed: %d",
+ ret);
+ return ret;
+ }
+ }
+
+ SCLogDebug("END FLAG: %s", StateFlags[state->state_flag]);
+
+ return ret;
+}
+
+/**
+ * \brief Init the parser by allocating memory for the state and top-level entity
+ *
+ * \param data A caller-specified pointer to data for access within the data chunk
+ * processor callback function
+ * \param dcpfunc The data chunk processor callback function
+ *
+ * \return A pointer to the state object, or NULL if the operation fails
+ */
+MimeDecParseState * MimeDecInitParser(void *data,
+ int (*DataChunkProcessorFunc)(const uint8_t *chunk, uint32_t len,
+ MimeDecParseState *state))
+{
+ MimeDecParseState *state;
+ MimeDecEntity *mimeMsg;
+
+ state = SCMalloc(sizeof(MimeDecParseState));
+ if (unlikely(state == NULL)) {
+ return NULL;
+ }
+ memset(state, 0x00, sizeof(MimeDecParseState));
+
+ state->stack = SCMalloc(sizeof(MimeDecStack));
+ if (unlikely(state->stack == NULL)) {
+ SCFree(state);
+ return NULL;
+ }
+ memset(state->stack, 0x00, sizeof(MimeDecStack));
+
+ mimeMsg = SCMalloc(sizeof(MimeDecEntity));
+ if (unlikely(mimeMsg == NULL)) {
+ SCFree(state->stack);
+ SCFree(state);
+ return NULL;
+ }
+ memset(mimeMsg, 0x00, sizeof(MimeDecEntity));
+ mimeMsg->ctnt_flags |= CTNT_IS_MSG;
+
+ /* Init state */
+ state->msg = mimeMsg;
+ PushStack(state->stack);
+ if (state->stack->top == NULL) {
+ SCFree(state->stack);
+ SCFree(state);
+ return NULL;
+ }
+ state->stack->top->data = mimeMsg;
+ state->state_flag = HEADER_READY;
+ state->data = data;
+ state->DataChunkProcessorFunc = DataChunkProcessorFunc;
+
+ return state;
+}
+
+/**
+ * \brief De-Init parser by freeing up any residual memory
+ *
+ * \param state The parser state
+ *
+ * \return none
+ */
+void MimeDecDeInitParser(MimeDecParseState *state)
+{
+ uint32_t cnt = 0;
+
+ while (state->stack->top != NULL) {
+ SCLogDebug("Remaining on stack: [%p]=>[%p]",
+ state->stack->top, state->stack->top->data);
+
+ PopStack(state->stack);
+ cnt++;
+ }
+
+ if (cnt > 1) {
+ state->msg->anomaly_flags |= ANOM_MALFORMED_MSG;
+ SCLogDebug("Warning: Stack is not empty upon completion of "
+ "processing (%u items remaining)", cnt);
+ }
+
+ SCFree(state->hname);
+ FreeDataValue(state->hvalue);
+ FreeMimeDecStack(state->stack);
+ if (state->md5_ctx)
+ SCMd5Free(state->md5_ctx);
+ SCFree(state);
+}
+
+/**
+ * \brief Called to indicate that the last message line has been processed and
+ * the parsing operation is complete
+ *
+ * This function should be called directly by the caller.
+ *
+ * \param state The parser state
+ *
+ * \return MIME_DEC_OK on success, otherwise < 0 on failure
+ */
+int MimeDecParseComplete(MimeDecParseState *state)
+{
+ int ret = MIME_DEC_OK;
+
+ SCLogDebug("Parsing flagged as completed");
+
+ if (state->state_flag == PARSE_ERROR) {
+ SCLogDebug("parser in error state: PARSE_ERROR");
+ return MIME_DEC_ERR_STATE;
+ }
+
+ /* Store the header value */
+ ret = StoreMimeHeader(state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: StoreMimeHeader() function failed");
+ return ret;
+ }
+
+ /* Lets complete the body */
+ ret = ProcessBodyComplete(state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: ProcessBodyComplete() function failed");
+ return ret;
+ }
+
+ if (state->md5_ctx) {
+ SCMd5Finalize(state->md5_ctx, state->md5, sizeof(state->md5));
+ state->md5_ctx = NULL;
+ state->has_md5 = true;
+ }
+
+ if (state->stack->top == NULL) {
+ state->msg->anomaly_flags |= ANOM_MALFORMED_MSG;
+ SCLogDebug("Error: Message is malformed");
+ return MIME_DEC_ERR_DATA;
+ }
+
+ /* If encapsulated, pop off the stack */
+ if (state->stack->top->is_encap) {
+ PopStack(state->stack);
+ if (state->stack->top == NULL) {
+ state->msg->anomaly_flags |= ANOM_MALFORMED_MSG;
+ SCLogDebug("Error: Message is malformed");
+ return MIME_DEC_ERR_DATA;
+ }
+ }
+
+ /* Look extra stack items remaining */
+ if (state->stack->top->next != NULL) {
+ state->msg->anomaly_flags |= ANOM_MALFORMED_MSG;
+ SCLogDebug("Warning: Message has unclosed message part boundary");
+ }
+
+ state->state_flag = PARSE_DONE;
+
+ return ret;
+}
+
+/**
+ * \brief Parse a line of a MIME message and update the parser state
+ *
+ * \param line A string representing the line (w/out CRLF)
+ * \param len The length of the line
+ * \param delim_len The length of the line end delimiter
+ * \param state The parser state
+ *
+ * \return MIME_DEC_OK on success, otherwise < 0 on failure
+ */
+int MimeDecParseLine(const uint8_t *line, const uint32_t len,
+ const uint8_t delim_len, MimeDecParseState *state)
+{
+ int ret = MIME_DEC_OK;
+
+ /* For debugging purposes */
+ if (len > 0) {
+ PrintChars(SC_LOG_DEBUG, "SMTP LINE", line, len);
+ } else {
+ SCLogDebug("SMTP LINE - EMPTY");
+ }
+
+ state->current_line_delimiter_len = delim_len;
+ /* Process the entity */
+ ret = ProcessMimeEntity(line, len, state);
+ if (ret != MIME_DEC_OK) {
+ state->state_flag = PARSE_ERROR;
+ SCLogDebug("Error: ProcessMimeEntity() function failed: %d", ret);
+ }
+
+ return ret;
+}
+
+/**
+ * \brief Parses an entire message when available in its entirety (wraps the
+ * line-based parsing functions)
+ *
+ * \param buf Buffer pointing to the full message
+ * \param blen Length of the buffer
+ * \param data Caller data to be available in callback
+ * \param dcpfunc Callback for processing each decoded body data chunk
+ *
+ * \return A pointer to the decoded MIME message, or NULL if the operation fails
+ */
+MimeDecEntity * MimeDecParseFullMsg(const uint8_t *buf, uint32_t blen, void *data,
+ int (*dcpfunc)(const uint8_t *chunk, uint32_t len,
+ MimeDecParseState *state))
+{
+ int ret = MIME_DEC_OK;
+ uint8_t *remainPtr, *tok;
+ uint32_t tokLen;
+
+ MimeDecParseState *state = MimeDecInitParser(data, dcpfunc);
+ if (state == NULL) {
+ SCLogDebug("Error: MimeDecInitParser() function failed to create "
+ "state");
+ return NULL;
+ }
+
+ MimeDecEntity *msg = state->msg;
+
+ /* Parse each line one by one */
+ remainPtr = (uint8_t *) buf;
+ uint8_t *line = NULL;
+ do {
+ tok = GetLine(remainPtr, blen - (remainPtr - buf), &remainPtr, &tokLen);
+ if (tok != remainPtr) {
+
+ line = tok;
+
+ if ((remainPtr - tok) - tokLen > UINT8_MAX) {
+ SCLogDebug("Error: MimeDecParseLine() overflow: %ld", (remainPtr - tok) - tokLen);
+ ret = MIME_DEC_ERR_OVERFLOW;
+ break;
+ }
+ state->current_line_delimiter_len = (uint8_t)((remainPtr - tok) - tokLen);
+ /* Parse the line */
+ ret = MimeDecParseLine(line, tokLen, state->current_line_delimiter_len, state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: MimeDecParseLine() function failed: %d",
+ ret);
+ break;
+ }
+ }
+
+ } while (tok != remainPtr && remainPtr - buf < (int)blen);
+
+ if (ret == MIME_DEC_OK) {
+ SCLogDebug("Message parser was successful");
+
+ /* Now complete message */
+ ret = MimeDecParseComplete(state);
+ if (ret != MIME_DEC_OK) {
+ SCLogDebug("Error: MimeDecParseComplete() function failed");
+ }
+ }
+
+ /* De-allocate memory for parser */
+ MimeDecDeInitParser(state);
+
+ if (ret != MIME_DEC_OK) {
+ MimeDecFreeEntity(msg);
+ msg = NULL;
+ }
+
+ return msg;
+}
+
+#ifdef UNITTESTS
+
+/* Helper body chunk callback function */
+static int TestDataChunkCallback(const uint8_t *chunk, uint32_t len,
+ MimeDecParseState *state)
+{
+ uint32_t *line_count = (uint32_t *) state->data;
+
+ if (state->body_begin) {
+ SCLogDebug("Body begin (len=%u)", len);
+ }
+
+ /* Add up the line counts */
+ if (len > 0) {
+ if ((*line_count) == 0) {
+ (*line_count)++;
+ }
+ PrintChars(SC_LOG_DEBUG, "CHUNK", chunk, len);
+ for (uint32_t i = 0; i < len; i++) {
+ if (chunk[i] == CR || chunk[i] == LF) {
+ if (i + 1 < len && chunk[i] != chunk[i + 1] &&
+ (chunk[i + 1] == CR || chunk[i + 1] == LF)) {
+ i++;
+ }
+ (*line_count)++;
+ }
+ }
+
+ SCLogDebug("line count (len=%u): %u", len, *line_count);
+ }
+
+ if (state->body_end) {
+ SCLogDebug("Body end (len=%u)", len);
+ }
+
+ return MIME_DEC_OK;
+}
+
+/* Test simple case of line counts */
+static int MimeDecParseLineTest01(void)
+{
+ uint32_t line_count = 0;
+
+ /* Init parser */
+ MimeDecParseState *state = MimeDecInitParser(&line_count,
+ TestDataChunkCallback);
+
+ const char *str = "From: Sender1\n";
+ FAIL_IF_NOT(MimeDecParseLine((uint8_t *)str, strlen(str) - 1, 1, state) == MIME_DEC_OK);
+
+ str = "To: Recipient1\n";
+ FAIL_IF_NOT(MimeDecParseLine((uint8_t *)str, strlen(str) - 1, 1, state) == MIME_DEC_OK);
+
+ str = "Content-Type: text/plain\n";
+ FAIL_IF_NOT(MimeDecParseLine((uint8_t *)str, strlen(str) - 1, 1, state) == MIME_DEC_OK);
+
+ str = "\n";
+ FAIL_IF_NOT(MimeDecParseLine((uint8_t *)str, strlen(str) - 1, 1, state) == MIME_DEC_OK);
+
+ str = "A simple message line 1\n";
+ FAIL_IF_NOT(MimeDecParseLine((uint8_t *)str, strlen(str) - 1, 1, state) == MIME_DEC_OK);
+
+ str = "A simple message line 2\n";
+ FAIL_IF_NOT(MimeDecParseLine((uint8_t *)str, strlen(str) - 1, 1, state) == MIME_DEC_OK);
+
+ str = "A simple message line 3\n";
+ FAIL_IF_NOT(MimeDecParseLine((uint8_t *)str, strlen(str) - 1, 1, state) == MIME_DEC_OK);
+
+ /* Completed */
+ FAIL_IF_NOT(MimeDecParseComplete(state) == MIME_DEC_OK);
+
+ MimeDecEntity *msg = state->msg;
+ FAIL_IF_NOT_NULL(msg->next);
+ FAIL_IF_NOT_NULL(msg->child);
+
+ MimeDecFreeEntity(msg);
+
+ /* De Init parser */
+ MimeDecDeInitParser(state);
+
+ FAIL_IF_NOT(line_count == 3);
+ PASS;
+}
+
+/* Test simple case of EXE URL extraction */
+static int MimeDecParseLineTest02(void)
+{
+ uint32_t line_count = 0;
+
+ ConfNode *url_schemes = ConfNodeNew();
+ ConfNode *scheme = ConfNodeNew();
+ FAIL_IF_NULL(url_schemes);
+ FAIL_IF_NULL(scheme);
+
+ url_schemes->is_seq = 1;
+ scheme->val = SCStrdup("http://");
+ FAIL_IF_NULL(scheme->val);
+ TAILQ_INSERT_TAIL(&url_schemes->head, scheme, next);
+
+ MimeDecGetConfig()->decode_base64 = true;
+ MimeDecGetConfig()->decode_quoted_printable = true;
+ MimeDecGetConfig()->extract_urls = true;
+ MimeDecGetConfig()->extract_urls_schemes = url_schemes;
+
+ /* Init parser */
+ MimeDecParseState *state = MimeDecInitParser(&line_count,
+ TestDataChunkCallback);
+
+ const char *str = "From: Sender1\r\n";
+ FAIL_IF_NOT(MimeDecParseLine((uint8_t *)str, strlen(str) - 2, 2, state) == MIME_DEC_OK);
+
+ str = "To: Recipient1\r\n";
+ FAIL_IF_NOT(MimeDecParseLine((uint8_t *)str, strlen(str) - 2, 2, state) == MIME_DEC_OK);
+
+ str = "Content-Type: text/plain\r\n";
+ FAIL_IF_NOT(MimeDecParseLine((uint8_t *)str, strlen(str) - 2, 2, state) == MIME_DEC_OK);
+
+ str = "\r\n";
+ FAIL_IF_NOT(MimeDecParseLine((uint8_t *)str, strlen(str) - 2, 2, state) == MIME_DEC_OK);
+
+ str = "A simple message line 1\r\n";
+ FAIL_IF_NOT(MimeDecParseLine((uint8_t *)str, strlen(str) - 2, 2, state) == MIME_DEC_OK);
+
+ str = "A simple message line 2 click on http://www.test.com/malware.exe?"
+ "hahah hopefully you click this link\r\n";
+ FAIL_IF_NOT(MimeDecParseLine((uint8_t *)str, strlen(str) - 2, 2, state) == MIME_DEC_OK);
+
+ /* Completed */
+ FAIL_IF_NOT(MimeDecParseComplete(state) == MIME_DEC_OK);
+
+ MimeDecEntity *msg = state->msg;
+ FAIL_IF_NULL(msg);
+ FAIL_IF_NULL(msg->url_list);
+ FAIL_IF_NOT((msg->url_list->url_flags & URL_IS_EXE));
+ MimeDecFreeEntity(msg);
+
+ /* De Init parser */
+ MimeDecDeInitParser(state);
+ ConfNodeFree(url_schemes);
+ MimeDecGetConfig()->extract_urls_schemes = NULL;
+
+ FAIL_IF_NOT(line_count == 2);
+ PASS;
+}
+
+/* Test error case where no url schemes set in config */
+static int MimeFindUrlStringsTest01(void)
+{
+ int ret = MIME_DEC_OK;
+ uint32_t line_count = 0;
+
+ MimeDecGetConfig()->extract_urls = true;
+ MimeDecGetConfig()->extract_urls_schemes = NULL;
+ MimeDecGetConfig()->log_url_scheme = false;
+
+ /* Init parser */
+ MimeDecParseState *state = MimeDecInitParser(&line_count, TestDataChunkCallback);
+
+ const char *str = "test";
+ ret = FindUrlStrings((uint8_t *)str, strlen(str), state);
+ /* Expected error since extract_url_schemes is NULL */
+ FAIL_IF_NOT(ret == MIME_DEC_ERR_DATA);
+
+ /* Completed */
+ ret = MimeDecParseComplete(state);
+ FAIL_IF_NOT(ret == MIME_DEC_OK);
+
+ MimeDecEntity *msg = state->msg;
+ MimeDecFreeEntity(msg);
+
+ /* De Init parser */
+ MimeDecDeInitParser(state);
+
+ PASS;
+}
+
+/* Test simple case of URL extraction */
+static int MimeFindUrlStringsTest02(void)
+{
+ int ret = MIME_DEC_OK;
+ uint32_t line_count = 0;
+ ConfNode *url_schemes = ConfNodeNew();
+ ConfNode *scheme = ConfNodeNew();
+ FAIL_IF_NULL(url_schemes);
+ FAIL_IF_NULL(scheme);
+
+ url_schemes->is_seq = 1;
+ scheme->val = SCStrdup("http://");
+ FAIL_IF_NULL(scheme->val);
+ TAILQ_INSERT_TAIL(&url_schemes->head, scheme, next);
+
+ MimeDecGetConfig()->extract_urls = true;
+ MimeDecGetConfig()->extract_urls_schemes = url_schemes;
+ MimeDecGetConfig()->log_url_scheme = false;
+
+ /* Init parser */
+ MimeDecParseState *state = MimeDecInitParser(&line_count, TestDataChunkCallback);
+
+ const char *str = "A simple message click on "
+ "http://www.test.com/malware.exe? "
+ "hahah hopefully you click this link";
+ ret = FindUrlStrings((uint8_t *)str, strlen(str), state);
+ FAIL_IF_NOT(ret == MIME_DEC_OK);
+
+ /* Completed */
+ ret = MimeDecParseComplete(state);
+ FAIL_IF_NOT(ret == MIME_DEC_OK);
+
+ MimeDecEntity *msg = state->msg;
+
+ FAIL_IF(msg->url_list == NULL);
+
+ FAIL_IF_NOT(msg->url_list->url_flags & URL_IS_EXE);
+ FAIL_IF_NOT(
+ memcmp("www.test.com/malware.exe?", msg->url_list->url, msg->url_list->url_len) == 0);
+
+ MimeDecFreeEntity(msg);
+
+ /* De Init parser */
+ MimeDecDeInitParser(state);
+
+ ConfNodeFree(url_schemes);
+ MimeDecGetConfig()->extract_urls_schemes = NULL;
+
+ PASS;
+}
+
+/* Test URL extraction with multiple schemes and URLs */
+static int MimeFindUrlStringsTest03(void)
+{
+ int ret = MIME_DEC_OK;
+ uint32_t line_count = 0;
+ ConfNode *url_schemes = ConfNodeNew();
+ ConfNode *scheme1 = ConfNodeNew();
+ ConfNode *scheme2 = ConfNodeNew();
+ FAIL_IF_NULL(url_schemes);
+ FAIL_IF_NULL(scheme1);
+ FAIL_IF_NULL(scheme2);
+
+ url_schemes->is_seq = 1;
+ scheme1->val = SCStrdup("http://");
+ FAIL_IF_NULL(scheme1->val);
+ TAILQ_INSERT_TAIL(&url_schemes->head, scheme1, next);
+ scheme2->val = SCStrdup("https://");
+ FAIL_IF_NULL(scheme2->val);
+ TAILQ_INSERT_TAIL(&url_schemes->head, scheme2, next);
+
+ MimeDecGetConfig()->extract_urls = true;
+ MimeDecGetConfig()->extract_urls_schemes = url_schemes;
+ MimeDecGetConfig()->log_url_scheme = false;
+
+ /* Init parser */
+ MimeDecParseState *state = MimeDecInitParser(&line_count, TestDataChunkCallback);
+
+ const char *str = "A simple message click on "
+ "http://www.test.com/malware.exe? "
+ "hahah hopefully you click this link, or "
+ "you can go to http://www.test.com/test/01.html and "
+ "https://www.test.com/test/02.php";
+ ret = FindUrlStrings((uint8_t *)str, strlen(str), state);
+ FAIL_IF_NOT(ret == MIME_DEC_OK);
+
+ /* Completed */
+ ret = MimeDecParseComplete(state);
+ FAIL_IF_NOT(ret == MIME_DEC_OK);
+
+ MimeDecEntity *msg = state->msg;
+
+ FAIL_IF(msg->url_list == NULL);
+
+ MimeDecUrl *url = msg->url_list;
+ FAIL_IF_NOT(memcmp("www.test.com/test/02.php", url->url, url->url_len) == 0);
+
+ url = url->next;
+ FAIL_IF_NOT(memcmp("www.test.com/test/01.html", url->url, url->url_len) == 0);
+
+ url = url->next;
+ FAIL_IF_NOT(memcmp("www.test.com/malware.exe?", url->url, url->url_len) == 0);
+
+ MimeDecFreeEntity(msg);
+
+ /* De Init parser */
+ MimeDecDeInitParser(state);
+
+ ConfNodeFree(url_schemes);
+ MimeDecGetConfig()->extract_urls_schemes = NULL;
+
+ PASS;
+}
+
+/* Test URL extraction with multiple schemes and URLs with
+ * log_url_scheme enabled in the MIME config */
+static int MimeFindUrlStringsTest04(void)
+{
+ int ret = MIME_DEC_OK;
+ uint32_t line_count = 0;
+ ConfNode *url_schemes = ConfNodeNew();
+ ConfNode *scheme1 = ConfNodeNew();
+ ConfNode *scheme2 = ConfNodeNew();
+ FAIL_IF_NULL(url_schemes);
+ FAIL_IF_NULL(scheme1);
+ FAIL_IF_NULL(scheme2);
+
+ url_schemes->is_seq = 1;
+ scheme1->val = SCStrdup("http://");
+ FAIL_IF_NULL(scheme1->val);
+ TAILQ_INSERT_TAIL(&url_schemes->head, scheme1, next);
+ scheme2->val = SCStrdup("https://");
+ FAIL_IF_NULL(scheme2->val);
+ TAILQ_INSERT_TAIL(&url_schemes->head, scheme2, next);
+
+ MimeDecGetConfig()->extract_urls = true;
+ MimeDecGetConfig()->extract_urls_schemes = url_schemes;
+ MimeDecGetConfig()->log_url_scheme = true;
+
+ /* Init parser */
+ MimeDecParseState *state = MimeDecInitParser(&line_count, TestDataChunkCallback);
+
+ const char *str = "A simple message click on "
+ "http://www.test.com/malware.exe? "
+ "hahah hopefully you click this link, or "
+ "you can go to http://www.test.com/test/01.html and "
+ "https://www.test.com/test/02.php";
+ ret = FindUrlStrings((uint8_t *)str, strlen(str), state);
+ FAIL_IF_NOT(ret == MIME_DEC_OK);
+
+ /* Completed */
+ ret = MimeDecParseComplete(state);
+ FAIL_IF_NOT(ret == MIME_DEC_OK);
+
+ MimeDecEntity *msg = state->msg;
+
+ FAIL_IF(msg->url_list == NULL);
+
+ MimeDecUrl *url = msg->url_list;
+ FAIL_IF_NOT(memcmp("https://www.test.com/test/02.php", url->url, url->url_len) == 0);
+
+ url = url->next;
+ FAIL_IF_NOT(memcmp("http://www.test.com/test/01.html", url->url, url->url_len) == 0);
+
+ url = url->next;
+ FAIL_IF_NOT(memcmp("http://www.test.com/malware.exe?", url->url, url->url_len) == 0);
+
+ MimeDecFreeEntity(msg);
+
+ /* De Init parser */
+ MimeDecDeInitParser(state);
+
+ ConfNodeFree(url_schemes);
+ MimeDecGetConfig()->extract_urls_schemes = NULL;
+
+ PASS;
+}
+
+/* Test URL extraction of IPV4 and IPV6 URLs with log_url_scheme
+ * enabled in the MIME config */
+static int MimeFindUrlStringsTest05(void)
+{
+ int ret = MIME_DEC_OK;
+ uint32_t line_count = 0;
+ ConfNode *url_schemes = ConfNodeNew();
+ ConfNode *scheme = ConfNodeNew();
+ FAIL_IF_NULL(url_schemes);
+ FAIL_IF_NULL(scheme);
+
+ url_schemes->is_seq = 1;
+ scheme->val = SCStrdup("http://");
+ FAIL_IF_NULL(scheme->val);
+ TAILQ_INSERT_TAIL(&url_schemes->head, scheme, next);
+
+ MimeDecGetConfig()->extract_urls = true;
+ MimeDecGetConfig()->extract_urls_schemes = url_schemes;
+ MimeDecGetConfig()->log_url_scheme = true;
+
+ /* Init parser */
+ MimeDecParseState *state = MimeDecInitParser(&line_count, TestDataChunkCallback);
+
+ const char *str = "A simple message click on "
+ "http://192.168.1.1/test/01.html "
+ "hahah hopefully you click this link or this one "
+ "http://0:0:0:0:0:0:0:0/test/02.php";
+ ret = FindUrlStrings((uint8_t *)str, strlen(str), state);
+ FAIL_IF_NOT(ret == MIME_DEC_OK);
+
+ /* Completed */
+ ret = MimeDecParseComplete(state);
+ FAIL_IF_NOT(ret == MIME_DEC_OK);
+
+ MimeDecEntity *msg = state->msg;
+
+ FAIL_IF(msg->url_list == NULL);
+
+ MimeDecUrl *url = msg->url_list;
+ FAIL_IF_NOT(url->url_flags & URL_IS_IP6);
+ FAIL_IF_NOT(memcmp("http://0:0:0:0:0:0:0:0/test/02.php", url->url, url->url_len) == 0);
+
+ url = url->next;
+ FAIL_IF_NOT(url->url_flags & URL_IS_IP4);
+ FAIL_IF_NOT(memcmp("http://192.168.1.1/test/01.html", url->url, url->url_len) == 0);
+
+ MimeDecFreeEntity(msg);
+
+ /* De Init parser */
+ MimeDecDeInitParser(state);
+
+ ConfNodeFree(url_schemes);
+ MimeDecGetConfig()->extract_urls_schemes = NULL;
+
+ PASS;
+}
+
+/* Test full message with linebreaks */
+static int MimeDecParseFullMsgTest01(void)
+{
+ uint32_t expected_count = 3;
+ uint32_t line_count = 0;
+
+ char msg[] = "From: Sender1\r\n"
+ "To: Recipient1\r\n"
+ "Content-Type: text/plain\r\n"
+ "\r\n"
+ "Line 1\r\n"
+ "Line 2\r\n"
+ "Line 3\r\n";
+
+ MimeDecEntity *entity = MimeDecParseFullMsg((uint8_t *)msg, strlen(msg), &line_count,
+ TestDataChunkCallback);
+ if (entity == NULL) {
+ SCLogInfo("Warning: Message failed to parse");
+ return 0;
+ }
+
+ MimeDecFreeEntity(entity);
+
+ if (expected_count != line_count) {
+ SCLogInfo("Warning: Line count is invalid: expected - %d actual - %d",
+ expected_count, line_count);
+ return 0;
+ }
+
+ return 1;
+}
+
+/* Test full message with linebreaks */
+static int MimeDecParseFullMsgTest02(void)
+{
+ uint32_t expected_count = 3;
+ uint32_t line_count = 0;
+
+ char msg[] = "From: Sender2\r\n"
+ "To: Recipient2\r\n"
+ "Subject: subject2\r\n"
+ "Content-Type: text/plain\r\n"
+ "\r\n"
+ "Line 1\r\n"
+ "Line 2\r\n"
+ "Line 3\r\n";
+
+ MimeDecEntity *entity = MimeDecParseFullMsg((uint8_t *)msg, strlen(msg), &line_count,
+ TestDataChunkCallback);
+
+ if (entity == NULL) {
+ SCLogInfo("Warning: Message failed to parse");
+ return 0;
+ }
+
+ MimeDecField *field = MimeDecFindField(entity, "subject");
+ if (field == NULL) {
+ SCLogInfo("Warning: Message failed to parse");
+ return 0;
+ }
+
+ if (field->value_len != sizeof("subject2") - 1) {
+ SCLogInfo("Warning: failed to get subject");
+ return 0;
+ }
+
+ if (memcmp(field->value, "subject2", field->value_len) != 0) {
+ SCLogInfo("Warning: failed to get subject");
+ return 0;
+ }
+
+
+ MimeDecFreeEntity(entity);
+
+ if (expected_count != line_count) {
+ SCLogInfo("Warning: Line count is invalid: expected - %d actual - %d", expected_count,
+ line_count);
+ return 0;
+ }
+
+ return 1;
+}
+
+static int MimeBase64DecodeTest01(void)
+{
+ int ret = 0;
+ uint32_t consumed_bytes = 0, num_decoded = 0;
+
+ const char *msg = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890@"
+ "#$%^&*()-=_+,./;'[]<>?:";
+ const char *base64msg = "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXpBQkNERUZHSElKS0xNTk9QU"
+ "VJTVFVWV1hZWjEyMzQ1Njc4OTBAIyQlXiYqKCktPV8rLC4vOydbXTw+Pzo=";
+
+ uint8_t *dst = SCMalloc(strlen(msg) + 1);
+ if (dst == NULL)
+ return 0;
+
+ ret = DecodeBase64(dst, strlen(msg) + 1, (const uint8_t *)base64msg, strlen(base64msg),
+ &consumed_bytes, &num_decoded, BASE64_MODE_RFC2045);
+
+ if (memcmp(dst, msg, strlen(msg)) == 0) {
+ ret = 1;
+ }
+
+ SCFree(dst);
+
+ return ret;
+}
+
+static int MimeIsExeURLTest01(void)
+{
+ int ret = 0;
+ const char *url1 = "http://www.google.com/";
+ const char *url2 = "http://www.google.com/test.exe";
+
+ if(IsExeUrl((const uint8_t *)url1, strlen(url1)) != 0){
+ SCLogDebug("Debug: URL1 error");
+ goto end;
+ }
+ if(IsExeUrl((const uint8_t *)url2, strlen(url2)) != 1){
+ SCLogDebug("Debug: URL2 error");
+ goto end;
+ }
+ ret = 1;
+
+ end:
+
+ return ret;
+}
+
+#define TEST(str, len, expect) { \
+ SCLogDebug("str %s", (str)); \
+ int r = IsIpv4Host((const uint8_t *)(str),(len)); \
+ FAIL_IF_NOT(r == (expect)); \
+}
+static int MimeIsIpv4HostTest01(void)
+{
+ TEST("192.168.1.1", 11, 1);
+ TEST("192.168.1.1.4", 13, 0);
+ TEST("999.168.1.1", 11, 0);
+ TEST("1111.168.1.1", 12, 0);
+ TEST("999.oogle.com", 14, 0);
+ TEST("0:0:0:0:0:0:0:0", 15, 0);
+ TEST("192.168.255.255", 15, 1);
+ TEST("192.168.255.255/testurl.html", 28, 1);
+ TEST("www.google.com", 14, 0);
+ PASS;
+}
+#undef TEST
+
+#define TEST(str, len, expect) { \
+ SCLogDebug("str %s", (str)); \
+ int r = IsIpv6Host((const uint8_t *)(str),(len)); \
+ FAIL_IF_NOT(r == (expect)); \
+}
+static int MimeIsIpv6HostTest01(void)
+{
+ TEST("0:0:0:0:0:0:0:0", 19, 1);
+ TEST("0000:0000:0000:0000:0000:0000:0000:0000", 39, 1);
+ TEST("XXXX:0000:0000:0000:0000:0000:0000:0000", 39, 0);
+ TEST("00001:0000:0000:0000:0000:0000:0000:0000", 40, 0);
+ TEST("0:0:0:0:0:0:0:0", 19, 1);
+ TEST("0:0:0:0:0:0:0:0:0", 20, 0);
+ TEST("192:168:1:1:0:0:0:0", 19, 1);
+ TEST("999.oogle.com", 14, 0);
+ TEST("192.168.255.255", 15, 0);
+ TEST("192.168.255.255/testurl.html", 28, 0);
+ TEST("www.google.com", 14, 0);
+ PASS;
+}
+#undef TEST
+
+static int MimeDecParseLongFilename01(void)
+{
+ /* contains 276 character filename -- length restricted to 255 chars */
+ char mimemsg[] = "Content-Disposition: attachment; filename=\""
+ "12characters12characters12characters12characters"
+ "12characters12characters12characters12characters"
+ "12characters12characters12characters12characters"
+ "12characters12characters12characters12characters"
+ "12characters12characters12characters12characters"
+ "12characters12characters12characters.exe\"";
+
+ uint32_t line_count = 0;
+
+ MimeDecGetConfig()->decode_base64 = true;
+ MimeDecGetConfig()->decode_quoted_printable = true;
+ MimeDecGetConfig()->extract_urls = true;
+
+ /* Init parser */
+ MimeDecParseState *state = MimeDecInitParser(&line_count,
+ TestDataChunkCallback);
+
+ const char *str = "From: Sender1";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "To: Recipient1";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "Content-Type: text/plain";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ /* Contains 276 character filename */
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)mimemsg, strlen(mimemsg), 1, state));
+
+ str = "";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "A simple message line 1";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ /* Completed */
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseComplete(state));
+
+ MimeDecEntity *msg = state->msg;
+ FAIL_IF_NOT(msg);
+
+ FAIL_IF_NOT(msg->anomaly_flags & ANOM_LONG_FILENAME);
+ FAIL_IF_NOT(msg->filename_len == RS_MIME_MAX_TOKEN_LEN);
+
+ MimeDecFreeEntity(msg);
+
+ /* De Init parser */
+ MimeDecDeInitParser(state);
+
+ PASS;
+}
+
+static int MimeDecParseSmallRemInp(void)
+{
+ // Remainder dA
+ // New input: AAAA
+ char mimemsg[] = "TWltZSBkZWNvZGluZyB pcyBzbyBO T1QgZnV uISBJIGNhbm5vdA";
+
+ uint32_t line_count = 0;
+
+ MimeDecGetConfig()->decode_base64 = true;
+ MimeDecGetConfig()->decode_quoted_printable = true;
+ MimeDecGetConfig()->extract_urls = true;
+
+ /* Init parser */
+ MimeDecParseState *state = MimeDecInitParser(&line_count, TestDataChunkCallback);
+ state->stack->top->data->ctnt_flags |= CTNT_IS_ATTACHMENT;
+
+ const char *str = "From: Sender1";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "To: Recipient1";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "Content-Type: text/plain";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "Content-Transfer-Encoding: base64";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)mimemsg, strlen(mimemsg), 1, state));
+
+ str = "AAAA";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ /* Completed */
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseComplete(state));
+
+ MimeDecEntity *msg = state->msg;
+ FAIL_IF_NOT(msg);
+
+ /* filename is not too long */
+ FAIL_IF(msg->anomaly_flags & ANOM_LONG_FILENAME);
+
+ MimeDecFreeEntity(msg);
+
+ /* De Init parser */
+ MimeDecDeInitParser(state);
+
+ PASS;
+}
+
+static int MimeDecParseRemSp(void)
+{
+ // Should have remainder vd A
+ char mimemsg[] = "TWltZSBkZWNvZGluZyBpc yBzbyBOT1QgZnVuISBJIGNhbm5vd A";
+
+ uint32_t line_count = 0;
+
+ MimeDecGetConfig()->decode_base64 = true;
+ MimeDecGetConfig()->decode_quoted_printable = true;
+ MimeDecGetConfig()->extract_urls = true;
+
+ /* Init parser */
+ MimeDecParseState *state = MimeDecInitParser(&line_count, TestDataChunkCallback);
+ state->stack->top->data->ctnt_flags |= CTNT_IS_ATTACHMENT;
+
+ const char *str = "From: Sender1";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "To: Recipient1";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "Content-Type: text/plain";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "Content-Transfer-Encoding: base64";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)mimemsg, strlen(mimemsg), 1, state));
+ /* Completed */
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseComplete(state));
+
+ MimeDecEntity *msg = state->msg;
+ FAIL_IF_NOT(msg);
+
+ /* filename is not too long */
+ FAIL_IF(msg->anomaly_flags & ANOM_LONG_FILENAME);
+
+ MimeDecFreeEntity(msg);
+
+ /* De Init parser */
+ MimeDecDeInitParser(state);
+
+ PASS;
+}
+
+static int MimeDecVerySmallInp(void)
+{
+ // Remainder: A
+ // New input: aA
+ char mimemsg[] = "TWltZSBkZWNvZGluZyB pcyBzbyBO T1QgZnV uISBJIGNhbm5vA";
+
+ uint32_t line_count = 0;
+
+ MimeDecGetConfig()->decode_base64 = true;
+ MimeDecGetConfig()->decode_quoted_printable = true;
+ MimeDecGetConfig()->extract_urls = true;
+
+ /* Init parser */
+ MimeDecParseState *state = MimeDecInitParser(&line_count, TestDataChunkCallback);
+ state->stack->top->data->ctnt_flags |= CTNT_IS_ATTACHMENT;
+
+ const char *str = "From: Sender1";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "To: Recipient1";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "Content-Type: text/plain";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "Content-Transfer-Encoding: base64";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)mimemsg, strlen(mimemsg), 1, state));
+
+ str = "aA";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ /* Completed */
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseComplete(state));
+
+ MimeDecEntity *msg = state->msg;
+ FAIL_IF_NOT(msg);
+
+ /* filename is not too long */
+ FAIL_IF(msg->anomaly_flags & ANOM_LONG_FILENAME);
+
+ MimeDecFreeEntity(msg);
+
+ /* De Init parser */
+ MimeDecDeInitParser(state);
+
+ PASS;
+}
+
+static int MimeDecParseOddLen(void)
+{
+ char mimemsg[] = "TWltZSBkZWNvZGluZyB pcyBzbyBO T1QgZnV uISBJIGNhbm5vdA";
+
+ uint32_t line_count = 0;
+
+ MimeDecGetConfig()->decode_base64 = true;
+ MimeDecGetConfig()->decode_quoted_printable = true;
+ MimeDecGetConfig()->extract_urls = true;
+
+ /* Init parser */
+ MimeDecParseState *state = MimeDecInitParser(&line_count, TestDataChunkCallback);
+ state->stack->top->data->ctnt_flags |= CTNT_IS_ATTACHMENT;
+
+ const char *str = "From: Sender1";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "To: Recipient1";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "Content-Type: text/plain";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "Content-Transfer-Encoding: base64";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)mimemsg, strlen(mimemsg), 1, state));
+ /* Completed */
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseComplete(state));
+
+ MimeDecEntity *msg = state->msg;
+ FAIL_IF_NOT(msg);
+
+ /* filename is not too long */
+ FAIL_IF(msg->anomaly_flags & ANOM_LONG_FILENAME);
+
+ MimeDecFreeEntity(msg);
+
+ /* De Init parser */
+ MimeDecDeInitParser(state);
+
+ PASS;
+}
+
+static int MimeDecParseLongFilename02(void)
+{
+ /* contains 40 character filename and 500+ characters following filename */
+ char mimemsg[] = "Content-Disposition: attachment; filename=\""
+ "12characters12characters12characters.exe\"; "
+ "somejunkasfdasfsafasafdsasdasassdssdsd"
+ "somejunkasfdasfsafasafdsasdasassdssdsd"
+ "somejunkasfdasfsafasafdsasdasassdssdsd"
+ "somejunkasfdasfsafasafdsasdasassdssdsd"
+ "somejunkasfdasfsafasafdsasdasassdssdsd"
+ "somejunkasfdasfsafasafdsasdasassdssdsd"
+ "somejunkasfdasfsafasafdsasdasassdssdsd"
+ "somejunkasfdasfsafasafdsasdasassdssdsd"
+ "somejunkasfdasfsafasafdsasdasassdssdsd"
+ "somejunkasfdasfsafasafdsasdasassdssdsd"
+ "somejunkasfdasfsafasafdsasdasassdssdsd"
+ "somejunkasfdasfsafasafdsasdasassdssdsd"
+ "somejunkasfdasfsafasafdsasdasassdssdsd";
+
+ uint32_t line_count = 0;
+
+ MimeDecGetConfig()->decode_base64 = true;
+ MimeDecGetConfig()->decode_quoted_printable = true;
+ MimeDecGetConfig()->extract_urls = true;
+
+ /* Init parser */
+ MimeDecParseState *state = MimeDecInitParser(&line_count,
+ TestDataChunkCallback);
+
+ const char *str = "From: Sender1";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "To: Recipient1";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "Content-Type: text/plain";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ /* Contains 40 character filename */
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)mimemsg, strlen(mimemsg), 1, state));
+
+ str = "";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ str = "A simple message line 1";
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseLine((uint8_t *)str, strlen(str), 1, state));
+
+ /* Completed */
+ FAIL_IF_NOT(MIME_DEC_OK == MimeDecParseComplete(state));
+
+ MimeDecEntity *msg = state->msg;
+ FAIL_IF_NOT(msg);
+
+ /* filename is not too long */
+ FAIL_IF(msg->anomaly_flags & ANOM_LONG_FILENAME);
+
+ MimeDecFreeEntity(msg);
+
+ /* De Init parser */
+ MimeDecDeInitParser(state);
+
+ PASS;
+}
+
+#endif /* UNITTESTS */
+
+void MimeDecRegisterTests(void)
+{
+#ifdef UNITTESTS
+ UtRegisterTest("MimeDecParseLineTest01", MimeDecParseLineTest01);
+ UtRegisterTest("MimeDecParseLineTest02", MimeDecParseLineTest02);
+ UtRegisterTest("MimeFindUrlStringsTest01", MimeFindUrlStringsTest01);
+ UtRegisterTest("MimeFindUrlStringsTest02", MimeFindUrlStringsTest02);
+ UtRegisterTest("MimeFindUrlStringsTest03", MimeFindUrlStringsTest03);
+ UtRegisterTest("MimeFindUrlStringsTest04", MimeFindUrlStringsTest04);
+ UtRegisterTest("MimeFindUrlStringsTest05", MimeFindUrlStringsTest05);
+ UtRegisterTest("MimeDecParseFullMsgTest01", MimeDecParseFullMsgTest01);
+ UtRegisterTest("MimeDecParseFullMsgTest02", MimeDecParseFullMsgTest02);
+ UtRegisterTest("MimeBase64DecodeTest01", MimeBase64DecodeTest01);
+ UtRegisterTest("MimeIsExeURLTest01", MimeIsExeURLTest01);
+ UtRegisterTest("MimeIsIpv4HostTest01", MimeIsIpv4HostTest01);
+ UtRegisterTest("MimeIsIpv6HostTest01", MimeIsIpv6HostTest01);
+ UtRegisterTest("MimeDecParseLongFilename01", MimeDecParseLongFilename01);
+ UtRegisterTest("MimeDecParseLongFilename02", MimeDecParseLongFilename02);
+ UtRegisterTest("MimeDecParseSmallRemInp", MimeDecParseSmallRemInp);
+ UtRegisterTest("MimeDecParseRemSp", MimeDecParseRemSp);
+ UtRegisterTest("MimeDecVerySmallInp", MimeDecVerySmallInp);
+ UtRegisterTest("MimeDecParseOddLen", MimeDecParseOddLen);
+#endif /* UNITTESTS */
+}
generated by cgit v1.2.3 (git 2.39.1) at 2025-02-23 10:14:54 +0000