[Snort-devel] Email mime part data_state reassembly problem

Mitesh Jadia mitesh.jadia at ...2499...
Tue Dec 9 02:57:24 EST 2014


I found that when \n character found in mime data following mime header
found in pop paf function flushes stream at that point.

scanning_boundary function is responsible for that.

static inline bool scanning_boundary(MimeDataPafInfo *mime_info, uint32_t
boundary_start, uint32_t* fp)
    if (boundary_start &&
            mime_info->data_state == *MIME_PAF_FOUND_BOUNDARY_STATE* &&
            mime_info->boundary_state != MIME_PAF_BOUNDARY_UNKNOWN)
        *fp = boundary_start;
        return true;

    return false;

current logic says that when \n is found (means mime->info.data_state
= MIME_PAF_BOUNDARY_LF) then if condition will be true (other two
conditions are also true in this case) and flush point will be set. Now it
is possible that \n character can be there in attachment data.

As per my logic when all three characters '\n--' should be there before
setting flush point by this condition. This solution will perform proper
flushing by paf function. Also this problem may be in smtp and imap as
scanning_boundary function is common for them.

Mitesh Jadia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20141209/a3de3116/attachment.html>

More information about the Snort-devel mailing list