From 2a858d252e56267d3cf2b8d850fb4ae6f24ec5a9 Mon Sep 17 00:00:00 2001
From: Arne Welzel <arne.welzel@corelight.com>
Date: Mon, 15 Jan 2024 21:06:24 +0100
Subject: [PATCH] MIME: Cap nested MIME analysis depth to 100

OSS-Fuzz managed to produce a MIME multipart message construction with
thousands of nested entities (or that's what Zeek makes out of it anyhow).
Prevent such deep analysis by capping at a nesting depth of 100,
preventing unnecessary resource usage. A new weird named exceeded_mime_max_depth
is reported when this limit is reached.

This change reduces the runtime of the OSS-Fuzz reproducer from ~45 seconds
to ~2.5 seconds.

The test PCAP was produced from a Python script using the email package
and sending the rendered version via POST to a HTTP server.

Closes #208
---
 NEWS                                          |   4 ++++
 scripts/base/init-bare.zeek                   |  10 +++++++++
 src/analyzer/protocol/mime/CMakeLists.txt     |   1 +
 src/analyzer/protocol/mime/MIME.cc            |  19 +++++++++++++++++-
 src/analyzer/protocol/mime/MIME.h             |   2 ++
 src/analyzer/protocol/mime/consts.bif         |   1 +
 .../canonified_loaded_scripts.log             |   1 +
 .../canonified_loaded_scripts.log             |   1 +
 testing/btest/Baseline/plugins.hooks/output   |   6 ++++++
 .../http.log                                  |  12 +++++++++++
 .../weird.log                                 |  11 ++++++++++
 .../btest/Traces/http/deeply-nested-mime.pcap | Bin 0 -> 45183 bytes
 .../protocols/http/deeply-nested-mime.zeek    |   7 +++++++
 13 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 src/analyzer/protocol/mime/consts.bif
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.deeply-nested-mime/http.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.deeply-nested-mime/weird.log
 create mode 100644 testing/btest/Traces/http/deeply-nested-mime.pcap
 create mode 100644 testing/btest/scripts/base/protocols/http/deeply-nested-mime.zeek

diff --git a/NEWS b/NEWS
index 330270c755..351cd9bc79 100644
--- a/NEWS
+++ b/NEWS
@@ -184,6 +184,10 @@ Changed Functionality
   two encapsulation layers. Two layers are already easily reached in AWS GLB
   environments.
 
+- Nested MIME message analysis is now capped at a maximum depth of 100 to prevent
+  unbounded MIME message nesting. This limit is configurable with ``MIME::max_depth``.
+  A new weird named ``exceeded_mime_max_depth`` is reported when reached.
+
 Removed Functionality
 ---------------------
 
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 95cc63ec78..ef0dba7ab4 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -2780,6 +2780,16 @@ export {
 } # end export
 
 
+module MIME;
+export {
+	## Stop analysis of nested multipart MIME entities if this depth is
+	## reached. Setting this value to 0 removes the limit.
+	const max_depth = 100 &redef;
+
+} # end export
+
+
+
 module MOUNT3;
 export {
 
diff --git a/src/analyzer/protocol/mime/CMakeLists.txt b/src/analyzer/protocol/mime/CMakeLists.txt
index 774766d2d8..86cccb9b2e 100644
--- a/src/analyzer/protocol/mime/CMakeLists.txt
+++ b/src/analyzer/protocol/mime/CMakeLists.txt
@@ -10,4 +10,5 @@ zeek_add_plugin(
     MIME.cc
     Plugin.cc
     BIFS
+    consts.bif
     events.bif)
diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc
index e375529565..e0773ee159 100644
--- a/src/analyzer/protocol/mime/MIME.cc
+++ b/src/analyzer/protocol/mime/MIME.cc
@@ -7,6 +7,7 @@
 #include "zeek/Base64.h"
 #include "zeek/NetVar.h"
 #include "zeek/Reporter.h"
+#include "zeek/analyzer/protocol/mime/consts.bif.h"
 #include "zeek/analyzer/protocol/mime/events.bif.h"
 #include "zeek/digest.h"
 #include "zeek/file_analysis/Manager.h"
@@ -450,8 +451,10 @@ MIME_Entity::MIME_Entity(MIME_Message* output_message, MIME_Entity* parent_entit
     init();
     parent = parent_entity;
     message = output_message;
-    if ( parent )
+    if ( parent ) {
         content_encoding = parent->ContentTransferEncoding();
+        depth = parent->Depth() + 1;
+    }
 
     want_all_headers = (bool)mime_all_headers;
 }
@@ -479,6 +482,7 @@ void MIME_Entity::init() {
 
     base64_decoder = nullptr;
 
+    depth = 0;
     data_buf_length = 0;
     data_buf_data = nullptr;
     data_buf_offset = -1;
@@ -1070,6 +1074,19 @@ void MIME_Entity::SubmitAllHeaders() { message->SubmitAllHeaders(headers); }
 
 void MIME_Entity::BeginChildEntity() {
     ASSERT(current_child_entity == nullptr);
+
+    // If the maximum depth for analysis is reached, don't create a new
+    // child entity. Instead, its header/body will be delivered to the
+    // current entity.
+    if ( zeek::BifConst::MIME::max_depth > 0 && Depth() >= zeek::BifConst::MIME::max_depth ) {
+        if ( message->GetAnalyzer() ) {
+            const char* addl = zeek::util::fmt("%" PRIu64, Depth());
+            message->GetAnalyzer()->Weird("exceeded_mime_max_depth", addl);
+        }
+
+        return;
+    }
+
     current_child_entity = NewChildEntity();
     message->BeginEntity(current_child_entity);
 }
diff --git a/src/analyzer/protocol/mime/MIME.h b/src/analyzer/protocol/mime/MIME.h
index 2ecdae6122..9b8ea9a7b2 100644
--- a/src/analyzer/protocol/mime/MIME.h
+++ b/src/analyzer/protocol/mime/MIME.h
@@ -101,6 +101,7 @@ public:
     virtual void EndOfData();
 
     MIME_Entity* Parent() const { return parent; }
+    zeek_uint_t Depth() const { return depth; };
     int MIMEContentType() const { return content_type; }
     const StringValPtr& GetContentType() const { return content_type_str; }
     const StringValPtr& GetContentSubType() const { return content_subtype_str; }
@@ -172,6 +173,7 @@ protected:
 
     zeek::detail::Base64Converter* base64_decoder;
 
+    zeek_uint_t depth;
     int data_buf_length;
     char* data_buf_data;
     int data_buf_offset;
diff --git a/src/analyzer/protocol/mime/consts.bif b/src/analyzer/protocol/mime/consts.bif
new file mode 100644
index 0000000000..c8d7317c2e
--- /dev/null
+++ b/src/analyzer/protocol/mime/consts.bif
@@ -0,0 +1 @@
+const MIME::max_depth: count;
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 37b0ea5102..13a58ed17e 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -176,6 +176,7 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Login.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_MIME.consts.bif.zeek
     build/scripts/base/bif/plugins/Zeek_MIME.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Modbus.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_MQTT.types.bif.zeek
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 18aacdd010..43d87b3515 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -176,6 +176,7 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Login.functions.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_MIME.consts.bif.zeek
     build/scripts/base/bif/plugins/Zeek_MIME.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Modbus.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_MQTT.types.bif.zeek
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index f40858f96c..386e891e7a 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -385,6 +385,7 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_KRB.types.bif.zeek, <...>/Zeek_KRB.types.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Login.events.bif.zeek, <...>/Zeek_Login.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Login.functions.bif.zeek, <...>/Zeek_Login.functions.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./Zeek_MIME.consts.bif.zeek, <...>/Zeek_MIME.consts.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_MIME.events.bif.zeek, <...>/Zeek_MIME.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_MQTT.events.bif.zeek, <...>/Zeek_MQTT.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_MQTT.types.bif.zeek, <...>/Zeek_MQTT.types.bif.zeek) -> -1
@@ -673,6 +674,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_KRB.types.bif.zeek, <...>/Zeek_KRB.types.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Login.events.bif.zeek, <...>/Zeek_Login.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Login.functions.bif.zeek, <...>/Zeek_Login.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_MIME.consts.bif.zeek, <...>/Zeek_MIME.consts.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_MIME.events.bif.zeek, <...>/Zeek_MIME.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_MQTT.events.bif.zeek, <...>/Zeek_MQTT.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_MQTT.types.bif.zeek, <...>/Zeek_MQTT.types.bif.zeek) -> (-1, <no content>)
@@ -1309,6 +1311,7 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_KRB.types.bif.zeek, <...>/Zeek_KRB.types.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Login.events.bif.zeek, <...>/Zeek_Login.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Login.functions.bif.zeek, <...>/Zeek_Login.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./Zeek_MIME.consts.bif.zeek, <...>/Zeek_MIME.consts.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_MIME.events.bif.zeek, <...>/Zeek_MIME.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_MQTT.events.bif.zeek, <...>/Zeek_MQTT.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_MQTT.types.bif.zeek, <...>/Zeek_MQTT.types.bif.zeek)
@@ -1597,6 +1600,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_KRB.types.bif.zeek, <...>/Zeek_KRB.types.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Login.events.bif.zeek, <...>/Zeek_Login.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Login.functions.bif.zeek, <...>/Zeek_Login.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_MIME.consts.bif.zeek, <...>/Zeek_MIME.consts.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_MIME.events.bif.zeek, <...>/Zeek_MIME.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_MQTT.events.bif.zeek, <...>/Zeek_MQTT.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_MQTT.types.bif.zeek, <...>/Zeek_MQTT.types.bif.zeek)
@@ -2232,6 +2236,7 @@
 0.000000 | HookLoadFile  ./Zeek_KRB.types.bif.zeek <...>/Zeek_KRB.types.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Login.events.bif.zeek <...>/Zeek_Login.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Login.functions.bif.zeek <...>/Zeek_Login.functions.bif.zeek
+0.000000 | HookLoadFile  ./Zeek_MIME.consts.bif.zeek <...>/Zeek_MIME.consts.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_MIME.events.bif.zeek <...>/Zeek_MIME.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_MQTT.events.bif.zeek <...>/Zeek_MQTT.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_MQTT.types.bif.zeek <...>/Zeek_MQTT.types.bif.zeek
@@ -2520,6 +2525,7 @@
 0.000000 | HookLoadFileExtended ./Zeek_KRB.types.bif.zeek <...>/Zeek_KRB.types.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_Login.events.bif.zeek <...>/Zeek_Login.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_Login.functions.bif.zeek <...>/Zeek_Login.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_MIME.consts.bif.zeek <...>/Zeek_MIME.consts.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_MIME.events.bif.zeek <...>/Zeek_MIME.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_MQTT.events.bif.zeek <...>/Zeek_MQTT.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_MQTT.types.bif.zeek <...>/Zeek_MQTT.types.bif.zeek
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.deeply-nested-mime/http.log b/testing/btest/Baseline/scripts.base.protocols.http.deeply-nested-mime/http.log
new file mode 100644
index 0000000000..f4096b6a73
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.deeply-nested-mime/http.log
@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	48724	127.0.0.1	8080	1	POST	localhost:8080	/	-	1.0	python-requests/2.25.1	-	0	497	501	Unsupported method ('POST')	-	-	(empty)	-	-	-	Fx3nQj3PL606RGh4A5,Fdjahd1XxlaUKC7vn8,Fe52j84XySnHI9mUz3,FxA6cG3PA85BxWwwue,FXB5842rxVtgRiI2Vb,Fw9fsX12UMGC0mGdXa,Fl4MFh2QO56Q341Pta,FYZdwQ25lK4xMv9Qob,FTr1zV3F6Fwdhnw5Ik,F6LDXlarWo5lMUQOi,F7m83Od9JOgipOzrc,FVzPLi3cocOyPUvib5,FH7s3jYnZ1R4gqO1g,FrlqlF3HqNAWohppk1,FobeqY2mIbUTMYzkva	-	text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain,text/plain	FWhx6m3AbtxIJtthb	-	text/html
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	48724	127.0.0.1	8080	2	-	-	-	-	-	-	-	39686	0	-	-	-	-	(empty)	-	-	-	-	-	-	-	-	-
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.deeply-nested-mime/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.deeply-nested-mime/weird.log
new file mode 100644
index 0000000000..0c85ed52de
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.deeply-nested-mime/weird.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	48724	127.0.0.1	8080	exceeded_mime_max_depth	100	F	zeek	HTTP
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/http/deeply-nested-mime.pcap b/testing/btest/Traces/http/deeply-nested-mime.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..021acd6991400003cc33bb25f7097ea170eae833
GIT binary patch
literal 45183
zcmd5_e~=|rb$+|Bf>Uk@(Te_)qBF)UATzJ~_U~basO*Hr+GQv1tXmif_4ZBg%!HZu
z-oDqvvPmc{%2X&SrKB)1D27diu!>mf3WbpfR-u3a!<t<}6+tlwf|w|3fcPVBzT0nl
zXS(~G-aE@{xv!Y5Vdk6Dr@wpq^gZXEbMDdm4*mW5+NrhlbL?2HwhsUETesXA{oz9!
zYVX4L@@w_y^x9;tHh$#sx7XhOnz<+6k3W!K_e`I4{nMZC9FfQa>wo^j#S^vK`cpUD
zaq9Zhhs4eUXULzgJLQzqq~zIB$+eo4JpQFr@>$p4GyRF{E^R^j(F4Ent84$v%}SQi
zQ^{>eekZOZzgB+|ot-29k?8!rRPwUUM<Koafiu><bnqk4aa~_uDOKuv4J1y068W|I
zBPFh@A9+GboPC~@_~vyl-5O;jPHo>YZPbk|)6-LRYt-5}w58pP$Bcz`v#~HIzYWa5
z+&Hwe7j;M8F&nk;yUzZ2uH72xMthf{UfipTQQ^wJd`Ghxb>fl9R<k`b-<lmWX8&Zq
zbDl91?OABVQTqEa<J|hW8;34zw^~s%o^Q9tj4Pt3GtyX?zY-w)JjPW<ruTQEF=H|6
z^%}ELy}PFw2(jw7-A1do2P&;xEZ99CZyefo@wUm4_e9-ZBG?**>Z!!7QEN7y8#C<C
z3%rd(8;2yBe_lE~ho6^ZUh!B;=JLR|pZ@&bM=(6Uy!D1GnNs3kLE`fpYROlAcs4w7
z<Xci=b3B#UAMm}8qyxV3iLAs_`DHqm7UKC%qZ`*3=dX%p&Np_qms&H8?*574iR{O<
zEZ;L-Gqg;{5st7OZ(?Ft-u1{x7CAveS7_^BIgYN1>z#$heCvFpIoIg+qIhC>Dc&;@
zK<IHLi=*Nvqq1>m3Q8NTrN!M**T7UcSvA%?A5zse&-Xg*-h6+)HR8C@oLj^+lbWQE
zwNflX+w@$=_Ch~!EK`Jz!%<8^^H&}u#duT*ij~yRiDKXMOy6>?&~`zuY1yXFQA|Rs
zq}V1YR#HPJicQ-zeb4b6+xI-z!i07?ib-gd6gwovN^1PNDVCQ1BjuL=+ll2rKWq8-
z?Mp5H2e)J`f0=c+9NP{o;d_?jIHv76mf!}BgjP9dE;(pQYW%tft&C#f+o34}Q-EF9
zw|ze}If_YWl@uqdm%@8oNe!JS4m=k#*L6JK6M^f==bEFKgjPwhPtIZ`HFTm_SXlp=
zp%0=1(+oq;<ku(^v`UHtl44Thyc#-DEG_@vlw1BM6U#rAwft9~m0JFmowfXCV1-!k
z2-9_iCwvD+o_j7xXr8S>E-XWG(3I5BY0v`K^?cj0Ldy*t*Rk;7C?=s*Qf$FzB^K{W
zdg#Ql>G*hmVg>IA-*-IM_ic`25?U$8v=6GJhfW*^uI&cGal9}zZTO+!nd6v*R?0E$
zgevKw6UPD+BbXvAAFol*F#~tmR!GbL(Q?cGoy78oS<8RT1F7YI(aBo=VsM7Mc%`F8
z`?X4X=rn4UFg+h(FBeaSZ<&EF*u^CYt(0Thu~pJTCys-_GCkqRWr`2$jt~w17Nww-
za!mW7q{?|cbmG`@1?I4HJbW*3JkPRuSD%9B?`@EaL5p@oNtN?@=)|#SV!<6^!R>jr
z;{<l#vbLfRm6rc+%Ps$ZCYC?QTK;R>iRH&O%$Sk2{JD$g*&67m(Y`H7LS7H8M$I-u
zge(K!$I@6}_<VNl<5AH3y$zIO+PPKILnn>}c8?s(H%;3KoiM~Yo?XL}&`LR`eNiPn
zbmG_&E*O?Obgmu3_+VFwTf>vkDmfOkFRG-6P8=ha>%&?&2sHYx8Q7u2zC}ssagL?s
z{}?Pkzomcp2h#Fi@$aeSU)eL>w-0;9FCO?w*77Sz{I5jfqeY2Vp9P6O{`e(Di61Z5
z@xK#^M~f1#c>ofB@YlDmS>g{9iARbOua$`m&s;xLlz3CQjz3By{##Mvhu#E<-??tK
zDDfZ4-^ou&iA_J1*x!5q(3?_kY-TYlaXANJknaUS#~sS&+{xxbq#N56?0wsT+!-;E
zSYQQ?Z-pXccMVDC@#m=uj_J6Ak{&wQETk5gc$vX@6`==)k<P)r7f5KO9Me$(B|UWF
zSjGlI(-p$OBGMG_09cMmXr&y}Q354BbmG|cO((RR0DF9x(8w>~W9=mLgdEE^=s%WQ
z{_iH1-^*J58}3al|L>1wE&nS>ZW46dLFvwP8a2}mY{VT*WHw>(FQcC!XMITM2}kXf
za7@P?l=RSwW81?fpNH3I7$92@Nd|0s6OufN&`LR`qXbHN=)|$@AT)sVCLbZR(6y0D
z#?E6BS}DhLlt4)joj7)602nJm(+-4(D7F)@9Fx$K=2%+(Tgxr~(~0GGvzGtH+0^ns
z^HkRI=aP!4^i@H}9hB}&r%|(fq^^dp69hJvKQ8=Y)+Z*RCp~Hk9NSFXfl@iIhfW+L
z_ZsVW#B_XQubQTX03i1kC87Cy8>BC4)4r&Z9y)RC$?Rb4IoQ7CyYQ4?fjEvyXr&y}
zzNnHOI&qBXBsNoR8#!V&TvFQ-Y>bkG4xD3Y`45&`{$~=)?_@3i&96@_fA8_E<zH2x
zVAI~M(w%8FYDk!OT^kv!$oz9`Ap$m$Oi<8)kJ@UEY427^51ly1n=?fA7_uw_WDNV*
z3}+(<B(zeFX<t-H51lxcX2*393A4bmC2JH|3r|8T<(T$GmGsbwV<Z=#zD5YF0%e-8
zTeh1@K`Z5WwJ$0y|0l~W|MwEhZ)Yw4Eq5iBAA9fDz9wt=SL)$N67qMZ)2JcG37du<
zYBYt9op8%{_y__8&EMNV*O#<+ORAjLLo1Gv;baRtv;*YP<3G0~5=KGu_cl<DX<yV-
z(L*PWv3~?72_bk-VAlij8o}ooP|zwlc4%LeR5`DQUK~4E3nJYe3l-FKn;{>iK_*`j
zn!mR}&SQu6MYDQH%YPdzf63na3)1pm@y*oouk5|wa4+_ZAOGOjvX);#;*S%Fhl>(#
zoQ1@r?|(~C;-|}X{7EA5k)p(#Uk{0o?Ek=;CH^##_^(BYx7-DZU+;apDDn1k9sehh
z_>H2(+b)O1`&#2giC-vxCqFACHbpA2zxRII<*7IJ-CU!C<>{H9b2>dwK2k~$Qg(g3
zeSNI_5dr1m4kR>xZv%av=(vND9y)O>uqgGgdFc7ribB?oCD@fe39Xc4CQ3l5oYzAq
zjxA(<B7fVm+|Wig2P#U~7$phK-`havF&!mP(nBkbQA3Ok5;Tgy7L@5BkjCziSQNBU
zj_D|Yk{*ll4SGkp<$o@*{8rZTf9|x@@-JMSeV44Y<4cuUPS`a>wGT=$(R{*@TP1AN
z6Y<d^w9-*y;tnc$==5ZG=$L^_g8&f+G&MjareNQqB(zeFSH~SzMF}XC^LpsSv5z^7
z-~ciWV1rN&E_mxhLi6`FPzz5-36%8EiDSnK0`Q7TK^K`bc%||&N)lQr$8?lHNe`A|
zY5DIgxBTBvEWeqx{C9pfwfs{rWG#QOdsM%tSA`bd^*y-3D6vQL3}K?!Az;@&B(%y=
zbLqH)k{;}+y$T#7PZ*98l0s0Zj8caH35=YdL_#a&n29@3D(CgkiDMr#7bUK!bv3aW
z?%-c`9+S}gy$#aByNoYNshrnCCytRP;~_!`ev$5kkT8<UxOq%M^Y=DTj%i<1Nsl#i
zEG_?C<(5C`o7k*pE&tuSQp^8G7iBGfg%;j)5Vwcvk*R5cX$A1TxKSgam5v(i-74v^
z=25GVV;?3*pvgzzp$8)Re85@aI3}T$a!h--N_uF;vFC`u!%78-dR~Z1Wj+H3?fi<+
zN;#%|Q6)We;#d|3!dl2iD$;8BNa^I}F$t}dW7-#0(qmv8OUwVoa?77oKQ>3Rmj5fq
zQp<no_p_FN5PeuZTQ(ZPzi2gtZxPF6M~#A3I%>3cD^&Ct*r*MHV__mQ3rWIQV+uSO
zutF@y6tq%~Y3~-rTt$`hdg#P4A~Uv&HZ|yo=whK_A{mF{n1tr<ZIJ6rkM>2C^w5c8
zBnl&VhX9!D@&RLC((RUnR?0E$iz?|+ImgoS|5Lf;PpZ_LBU#IT|H0Jq-yUQwzp<#?
z%p84K(fmdrsU;BT*ykY~kbN>JXr-e@d$**@c|9s0wKZ^z2r-tGvV|PV{!j*sFcZfy
z3C-WzK&=n$-74v!6US)giR}5nLlGJxT?iz2Y`-iLS}Di0FRG-6P8|EN6j-^3o-CNh
zvJk5lZXT1+N;zhHQA*{!9<Lh5((-?)-0~;gM4IPiE&s#YQ_FwKuB_!Jj;pXxpCAnn
z8VEQ61`qk(+^CVzJX-^`KD2kMq{pi^Y6Qnv?1W|zqKXAQZv|pvCcD#0LM!E%_HLE*
z(1~MAUIz)R4nhZ5$zw;`VmT(Em2yn`qDp#b#W6xNrVVElTdn9S86qgg*$NrODL^ab
znD#}L^w5c84@q~nwETCMTmGc$Q}b<E%m2-nQ_KH`TrO*1q0<2>(a;sz;p?Q5i|3(L
zj+#$<w@P~GG-^ogz>W_Lk1v}Z;KU04Km`(7DaW*TtE7ic9HT@i^bn^(9v`|+!WVT}
z>q9~-<(T$GmGsbwW8u0;V{>Gl5_<K4X+D>RgjUKi?Taeup%ce=?IWCmRwHQ8kL(Oo
zRj%^)rRD$Ua?77|=WCvuwfv9WoLc_B`-AM7e<gcPen(!s(ov(mTO~bo8Z}FXED=J0
z<-x8t_OkiiY!X^2$Fz5=q=!x%<H$r<9i)Vzs>75^Onw)TgjUKi?Taeup%ceo)k3X-
ziL+M_tucMnn{jJ+5?U$8v@fcphfW;J6k0Utv_tHKVOJDgXxN&A6{v#cPipL%=VUGa
zw=PO7KdP(md@O7ES6#f)QKP-vl{+iZL#I)b<K<a0g98hB9Lb0dtK5@8LM!E%_HLE*
z(1~Mo3qr8b_OLJ(=q7>Uj#X=)>`H}%R>`qEY?(OyNl6c#IQCEv3G0rQh6sguA@YCO
zc}zkp<(T$GmGsbxW9-(M7XHD>MCiyQTiJ590;5rcW;m9X|I1kOmsD53m{bKnoLc^s
z>gvy(hN|Fu=5EYdeg%myB@!PhO1$&4kod*jFBc`=Q?BF7iNt>?O1yg)Bp$kK=b9z{
zZzA#QMTuWI28o~9b*L!u-f|s(mPmZCDDnP-ka+OjIGR3x==)d8y|JW9y?J&jv0q*N
z)Q?hc>^F1gl;dReLGF+QOx)pwbM9nLc&{*zRn{pWv0FBRw$K|9dr|CrfrMtBr$KW}
z#~qaP(8*@WCUQR3HnI{8Ep2Ti({nb9gjUKi9VJlGLnn?=oqz?ujj4?0lh~)kInf-)
zB(zeF=_rAc9y)O>&^F%0TNmXtvZ7KRWXy3)LX|j{Z_pE1{-m2ob5qvxKljnp@;`Sh
z`z~3E_lyL?t1ezF2%~!526Ws(>CUtoHH16S1`&@0HcHU$3@PgDs8P^W#O?14+QQRu
z2YDz#LFK$2I&q919U*)xfyQKbGUUOTto0$G`Fk7aN`;ORDCwaU$LKYQvjDNnhdf~$
zXR(xUOhGH<n2r*lhjdZpydFAn9AI}3DPlg329!r2phE#$IYvVB_qL{aEG_@n%Gdl!
z*Qe(1W-b2@e=oKCyWg0#{3DaCW_xD7H9KZd7Cxlo4oY{X)2QK{i~=bH?Gah_F>ELa
z;Ve7}eMO^oB97^}gOVOPag46QAr5nqK}zIV;!Vm&mPu%(9Mit2k{&v7jMG36GjlvR
zORkW+;3ZurDQKk}Grp*b9(r+%(6uX%t-vEFvt{_YRlH@3&`LO#mjC{8%b#@TYrZvW
z`G5LsYWX*RI&1k`ON+ast`XASt<s(8G-?*A&jk9cAfoK}vh|+LuHi{&C8L&dOnbLV
zdg#P4%A?WrDojo!59N#0VI#{Vv{H^~UsOpCoj6A1OQ3Hg<}#XHqNh2|HsMw(B(zeF
z8DErAIj@IK9LqC{U6jfrg$$W`@+5UO+DJn4_qL`r{E1eBd0$k)@+Uhm&ELsd{-1p~
zwfuj%Icxd*dzngirqigQ239tC4&i*rQV@9tCi`Si&`L**_HId)^LkXz@gV0Xh^M!r
zDauDiNGv(^7%XYz7%XY*87%qoWw7L8h{X~sbOuYh9}Jds2N^8so-<f70K;La7#@Qq
z1C$(=ikdT6a!Y{0l3O$kmfSL9u;jKmhov$e7;G+`Lt6d^%GdnKPI>b!S<8RSPc6Us
z<*eoJ=d>_aClhuUESW&XV969Y21}+aGFUQ&l);iIy$qI2+Gen15<P<@iy9a#S!BXs
z$uc4iOI4yVShCEH!IEW<43;dgWw2zSF@q%wzZoo9h|gfjRtpT4Y<<CC$yOvBmTC>d
zVX1ya43=!h#9^s^UJRCOR>ok-c61DuY*WZ!$+nRUmTaHNV95rl3|897LXTYryQ-0~
zwEPd2TmB@YsX3gn{D)3`GPV3$&&gW;l`hK6)yY=X43=yH&S9xO@(h-2*3V$cLkk#e
z_P~(kLnK%%apnwzB@fi$u+%|I3>I&d;;CB<mON67!IDS3F<A1*Jq}Bq1Ib{?LoOLC
zdFUvEB@d%zu;ih<43<20nZc6BU~^dNBy|Q$9uv=CQJjLHH6k*om6IuJXxcI{!C=u>
z!Nj@DNC!e&3`F*Dz#EITk(vdIik6P3(7+{d&=HS?5(r))lMAmR>{5iXQjgKWLi1lA
zl2LbNhuAZ+W!5!=g|3bRG&b-;=|lQ*7mvZ>OkHd&<5VNifUsqloLt9YrSA#|`X}1x
zKPyk1V&(SZML0Gb`BNyC^N=pWVgnSSBg};BW6Kz=q;XOSi%o*6BB`#HmjC+owdAX|
z>T`N+vbO%3BT44zo<Gf6{-M7}EI%qOK66vf^5f1hClC@B{9Ot3+P7p<26Bc`U0~vT
z16EV)@uA}qHlZL_HbwMhJ|x2|CYKCkq6Hrsfntck0*l2sc|Izv(922Yh@%vU*8vAU
zhB6q9gG>e1h=}<k+Rx~KEC?*iWW*1<^`<<=kjKh#Ma~vZmciUbXMEJ8^Ky~8AbZIO
zY<Z$`z(-vei?#6n4UiV*K~Xex!!`I>BQJ_|84BW2=;6w9E%_%6ZObsW*rr0;AUJn8
zt`&W4I37YgTX^I>*~n5p@+F+P7G?ud+2D`C2s`re?8}ualgA$}%?JN^lE?f&IzNx+
zgCBa`qsU{v>~(KDK0nVCI}e;8C4TrD8)~mzS4+NDP57Fe@wHzZ{)LqI$Hz#CZ(euV
zgU@CqZke8*s#~L`fdW=zXREi=>9o6XG-E7A@mzbxID6C7_8rrk&e=G$BkEomb;pby
z^NXE@DET{c)H9~`1J|nCqn0^pVdr>rBSu!&^ip)5VR^>88ZAS1@h~iR%(2IWYh1K#
zItl8vqGmkbZjBkug?2B>$N7>d++4i4aDH>H(d|X?M3Q#50^1t3X5+ar!wHi(yCmiY
z5W}b5A4yWi=Z>e0Ckfu5`4iW@*8|lr4n341=1eK^V~}XWxX7>7pTxMl_3$qx)$>QQ
zRKM4IS`HqlKJ!yqiQ~V$dHaRamrhL@Tc)>dHKumHbL+(y8p9*?`Y!vzdVTZs=Ke37
zQPZl|CodTuGL}EXb8*}mtJnAK+c&z;9&LAL>(lS9OM0AoFYeAa<I$OTX83}karv_g
zlD`|DiyAZiZ>5xRjAz4;az>)POY>Jw45wM((@4V`Hk$2L9JS(!VTO4KPqi73=i`Ow
zg2`^T-8H&VuhVYzqVanFr~PZ!S1vxjyFIgi)gRAUg}=m)R)lw!e~nBV%p=Uo@p>oo
z>uvqxZN|!G>uCOu`pQa~Ms!tYq0wseC!d_gJK{#X)Em8I`}E}(Z=2dWxoz^2>B-H;
zh|!<%#!Nfv8Lf6~EI%AZJU8Dn+MTGI2wAz-c)fqG<H^umFeInYP34m^dH&~)KmRL}
z@_n1+q&$7)gl+l!CzJA1r4kSSUt&?dnw^yI+muYoGuK`A+P&FHDRsP~T;i`1iTC9s
Po}Ea1BXoQ;EAjsUlI-4{

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/http/deeply-nested-mime.zeek b/testing/btest/scripts/base/protocols/http/deeply-nested-mime.zeek
new file mode 100644
index 0000000000..0def245e5b
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/deeply-nested-mime.zeek
@@ -0,0 +1,7 @@
+# @TEST-DOC: HTTP POST request with 100 nestesd message/rfc822 entities, causing an analysis depth of 200 or so, Zeek stops at 100 and produces a weird.
+#
+# @TEST-EXEC: zeek -b -r $TRACES/http/deeply-nested-mime.pcap %INPUT
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff weird.log
+
+@load base/protocols/http