MIME: Cap nested MIME analysis depth to 100

OSS-Fuzz managed to produce a MIME multipart message construction with thousands of nested entities (or that's what Zeek makes out of it anyhow). Prevent such deep analysis by capping at a nesting depth of 100, preventing unnecessary resource usage. A new weird named exceeded_mime_max_depth is reported when this limit is reached. This change reduces the runtime of the OSS-Fuzz reproducer from ~45 seconds to ~2.5 seconds. The test PCAP was produced from a Python script using the email package and sending the rendered version via POST to a HTTP server. Closes #208
2025-10-02 06:38:20 +00:00 · 2024-01-15 21:06:24 +01:00 · 2024-01-15 21:06:24 +01:00 · 2a858d252e
commit 2a858d252e
parent cea7c473ac
13 changed files with 74 additions and 1 deletions
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -2780,6 +2780,16 @@ export {
 } # end export


+module MIME;
+export {
+	## Stop analysis of nested multipart MIME entities if this depth is
+	## reached. Setting this value to 0 removes the limit.
+	const max_depth = 100 &redef;
+
+} # end export
+
+
+
 module MOUNT3;
 export {