MIME: Cap nested MIME analysis depth to 100

OSS-Fuzz managed to produce a MIME multipart message construction with thousands of nested entities (or that's what Zeek makes out of it anyhow). Prevent such deep analysis by capping at a nesting depth of 100, preventing unnecessary resource usage. A new weird named exceeded_mime_max_depth is reported when this limit is reached. This change reduces the runtime of the OSS-Fuzz reproducer from ~45 seconds to ~2.5 seconds. The test PCAP was produced from a Python script using the email package and sending the rendered version via POST to a HTTP server. (cherry picked from commit 997c017df937ea47d999d9724e247c3d0e38e509)
2025-10-08 17:48:21 +00:00 · 2024-01-15 21:06:24 +01:00 · 2024-01-15 21:06:24 +01:00 · b57a854633
commit b57a854633
parent c912b28444
12 changed files with 72 additions and 0 deletions
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -2753,6 +2753,16 @@ export {
 } # end export


+module MIME;
+export {
+	## Stop analysis of nested multipart MIME entities if this depth is
+	## reached. Setting this value to 0 removes the limit.
+	const max_depth = 100 &redef;
+
+} # end export
+
+
+
 module MOUNT3;
 export {