一。MIME头部字段解析函数ProcessMimeHeaders
SMTPParse-> SMTPProcessRequest-> SMTPProcessCommandDATA-> MimeDecParseLine-> ProcessMimeEntity-> ProcessMimeHeaders
主要完成以下几个工作:
1。调用函数FindMimeHeader,根据冒号查找头部字段的name和value(如content-type等),并将其存储。
2。解析完头部字段后,分析头部字段的重要内容,如文本格式,编码类型,是否包含附件,是否有boundary,是否嵌套格式等,并根据这些信息设置相应的标志位,在解析body数据时使用。
参数:buf:行数据,len:行数据长度,state:MIME解析状态(MimeDecParseState)。返回值:成功时返回MIME_DEC_OK,失败时返回相应的错误码。
static int ProcessMimeHeaders(const uint8_t *buf, uint32_t len,
MimeDecParseState *state)
{
int ret = MIME_DEC_OK;
MimeDecField *field;
uint8_t *bptr = NULL, *rptr = NULL;
uint32_t blen = 0;
MimeDecEntity *entity = (MimeDecEntity *) state->stack->top->data;
//调用函数FindMimeHeader解析mime头部字段,并存储到mime_state中,
//解析完成后设置HEADER_DONE标志,如果成功解析到name则设置HEADER_START标志
//该函数解析完头部字段后,所有字段存放在MimeDecField 类型的链表中
/* Look for mime header in current line */
ret = FindMimeHeader(buf, len, state);
if (ret != MIME_DEC_OK) {
SCLogDebug("Error: FindMimeHeader() function failed: %d", ret);
return ret;
}
//下边的函数MimeDecFindField主要是变量头部字段链表,查找指定的字段名称,返回那个节点指针
//如果解析标志为HEADER_DONE则头部解析完成,分析头部重要字段如:content-type
//content-transer-code,content-dispositon,查找关键字符串如,"message/"
//"boundary"等,设置相关的编码标志
/* Post-processing after all headers done */
if (state->state_flag == HEADER_DONE) {
//查找编码并设置编码标志
/* First determine encoding by looking at Content-Transfer-Encoding */
field = MimeDecFindField(entity, CTNT_TRAN_STR);
if (field != NULL) {
/* Look for base64 */
if (FindBuffer(field->value, field->value_len, (const uint8_t *)BASE64_STR, strlen(BASE64_STR))) {
SCLogDebug("Base64 encoding found");
entity->ctnt_flags |= CTNT_IS_BASE64;
} else if (FindBuffer(field->value, field->value_len, (const uint8_t *)QP_STR, strlen(QP_STR))) {
/* Look for quoted-printable */
SCLogDebug("quoted-printable encoding found");
entity->ctnt_flags |= CTNT_IS_QP;
}
}
//查找是否有附件并设置附件标志
/* Check for file attachment in content disposition */
field = MimeDecFindField(entity, CTNT_DISP_STR);
if (field != NULL) {
bptr = FindMimeHeaderToken(field, "filename=", TOK_END_STR, &blen);
if (bptr != NULL) {
SCLogDebug("File attachment found in disposition");
entity->ctnt_flags |= CTNT_IS_ATTACHMENT;
/* Copy over using dynamic memory */
entity->filename = SCMalloc(blen);
if (unlikely(entity->filename == NULL)) {
SCLogError(SC_ERR_MEM_ALLOC, "memory allocation failed");
return MIME_DEC_ERR_MEM;
}
memcpy(entity->filename, bptr, blen);
entity->filename_len = blen;
}
}
//分析content-type的内容,查找boundary,message/等
/* Check for boundary, encapsulated message, and file name in Content-Type */
field = MimeDecFindField(entity, CTNT_TYPE_STR);
if (field != NULL) {
//如果找到boundary字符串,表示当前信件体包含子信件体,设置变量found_child为1
//解析body数据时会判断这个变量
/* Check if child e