eve-log: catch and log URLs in basic text emails without mime encapsulation.

expand pointer walk protection.

src/mime-decode.c

@@ -1090,7 +1090,6 @@ static int FindUrlStrings(const char *line, uint32_t len,
                     } else {
                         SCFree(tempUrl);
                     }
-
                     /* Increment counter */
                     url->url_cnt++;
                 } else {
@@ -1120,12 +1119,14 @@ static int ProcessDecodedDataChunk(const uint8_t *chunk, uint32_t len,
     char *remainPtr, *tok;
     uint32_t tokLen;
 
-    MimeDecConfig *mdcfg = MimeDecGetConfig();
+    if ((state->stack != NULL) && (state->stack->top != NULL) &&
-    if (mdcfg != NULL && mdcfg->extract_urls) {
+        (state->stack->top->data != NULL)) {
-        if ((state->stack != NULL) && (state->stack->top != NULL)) {
+        MimeDecConfig *mdcfg = MimeDecGetConfig();
+        if (mdcfg != NULL && mdcfg->extract_urls) {
             MimeDecEntity *entity = (MimeDecEntity *) state->stack->top->data;
             /* If plain text or html, then look for URLs */
             if (((entity->ctnt_flags & CTNT_IS_TEXT) ||
+                (entity->ctnt_flags & CTNT_IS_MSG) ||
                 (entity->ctnt_flags & CTNT_IS_HTML)) &&
                 ((entity->ctnt_flags & CTNT_IS_ATTACHMENT) == 0)) {
 
@@ -1161,18 +1162,19 @@ static int ProcessDecodedDataChunk(const uint8_t *chunk, uint32_t len,
                     } while (tok != remainPtr && remainPtr - (char *) chunk < len);
                 }
             }
-        } else {
-            SCLogDebug("Error: Stack pointer missing");
         }
-    }
 
-    /* Now invoke callback */
+        /* Now invoke callback */
-    if (state->dataChunkProcessor != NULL) {
+        if (state->dataChunkProcessor != NULL) {
-        ret = state->dataChunkProcessor(chunk, len, state);
+            ret = state->dataChunkProcessor(chunk, len, state);
-        if (ret != MIME_DEC_OK) {
+            if (ret != MIME_DEC_OK) {
-            SCLogDebug("Error: state->dataChunkProcessor() callback function"
+                SCLogDebug("Error: state->dataChunkProcessor() callback function"
-                    " failed");
+                            " failed");
+            }
         }
+    } else {
+        SCLogDebug("Error: Stack pointer missing");
+        ret = MIME_DEC_ERR_DATA;
     }
 
     /* Reset data chunk buffer */

src/output-json-email-common.c

@@ -166,7 +166,7 @@ static TmEcode JsonEmailLogJson(JsonEmailLogThread *aft,
             /* Subject: */
             field = MimeDecFindField(entity, "Subject");
             if (field != NULL) {
-                char *s = strndup(field->value, (int) field->value_len);
+                char *s = BytesToString((uint8_t *)field->value, (size_t) field->value_len);
                 if (likely(s != NULL)) {
                     //printf("Subject: \"%s\"\n", s);
                     json_object_set_new(sjs, "subject", json_string(s));
@@ -181,6 +181,20 @@ static TmEcode JsonEmailLogJson(JsonEmailLogThread *aft,
             int url_cnt = 0;
             json_t *js_attch = json_array();
             json_t *js_url = json_array();
+            if (entity->url_list != NULL) {
+                MimeDecUrl *url;
+                for (url = entity->url_list; url != NULL; url = url->next) {
+                    char *s = BytesToString((uint8_t *)url->url,
+                                            (size_t)url->url_len);
+                    if (s != NULL) {
+                        //printf("URL: \"%s\"\n", s);
+                        json_array_append_new(js_url,
+                                          json_string(s));
+                        SCFree(s);
+                        url_cnt += 1;
+                    }
+                }
+            }
             for (entity = entity->child; entity != NULL; entity = entity->next) {
                 if (entity->ctnt_flags & CTNT_IS_ATTACHMENT) {