Pull request #4842: appid: accounting for tmp offset in RPC
authorDaniil Kolomiiets -X (dkolomii - SOFTSERVE INC at Cisco) <dkolomii@cisco.com>
Thu, 31 Jul 2025 21:41:53 +0000 (21:41 +0000)
committerChris Sherwin (chsherwi) <chsherwi@cisco.com>
Thu, 31 Jul 2025 21:41:53 +0000 (21:41 +0000)
Merge in SNORT/snort3 from ~DKOLOMII/snort3:rpc_out_of_bounds to master

Squashed commit of the following:

commit 6b1ebc797bafa30f4b5447b8b5bdc2a132ae6bf5
Author: Daniil Kolomiiets <dkolomii@cisco.com>
Date:   Thu Jul 31 10:22:07 2025 -0400

    appid: accounting for tmp offset in RPC

src/network_inspectors/appid/service_plugins/service_rpc.cc

index 19e2d78d5856497eb89fb0a04ed3e7c73b5e201d..293de20d739e486c429f81b52a700e51363870d9 100644 (file)
@@ -423,7 +423,7 @@ int RpcServiceDetector::validate_packet(const uint8_t* data, uint16_t size, Appi
         case RPC_PROGRAM_PORTMAP:
             if (rd->program_version == 3 and rd->procedure == RPC_BIND_PORTMAP_GETADDR)
             {
-                if (sizeof(ServiceRPCCall) + PROGRAM_LENGTH + VERSION_LENGTH + sizeof(NetId) > size)
+                if ((PROGRAM_LENGTH + VERSION_LENGTH + sizeof(NetId)) > (unsigned)(end - data))
                     return APPID_NOT_COMPATIBLE;
                 data += (PROGRAM_LENGTH + VERSION_LENGTH);
                 const NetId* net_id = (const NetId*) data;
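Review bot: The `(unsigned)(end - data)` cast in the new bound check wraps to a very large value if `data` has ever been advanced past `end`, in which case the check passes and the `NetId` cast below reads past the buffer. Whether that can happen depends on code above the hunk, which is not visible here, so an explicit guard would make the check self-contained: `if (data > end or (size_t)(end - data) < PROGRAM_LENGTH + VERSION_LENGTH + sizeof(NetId))`. The same pattern appears in the reply-side check `sizeof(UniversalAddress) > (unsigned)(end-data)` in the second hunk. validate_packet starts and ends outside both hunks.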
@@ -483,7 +483,7 @@ int RpcServiceDetector::validate_packet(const uint8_t* data, uint16_t size, Appi
             case RPC_PROGRAM_PORTMAP:
                 if (rd->program_version == 3 and rd->procedure == RPC_BIND_PORTMAP_GETADDR)
                 {
-                    if ((sizeof(ServiceRPCReply) + sizeof(UniversalAddress)) > size)
+                    if (sizeof(UniversalAddress) > (unsigned)(end-data))
                         return APPID_NOMATCH;
                     const UniversalAddress* u_addr = (const UniversalAddress*) data;
                     tmp = ntohl(u_addr->length);
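Review bot: The new check guarantees only the fixed `sizeof(UniversalAddress)` bytes, while the next line takes `tmp` from the wire via `ntohl(u_addr->length)`. If the code after the hunk consumes `tmp` bytes of address data, it needs its own bound against the remaining `end - data` rather than `size`, for the same reason this commit changes the check above; that code is outside the hunk, so this could not be confirmed here. A short comment on the check, such as `// data already points past the reply header; bound against end, not size`, would help keep a later edit from reintroducing the original form.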