From: Ashutosh Gupta (ashugup3) Date: Thu, 24 Jul 2025 10:34:06 +0000 (+0000) Subject: Pull request #4812: dce_rpc: Checked for integer overflow of smb_hdr + next_command_o... X-Git-Tag: 3.9.3.0~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5d80d2c65d678628a3cb090095d07652bc045d42;p=thirdparty%2Fsnort3.git Pull request #4812: dce_rpc: Checked for integer overflow of smb_hdr + next_command_offset Merge in SNORT/snort3 from ~ASHUGUP3/snort3:bug_CSCwq01518 to master Squashed commit of the following: commit cd37485cf03f03520636b8d6ba5b0f1e0f0022e1 Author: ashutosh Date: Tue Jul 15 12:48:49 2025 +0530 dce_rpc: Checked for integer overflow of smb_hdr + next_command_offset
---
diff --git a/src/service_inspectors/dce_rpc/dce_smb2.cc b/src/service_inspectors/dce_rpc/dce_smb2.cc
index 08ed0a722..4feded1ff 100644
--- a/src/service_inspectors/dce_rpc/dce_smb2.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb2.cc
@@ -23,6 +23,7 @@
 #include "config.h"
 #endif
+#include
 #include "dce_smb2.h"
 #include "flow/flow_key.h"
@@ -516,6 +517,16 @@ void DCE2_Smb2Process(DCE2_Smb2SsnData* ssd)
 }
 if (next_command_offset)
 {
+ // Check if adding next_command_offset would cause integer overflow
+ if (next_command_offset > SIZE_MAX - (uintptr_t)((const uint8_t*)smb_hdr))
+ {
+ dce_alert(GID_DCE2, DCE2_SMB_BAD_NEXT_COMMAND_OFFSET,
+ (dce2CommonStats*)&dce2_smb_stats, ssd->sd);
+ SMB_DEBUG(dce_smb_trace, DEFAULT_TRACE_OPTION_ID, TRACE_ERROR_LEVEL,
+ p, "integer overflow in next command offset\n");
+ dce2_smb_stats.v2_bad_next_cmd_offset++;
+ return;
+ }
 smb_hdr = (const Smb2Hdr*)((const uint8_t*)smb_hdr + next_command_offset);
 compound_request_index++;
 }
@@ -562,4 +573,3 @@ DCE2_SmbVersion DCE2_Smb2Version(const Packet* p)
 return DCE2_SMB_VERSION_NULL;
 }
-
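Review bot: The guard added inside `if (next_command_offset)` in the second hunk only rejects an offset that would wrap the address space (`next_command_offset > SIZE_MAX - (uintptr_t)smb_hdr`); it does not establish that the advanced `smb_hdr` still points inside the packet buffer, which is what the later header reads need. If `next_command_offset` is the 32-bit SMB2 NextCommand field, the condition can presumably only fire on 32-bit builds, so on 64-bit builds the protection must come from a length check that this hunk does not show. A comparison in the length domain would cover both cases without depending on address values, e.g. `if (next_command_offset > remaining_len) { /* alert, count, return */ }`, where `remaining_len` is a placeholder for the bytes left after `smb_hdr` in the buffer. It should run before any expression that forms `(const uint8_t*)smb_hdr + next_command_offset`, including any bounds test earlier in the loop. The body of `DCE2_Smb2Process` starts and ends outside the hunk, so whether such a check already precedes this code cannot be confirmed from here.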