From: Ashutosh Gupta (ashugup3) Date: Thu, 24 Jul 2025 10:25:07 +0000 (+0000) Subject: Pull request #4805: dce_rpc: Checking integer overflow on data_offset + data_length X-Git-Tag: 3.9.3.0~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8e23bc4de6bf504827beb23ab73b0faf18c98ac5;p=thirdparty%2Fsnort3.git Pull request #4805: dce_rpc: Checking integer overflow on data_offset + data_length Merge in SNORT/snort3 from ~ASHUGUP3/snort3:bug_CSCwq01522 to master Squashed commit of the following: commit b4ed468b632bfd7595cbcfdb9247d81d446d56f5 Author: ashutosh Date: Mon Jul 14 13:20:17 2025 +0530 dce_rpc: Checking integer overflow on data_offset + data_length --- diff --git a/src/service_inspectors/dce_rpc/dce_smb2_commands.cc b/src/service_inspectors/dce_rpc/dce_smb2_commands.cc index e8dad63fe..aab9f4dd1 100644 --- a/src/service_inspectors/dce_rpc/dce_smb2_commands.cc +++ b/src/service_inspectors/dce_rpc/dce_smb2_commands.cc @@ -299,7 +299,7 @@ bool DCE2_IsSmb2DurableReconnect(const Smb2CreateRequestHdr* smb_create_hdr, con (data_offset & 0x7) != 0 or (data_offset and (data_offset < name_offset + name_length)) or (data_offset > remaining) or - (data_offset + data_length > remaining)) + (data_offset + data_length > remaining) or (data_offset + data_length < data_length)) { return false; }
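Review bot: the added wraparound test `(data_offset + data_length < data_length)` in the last clause of the condition only works if the sum is computed in an unsigned type at least as wide as `int`, and the declarations of `data_offset` and `data_length` are not visible in this hunk. If either is a narrower type, integer promotion means the sum never wraps and the new clause is dead code; if they are signed, the overflow is undefined behaviour rather than a wrap. A form that avoids the addition is safer and needs no second clause: because `(data_offset > remaining)` is already tested just before, the two sum checks can be replaced by `(data_length > remaining - data_offset)`, which cannot overflow. The same unguarded pattern is still present two lines up in `data_offset < name_offset + name_length`, which would benefit from the same treatment. As a style point, the new clause is appended to an existing line while every other clause sits on its own line; putting it on a separate line with a short comment naming the overflow case would make the intent clear to later readers.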