From 8ae5665767a1660cdb0eaa8134c5910852b1afad Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 17 Feb 2025 09:08:54 +0100
Subject: [PATCH] detect/krb5: avoid integer underflow with krb5.ticket_encryption
Ticket: 7560
When passing INT32_MIN aka 0x80000000, we cannot compute -vali as it does not fit into a i32
---
 rust/src/krb/detect.rs | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/rust/src/krb/detect.rs b/rust/src/krb/detect.rs
index 8566d17687..7cc7d8120c 100644
--- a/rust/src/krb/detect.rs
+++ b/rust/src/krb/detect.rs
@@ -192,7 +192,8 @@ pub fn detect_parse_encryption_list(i: &str) -> IResult<&str, DetectKrb5TicketEn
 let (i, v) = many1(detect_parse_encryption_item)(i)?;
 for &val in v.iter() {
 let vali = val.0;
- if vali < 0 && ((-vali) as usize) < KRB_TICKET_FASTARRAY_SIZE {
+ // KRB_TICKET_FASTARRAY_SIZE is a constant typed usize but which fits in a i32
+ if vali < 0 && vali > -(KRB_TICKET_FASTARRAY_SIZE as i32) {
 l.negative[(-vali) as usize] = true;
 } else if vali >= 0 && (vali as usize) < KRB_TICKET_FASTARRAY_SIZE {
 l.positive[vali as usize] = true;
@@ -326,5 +327,15 @@ mod tests {
 panic!("Result should have been ok.");
 }
 }
+ let ctx = detect_parse_encryption("-2147483648").unwrap().1;
+ match ctx {
+ DetectKrb5TicketEncryptionData::LIST(l) => {
+ assert_eq!(l.other.len(), 1);
+ assert_eq!(l.other[0], EncryptionType(i32::MIN));
+ }
+ _ => {
+ panic!("Result should have been list.");
+ }
+ }
 }
 }
-- 2.47.3
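Review bot: The new guard in the first hunk (`@@ -192,7 +192,8 @@`, `detect_parse_encryption_list`) is only correct while `KRB_TICKET_FASTARRAY_SIZE as i32` is lossless, and nothing but the added comment enforces that; `as` would silently truncate if the constant were ever enlarged. The index on the following line also still computes `-vali`, which is safe only because of this guard. Comparing magnitudes without negation removes both dependencies: `if vali < 0 && (vali.unsigned_abs() as usize) < KRB_TICKET_FASTARRAY_SIZE {` followed by `l.negative[vali.unsigned_abs() as usize] = true;`. `unsigned_abs()` is defined for `i32::MIN`, so no signed negation of a parsed value remains on this path. The function body starts and ends outside the hunk.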
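Review bot: The case added in the second hunk (`@@ -326,5 +327,15 @@`, `mod tests`) exercises only `i32::MIN`, so no test visible here pins the edge of the rewritten comparison `vali > -(KRB_TICKET_FASTARRAY_SIZE as i32)`. Two cases built from the constant would catch an off-by-one there: `-(KRB_TICKET_FASTARRAY_SIZE as i32)` should land in `l.other`, and the value one above it should set the last slot of `l.negative` (assuming that array has `KRB_TICKET_FASTARRAY_SIZE` entries). Presumably both can go through the same entry point with a formatted string, e.g. `detect_parse_encryption(&format!("-{}", KRB_TICKET_FASTARRAY_SIZE))`. The enclosing test function starts outside the hunk.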