enip: harden byte parsing code

Make sure we never read more than we have.

Reported-by: Henning Perl

diff --git a/src/app-layer-enip-common.c b/src/app-layer-enip-common.c
index 844a5c91ac3e1a8cb9fa5e87c4e7983b80d35c6a..2002e39bbfa2baff145213851160b221ebba08b9 100644 (file)
--- a/src/app-layer-enip-common.c
+++ b/src/app-layer-enip-common.c
@@ -44,7 +44,7 @@
 static int ENIPExtractUint8(uint8_t *res, uint8_t *input, uint16_t *offset, uint32_t input_len)
 {
 
-    if (*offset > (input_len - sizeof(uint8_t)))
+    if (input_len < sizeof(uint8_t) || *offset > (input_len - sizeof(uint8_t)))
     {
         SCLogDebug("ENIPExtractUint8: Parsing beyond payload length");
         return 0;
@@ -64,7 +64,7 @@ static int ENIPExtractUint8(uint8_t *res, uint8_t *input, uint16_t *offset, uint
 static int ENIPExtractUint16(uint16_t *res, uint8_t *input, uint16_t *offset, uint32_t input_len)
 {
 
-    if (*offset > (input_len - sizeof(uint16_t)))
+    if (input_len < sizeof(uint16_t) || *offset > (input_len - sizeof(uint16_t)))
     {
         SCLogDebug("ENIPExtractUint16: Parsing beyond payload length");
         return 0;
@@ -85,7 +85,7 @@ static int ENIPExtractUint16(uint16_t *res, uint8_t *input, uint16_t *offset, ui
 static int ENIPExtractUint32(uint32_t *res, uint8_t *input, uint16_t *offset, uint32_t input_len)
 {
 
-    if (*offset > (input_len - sizeof(uint32_t)))
+    if (input_len < sizeof(uint32_t) || *offset > (input_len - sizeof(uint32_t)))
     {
         SCLogDebug("ENIPExtractUint32: Parsing beyond payload length");
         return 0;
@@ -106,7 +106,7 @@ static int ENIPExtractUint32(uint32_t *res, uint8_t *input, uint16_t *offset, ui
 static int ENIPExtractUint64(uint64_t *res, uint8_t *input, uint16_t *offset, uint32_t input_len)
 {
 
-    if (*offset > (input_len - sizeof(uint64_t)))
+    if (input_len < sizeof(uint64_t) || *offset > (input_len - sizeof(uint64_t)))
     {
         SCLogDebug("ENIPExtractUint64: Parsing beyond payload length");
         return 0;