detect/krb5: avoid integer underflow with krb5.ticket_encryption

Ticket: 7560

When passing INT32_MIN aka 0x80000000, we cannot compute -vali
as it does not fit into a i32

(cherry picked from commit 8ae5665767a1660cdb0eaa8134c5910852b1afad)

diff --git a/rust/src/krb/detect.rs b/rust/src/krb/detect.rs
index 25cce9bcf8267ed5d5e95ebb837248a24be5307d..8bac17d9d35fc285b176e44b4fc4878ea0176fc4 100644 (file)
--- a/rust/src/krb/detect.rs
+++ b/rust/src/krb/detect.rs
@@ -193,7 +193,8 @@ pub fn detect_parse_encryption_list(i: &str) -> IResult<&str, DetectKrb5TicketEn
     let (i, v) = many1(detect_parse_encryption_item)(i)?;
     for &val in v.iter() {
         let vali = val.0;
-        if vali < 0 && ((-vali) as usize) < KRB_TICKET_FASTARRAY_SIZE {
+        // KRB_TICKET_FASTARRAY_SIZE is a constant typed usize but which fits in a i32
+        if vali < 0 && vali > -(KRB_TICKET_FASTARRAY_SIZE as i32) {
             l.negative[(-vali) as usize] = true;
         } else if vali >= 0 && (vali as usize) < KRB_TICKET_FASTARRAY_SIZE {
             l.positive[vali as usize] = true;
@@ -327,5 +328,15 @@ mod tests {
                 panic!("Result should have been ok.");
             }
         }
+        let ctx = detect_parse_encryption("-2147483648").unwrap().1;
+        match ctx {
+            DetectKrb5TicketEncryptionData::LIST(l) => {
+                assert_eq!(l.other.len(), 1);
+                assert_eq!(l.other[0], EncryptionType(i32::MIN));
+            }
+            _ => {
+                panic!("Result should have been list.");
+            }
+        }
     }
 }