]> git.ipfire.org Git - thirdparty/suricata.git/commitdiff
projects / thirdparty / suricata.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 013fb2d)
smb: check on param parsing
authorPhilippe Antoine <contact@catenacyber.fr>
Mon, 4 Apr 2022 20:45:56 +0000 (22:45 +0200)
committerVictor Julien <vjulien@oisf.net>
Mon, 11 Apr 2022 17:11:01 +0000 (19:11 +0200)
Ticket: 5246

so as not to overflow u16

rust/src/smb/smb1_records.rs patch | blob | blame | history

diff --git a/rust/src/smb/smb1_records.rs b/rust/src/smb/smb1_records.rs
index 1a2388a8b06c27f0f2a606cc288c70b2733f4c36..6f602ceffe80a00dfbef72a4543292cec55266b4 100644 (file)
--- a/rust/src/smb/smb1_records.rs
+++ b/rust/src/smb/smb1_records.rs
@@ -20,7 +20,7 @@ use crate::smb::error::SmbError;
 use crate::smb::smb::*;
 use crate::smb::smb_records::*;
 use nom7::bytes::streaming::{tag, take};
-use nom7::combinator::{complete, cond, peek, rest};
+use nom7::combinator::{complete, cond, peek, rest, verify};
 use nom7::multi::many1;
 use nom7::number::streaming::{le_u8, le_u16, le_u32, le_u64};
 use nom7::IResult;
@@ -702,7 +702,7 @@ pub fn parse_smb_trans2_request_record(i: &[u8]) -> IResult<&[u8], SmbRequestTra
     let (i, _timeout) = le_u32(i)?;
     let (i, _reserved2) = take(2_usize)(i)?;
     let (i, param_cnt) = le_u16(i)?;
-    let (i, param_offset) = le_u16(i)?;
+    let (i, param_offset) = verify(le_u16, |&v| v <= (u16::MAX - param_cnt))(i)?;
     let (i, data_cnt) = le_u16(i)?;
     let (i, data_offset) = le_u16(i)?;
     let (i, _setup_cnt) = le_u8(i)?;
Mirror of https://github.com/OISF/suricata.git