detect/krb5: avoid integer underflow with krb5.ticket_encryption

author Philippe Antoine <pantoine@oisf.net>

Mon, 17 Feb 2025 08:08:54 +0000 (09:08 +0100)

committer Victor Julien <victor@inliniac.net>

Wed, 19 Feb 2025 08:21:33 +0000 (09:21 +0100)
author Philippe Antoine <pantoine@oisf.net>
Mon, 17 Feb 2025 08:08:54 +0000 (09:08 +0100)
committer Victor Julien <victor@inliniac.net>
Wed, 19 Feb 2025 08:21:33 +0000 (09:21 +0100)
diff --git a/rust/src/krb/detect.rs b/rust/src/krb/detect.rs

index 8566d17687cdb17b23ea1e83e408773ff2c18a32..7cc7d8120c22ca13c6ddfc9e7362337d4ca99575 100644 (file)
--- a/rust/src/krb/detect.rs
+++ b/rust/src/krb/detect.rs
@@ -192,7 +192,8 @@ pub fn detect_parse_encryption_list(i: &str) -> IResult<&str, DetectKrb5TicketEn
      let (i, v) = many1(detect_parse_encryption_item)(i)?;
      for &val in v.iter() {
          let vali = val.0;
-        if vali < 0 && ((-vali) as usize) < KRB_TICKET_FASTARRAY_SIZE {
+        // KRB_TICKET_FASTARRAY_SIZE is a constant typed usize but which fits in a i32
+        if vali < 0 && vali > -(KRB_TICKET_FASTARRAY_SIZE as i32) {
              l.negative[(-vali) as usize] = true;
          } else if vali >= 0 && (vali as usize) < KRB_TICKET_FASTARRAY_SIZE {
              l.positive[vali as usize] = true;
@@ -326,5 +327,15 @@ mod tests {
                  panic!("Result should have been ok.");
              }
          }
+        let ctx = detect_parse_encryption("-2147483648").unwrap().1;
+        match ctx {
+            DetectKrb5TicketEncryptionData::LIST(l) => {
+                assert_eq!(l.other.len(), 1);
+                assert_eq!(l.other[0], EncryptionType(i32::MIN));
+            }
+            _ => {
+                panic!("Result should have been list.");
+            }
+        }
      }
  }
author	Philippe Antoine <pantoine@oisf.net>
	Mon, 17 Feb 2025 08:08:54 +0000 (09:08 +0100)
committer	Victor Julien <victor@inliniac.net>
	Wed, 19 Feb 2025 08:21:33 +0000 (09:21 +0100)