From: Philippe Antoine
Date: Mon, 4 Apr 2022 20:51:01 +0000 (+0200)
Subject: smb: ntlmssp domain_blob_offset underflow check
X-Git-Tag: suricata-5.0.9~32
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ef51abad7099f9ffd62e2e1718d460b45784b59;p=thirdparty%2Fsuricata.git

smb: ntlmssp domain_blob_offset underflow check

Ticket: 5246
(cherry picked from commit e72036f12f577fb37b985147c2c847d147e49db2)
---
diff --git a/rust/src/smb/ntlmssp_records.rs b/rust/src/smb/ntlmssp_records.rs
index d5d8c5125c..02a3eab709 100644
--- a/rust/src/smb/ntlmssp_records.rs
+++ b/rust/src/smb/ntlmssp_records.rs
@@ -87,9 +87,10 @@ named!(pub parse_ntlm_auth_record,
 // subtrack 12 as idenfier (8) and type (4) are cut before we are called
 // subtract 60 for the len/offset/maxlen fields above
- >> cond!(nego_flags.1==1, take!(domain_blob_offset - (12 + 60)))
+ >> cond!(nego_flags.1==1 && domain_blob_offset > 72, take!(domain_blob_offset - (12 + 60)))
+
 // or 52 if we have no version
- >> cond!(nego_flags.1==0, take!(domain_blob_offset - (12 + 52)))
+ >> cond!(nego_flags.1==0 && domain_blob_offset > 64, take!(domain_blob_offset - (12 + 52)))
 >> domain_blob: take!(domain_blob_len)
 >> user_blob: take!(user_blob_len)
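Review bot: When `domain_blob_offset` is at or below the fixed-field size, both new guards on the `cond!` lines are false, so nothing is skipped and `domain_blob: take!(domain_blob_len)` reads from the current position instead of the record being rejected. That removes the unsigned underflow, but an offset pointing inside the fixed fields is malformed input, and the domain and user values parsed from it may not be the bytes the offsets describe. If lenient parsing is intended, say so with a comment such as `// offset inside the fixed fields: skip nothing, blobs are read from here`; otherwise fail the parse for that case. The literals `72` and `64` also duplicate `(12 + 60)` and `(12 + 52)`, so writing the guard as `domain_blob_offset > (12 + 60)` (and `> (12 + 52)`) would keep the check and the subtraction from drifting apart. The body of `parse_ntlm_auth_record` starts and ends outside this hunk, so whether the other blob offsets are validated elsewhere cannot be seen here.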