From: Andres Avila Segura (aavilase) <aavilase@cisco.com>
Date: Fri, 24 Oct 2025 20:15:22 +0000 (+0000)
Subject: Pull request #4954: s7commplus: out of bounds check during decode
X-Git-Tag: 3.9.7.0~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3c9124c1b697cfe22e164ce095ba0591f49cea55;p=thirdparty%2Fsnort3.git

Pull request #4954: s7commplus: out of bounds check during decode

Merge in SNORT/snort3 from ~AAVILASE/snort3:s7commplus_out_bounds_check to master

Squashed commit of the following:

commit 946cf17ece70bdf2899053099dca70e93fd7d9b5
Author: Andres Avila <aavilase@cisco.com>
Date:   Tue Oct 21 10:12:21 2025 -0400

    s7commplus: out of bounds check during decode
---

diff --git a/src/service_inspectors/s7commplus/s7comm_decode.cc b/src/service_inspectors/s7commplus/s7comm_decode.cc
index 0b6fc15d7..f7b7cff68 100644
--- a/src/service_inspectors/s7commplus/s7comm_decode.cc
+++ b/src/service_inspectors/s7commplus/s7comm_decode.cc
@@ -35,6 +35,10 @@
 #include "s7comm.h"
 #include "s7comm_module.h"
 
+#ifdef REG_TEST
+#include "log/messages.h"
+#endif
+
 #pragma pack(1)
 /* TPKT header */
 struct TpktHeader
@@ -95,6 +99,15 @@ static bool S7commPlusProtocolDecode(S7commplusSessionData* session, Packet* p)
     }
     else
     {
+        if ( p->dsize < (sizeof(TpktHeader) + sizeof(CotpHeader) + \
+            sizeof(S7commplusHeader) + sizeof(S7commplusDataHeader) + \
+            INTEGRITY_PART_LEN) )
+        {
+#ifdef REG_TEST
+            LogMessage("s7commplus packet dsize is less than headers for version 3 protocol");
+#endif
+            return false;
+        }
         /* 33 byte Integrity part for V3 header packets */
         offset += sizeof(S7commplusHeader) + INTEGRITY_PART_LEN ;
     }