From: Philippe Antoine Date: Mon, 17 Feb 2025 08:08:54 +0000 (+0100) Subject: detect/krb5: avoid integer underflow with krb5.ticket_encryption X-Git-Tag: suricata-7.0.9~30 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7fce4ef077f58e094cbc54e39e9cb9ec0de5d2f0;p=thirdparty%2Fsuricata.git detect/krb5: avoid integer underflow with krb5.ticket_encryption Ticket: 7560 When passing INT32_MIN aka 0x80000000, we cannot compute -vali as it does not fit into a i32 (cherry picked from commit 8ae5665767a1660cdb0eaa8134c5910852b1afad)
---
diff --git a/rust/src/krb/detect.rs b/rust/src/krb/detect.rs
index 25cce9bcf8..8bac17d9d3 100644
--- a/rust/src/krb/detect.rs
+++ b/rust/src/krb/detect.rs
@@ -193,7 +193,8 @@ pub fn detect_parse_encryption_list(i: &str) -> IResult<&str, DetectKrb5TicketEn
 let (i, v) = many1(detect_parse_encryption_item)(i)?;
 for &val in v.iter() {
 let vali = val.0;
- if vali < 0 && ((-vali) as usize) < KRB_TICKET_FASTARRAY_SIZE {
+ // KRB_TICKET_FASTARRAY_SIZE is a constant typed usize but which fits in a i32
+ if vali < 0 && vali > -(KRB_TICKET_FASTARRAY_SIZE as i32) {
 l.negative[(-vali) as usize] = true;
 } else if vali >= 0 && (vali as usize) < KRB_TICKET_FASTARRAY_SIZE {
 l.positive[vali as usize] = true;
@@ -327,5 +328,15 @@ mod tests {
 panic!("Result should have been ok.");
 }
 }
+ let ctx = detect_parse_encryption("-2147483648").unwrap().1;
+ match ctx {
+ DetectKrb5TicketEncryptionData::LIST(l) => {
+ assert_eq!(l.other.len(), 1);
+ assert_eq!(l.other[0], EncryptionType(i32::MIN));
+ }
+ _ => {
+ panic!("Result should have been list.");
+ }
+ }
 }
 }
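Review bot: The new guard in `detect_parse_encryption_list` is only correct while `KRB_TICKET_FASTARRAY_SIZE` fits in an i32, and that invariant is stated in a comment rather than enforced: `KRB_TICKET_FASTARRAY_SIZE as i32` would wrap silently if the constant were ever enlarged. Comparing on the unsigned side needs no such assumption and cannot overflow for i32::MIN: `if vali < 0 && (vali.unsigned_abs() as usize) < KRB_TICKET_FASTARRAY_SIZE {`, with `l.negative[vali.unsigned_abs() as usize] = true;` for the index. `unsigned_abs` requires Rust 1.51 or later, so check it against this branch's minimum toolchain. The function body starts and ends outside the hunk.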
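Review bot: The case added in `mod tests` pins only i32::MIN, which lies far from the comparison that was rewritten, so nothing checks the edge at `-(KRB_TICKET_FASTARRAY_SIZE as i32)`. Two cases built from the constant would catch an off-by-one in the new bound: one at `-(KRB_TICKET_FASTARRAY_SIZE as i32) + 1` expecting the matching `l.negative` slot to be set, and one at `-(KRB_TICKET_FASTARRAY_SIZE as i32)` expecting the value in `l.other`. That an out-of-range value ends up in `l.other` is inferred from the i32::MIN assertions, because the fallback branch is outside the hunk. The enclosing test function also starts outside the hunk.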