From: Ashutosh Gupta (ashugup3)
Date: Tue, 28 Oct 2025 09:51:43 +0000 (+0000)
Subject: Pull request #4940: dce_rpc: checking out of bounds
X-Git-Tag: 3.9.7.0~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f88e2b663658df5420ac1b8d6988bd15342c5ff;p=thirdparty%2Fsnort3.git
Pull request #4940: dce_rpc: checking out of bounds
Merge in SNORT/snort3 from ~ASHUGUP3/snort3:bug_dcesmb_oob to master
Squashed commit of the following:
commit a81f44c4ed3c9867580b49cd0877798cefa7dffb
Author: ashutosh
Date: Thu Oct 9 12:17:10 2025 +0530
dce_rpc: checking out of bounds
---
diff --git a/src/service_inspectors/dce_rpc/dce_smb2_commands.cc b/src/service_inspectors/dce_rpc/dce_smb2_commands.cc
index aab9f4dd1..d61c68e46 100644
--- a/src/service_inspectors/dce_rpc/dce_smb2_commands.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb2_commands.cc
@@ -277,10 +277,25 @@ void DCE2_Smb2TreeDisconnect(DCE2_Smb2SsnData*, const uint8_t* smb_data,
 bool DCE2_IsSmb2DurableReconnect(const Smb2CreateRequestHdr* smb_create_hdr, const uint8_t* end, uint64_t& file_id)
 {
- const uint8_t* data = (const uint8_t*)smb_create_hdr + alignedNtohl(&smb_create_hdr->create_contexts_offset) -
- SMB2_HEADER_LENGTH;
+ if (!smb_create_hdr || !end)
+ return false;
+ const uint8_t* start = (const uint8_t*)smb_create_hdr - SMB2_HEADER_LENGTH;
+
+ if (end <= start)
+ return false;
+
+ const size_t total_len = static_cast(end - start);
+ const uint32_t ctx_offset = alignedNtohl(&smb_create_hdr->create_contexts_offset);
 uint32_t remaining = alignedNtohl(&smb_create_hdr->create_contexts_length);
+ if ((size_t)ctx_offset > total_len) // bounds
+ return false;
+
+ if ((size_t)remaining > (total_len - (size_t)ctx_offset))
+ return false;
+
+ const uint8_t* data = start + (size_t)ctx_offset;
+
 while (remaining > sizeof(Smb2CreateRequestHdr) && data < end)
 {
 const Smb2CreateContextHdr* context = (const Smb2CreateContextHdr*)data;
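Review bot: The `// bounds` comment on `if ((size_t)ctx_offset > total_len)` tells the reader nothing the condition does not already say; what the two new checks together establish is the invariant the rest of the function leans on, and that is what should be written there, e.g. `// after these two checks data + remaining <= end, so the context loop may bound its reads by remaining`. The checks still accept a `ctx_offset` that lands inside the SMB2 header or the create request header itself, so `data` can point back into header bytes and the loop below will parse them as contexts; that is not a memory-safety problem, but rejecting offsets that precede the end of the create request header would make the parse stricter and is worth a comment either way. The unchanged loop guard `remaining > sizeof(Smb2CreateRequestHdr)` compares against the request header rather than `Smb2CreateContextHdr`; presumably the former is the larger of the two so the new bounds still cover reading a context header, but please confirm. Stylistically the new lines mix `static_cast` (whose template argument appears to have been stripped in this rendering) with C-style `(size_t)` casts on the same values; pick one. DCE2_IsSmb2DurableReconnect continues past the end of the hunk.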
@@ -299,7 +314,7 @@ bool DCE2_IsSmb2DurableReconnect(const Smb2CreateRequestHdr* smb_create_hdr, con
 (data_offset & 0x7) != 0 or
 (data_offset and (data_offset < name_offset + name_length)) or
 (data_offset > remaining) or
- (data_offset + data_length > remaining) or (data_offset + data_length < data_length))
+ (data_length > remaining - data_offset) or (size_t)(end - data) < (size_t)next)
 {
 return false;
 }
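Review bot: The rewritten term `data_length > remaining - data_offset` bounds the payload by `remaining` rather than by `end - data`, so it is only as good as `remaining` staying in step with `data` across iterations; the code that advances `data` by `next` and reduces `remaining` lies outside this hunk, and if it subtracts `next` without first checking `next <= remaining`, a context whose `next` exceeds `remaining` wraps `remaining` to a large value and the `remaining`-based terms on the following iteration no longer bound the read while `data < end` still holds. Adding `(next > remaining) or` to this chain closes that, or the payload can be bounded against the buffer directly: `data_offset > (size_t)(end - data) or data_length > (size_t)(end - data) - data_offset`. The subtraction in the new term is free of underflow only because `(data_offset > remaining)` is evaluated earlier in the same `or` chain; a short comment such as `// data_offset <= remaining was established above, so the subtraction cannot wrap` protects that ordering from a future reorder. How a `next` of zero on the final context terminates the loop is likewise not visible here. The enclosing condition and the function both continue outside this hunk.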