From: Ashutosh Gupta (ashugup3)
Date: Fri, 19 Sep 2025 09:51:17 +0000 (+0000)
Subject: Pull request #4870: dce_rpc: fix to avoid integer overflow of stub_data size.
X-Git-Tag: 3.9.6.0~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de5fee39ee5bcd4581063d1d50721a22fb438b9c;p=thirdparty%2Fsnort3.git
Pull request #4870: dce_rpc: fix to avoid integer overflow of stub_data size. Merge in SNORT/snort3 from ~ASHUGUP3/snort3:bug_CSCwq75359 to master Squashed commit of the following: commit 9f35b30fb11712b2c518da751b66ebebb611a846 Author: ashutosh Date: Sat Sep 13 12:55:25 2025 +0530 dce_rpc: reassembling out of bounds packets
---
diff --git a/src/service_inspectors/dce_rpc/ips_dce_stub_data.cc b/src/service_inspectors/dce_rpc/ips_dce_stub_data.cc
index 99830b4bf..d184b6652 100644
--- a/src/service_inspectors/dce_rpc/ips_dce_stub_data.cc
+++ b/src/service_inspectors/dce_rpc/ips_dce_stub_data.cc
@@ -28,6 +28,7 @@
 #include "framework/module.h"
 #include "hash/hash_key_operations.h"
 #include "profiler/profiler.h"
+#include "dce_co.h"
 #include "dce_common.h"
@@ -95,6 +96,45 @@ IpsOption::EvalStatus Dce2StubDataOption::eval(Cursor& c, Packet* p)
 if (ropts->stub_data != nullptr)
 {
+ if (p->is_udp() || p->pseudo_type == PSEUDO_PKT_DCE_FRAG)
+ {
+ c.set(s_name, ropts->stub_data, (uint16_t)(p->dsize - (ropts->stub_data -
+ p->data)));
+ return MATCH;
+ }
+ else if (ropts->stub_data < p->data || ropts->stub_data >= p->data + p->dsize)
+ {
+ // Out of bounds for regular packets - create a reassembly packet.
+ auto dce2_tcp_rbuf = std::make_unique(IP_MAXPACKET);
+ DceEndianness* endianness = (DceEndianness*)p->endianness;
+ uint16_t stub_len = 0;
+
+ if (endianness && endianness->stub_data_offset != DCE2_SENTINEL)
+ {
+ stub_len = endianness->stub_data_offset;
+ }
+ else if(p->dsize>0)
+ {
+ stub_len = p->dsize;
+ }
+ else
+ {
+ stub_len = DCE2_GetRpktMaxData(DCE2_RPKT_TYPE__TCP_CO_FRAG);
+ }
+
+ Packet* rpkt = DCE2_GetRpkt(p, DCE2_RPKT_TYPE__TCP_CO_FRAG, dce2_tcp_rbuf.get(), stub_len);
+
+ if (rpkt)
+ {
+ c.set(s_name, rpkt->data + DCE2_MOCK_HDR_LEN__CO_CLI, (uint16_t)(rpkt->dsize - DCE2_MOCK_HDR_LEN__CO_CLI));
+ return MATCH;
+ }
+ else
+ {
+ return NO_MATCH;
+ }
+ }
+
 c.set(s_name, ropts->stub_data, (uint16_t)(p->dsize - (ropts->stub_data - p->data)));
 return MATCH;