From: Philippe Antoine Date: Mon, 4 Apr 2022 20:51:01 +0000 (+0200) Subject: smb: ntlmssp domain_blob_offset underflow check X-Git-Tag: suricata-7.0.0-beta1~757 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e72036f12f577fb37b985147c2c847d147e49db2;p=thirdparty%2Fsuricata.git smb: ntlmssp domain_blob_offset underflow check Ticket: 5246
---
diff --git a/rust/src/smb/ntlmssp_records.rs b/rust/src/smb/ntlmssp_records.rs
index 35ca319699..731af8ca9a 100644
--- a/rust/src/smb/ntlmssp_records.rs
+++ b/rust/src/smb/ntlmssp_records.rs
@@ -101,9 +101,9 @@ pub fn parse_ntlm_auth_record(i: &[u8]) -> IResult<&[u8], NTLMSSPAuthRecord> {
 // subtrack 12 as idenfier (8) and type (4) are cut before we are called
 // subtract 60 for the len/offset/maxlen fields above
- let (i, _) = cond(nego_flags.1==1, |b| take(domain_blob_offset - (12 + 60))(b))(i)?;
+ let (i, _) = cond(nego_flags.1==1 && domain_blob_offset > 72, |b| take(domain_blob_offset - (12 + 60))(b))(i)?;
 // or 52 if we have no version
- let (i, _) = cond(nego_flags.1==0, |b| take(domain_blob_offset - (12 + 52))(b))(i)?;
+ let (i, _) = cond(nego_flags.1==0 && domain_blob_offset > 64, |b| take(domain_blob_offset - (12 + 52))(b))(i)?;
 let (i, domain_blob) = take(domain_blob_len)(i)?;
 let (i, user_blob) = take(user_blob_len)(i)?;
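Review bot: When the new guard on `domain_blob_offset` is false (72 or less with a version field, 64 or less without), `cond` simply skips the padding `take` and parsing continues into `take(domain_blob_len)`, so a record whose offset points back into the fixed header is still accepted and its domain and user blobs are read from the current position. If such records are meant to be treated as malformed, failing the parse is the safer outcome for a protocol parser fed untrusted traffic, for example by computing the skip with `domain_blob_offset.checked_sub(12 + 60)` and returning a parse error on `None`. The literals `72` and `64` also duplicate `(12 + 60)` and `(12 + 52)`; writing the guard as `domain_blob_offset > 12 + 60` keeps the bound and the subtraction in sync. The function body starts and ends outside the hunk, so the integer type of `domain_blob_offset` and how the later blob offsets are handled cannot be confirmed from here.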