From: Daniil Kolomiiets -X (dkolomii - SOFTSERVE INC at Cisco)
Date: Wed, 30 Jul 2025 14:08:54 +0000 (+0000)
Subject: Pull request #4824: appid: rpc integer overflow fix
X-Git-Tag: 3.9.3.0~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f54f7b7b1d1f539f0a14c1fc2b80b331e1031b08;p=thirdparty%2Fsnort3.git
Pull request #4824: appid: rpc integer overflow fix
Merge in SNORT/snort3 from ~DKOLOMII/snort3:rpc_overflow to master
Squashed commit of the following:
commit 7ada722c1d6c4833b80f6dce2bf973ce7f687396
Author: Daniil Kolomiiets
Date: Wed Jul 30 09:56:45 2025 -0400
appid: rpc integer overflow fix
---
diff --git a/src/network_inspectors/appid/service_plugins/service_rpc.cc b/src/network_inspectors/appid/service_plugins/service_rpc.cc
index 6d55ba0e6..19e2d78d5 100644
--- a/src/network_inspectors/appid/service_plugins/service_rpc.cc
+++ b/src/network_inspectors/appid/service_plugins/service_rpc.cc
@@ -408,12 +408,12 @@ int RpcServiceDetector::validate_packet(const uint8_t* data, uint16_t size, Appi
 rd->program_version = ntohl(call->program_version);
 rd->procedure = ntohl(call->procedure);
 tmp = ntohl(call->cred.length);
- if (sizeof(ServiceRPCCall)+tmp > size)
+ if (sizeof(ServiceRPCCall) > (tmp > size ? 0 : size - tmp))
 return APPID_NOT_COMPATIBLE;
 data += (sizeof(ServiceRPCCall) - sizeof(ServiceRPCAuth)) + tmp;
 a = (const ServiceRPCAuth*)data;
 tmp = ntohl(a->length);
- if (tmp+sizeof(ServiceRPCAuth) > (unsigned)(end-data))
+ if (sizeof(ServiceRPCAuth) > (tmp > (unsigned)(end-data) ? 0 : (unsigned)(end-data) - tmp))
 return APPID_NOT_COMPATIBLE;
 data += sizeof(ServiceRPCAuth) + tmp;
 if (rd->program >= 0x60000000)
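Review bot: The overflow-safe comparison is hand-expanded at both checks in this hunk and again in the hunks at -428, -462 and -487, with no comment saying why the subtract-then-compare form replaces `sizeof(X) + tmp > size`, so a later cleanup is likely to fold it back into the sum that can wrap when `tmp` is a length read from the packet. A small helper written once, with the reason in its comment, keeps the four sites identical and also stops `(unsigned)(end-data)` being evaluated three times in the second condition. I would add the function below at file scope and call it as `if (!rpc_length_fits(sizeof(ServiceRPCCall), tmp, size))`; the same call shape applies to the other three hunks. validate_packet starts before this hunk and ends after it, and `end`, `tmp` and `rd` are declared outside it, so I am assuming `end` points one past the last byte of `data`.
```cpp
// Returns true when a fixed header of hdr bytes plus a wire-supplied length
// len fit in avail bytes. Written as a subtraction so that a large len cannot
// wrap hdr + len around and pass the check.
static inline bool rpc_length_fits(size_t hdr, uint32_t len, size_t avail)
{
    return len <= avail and hdr <= avail - len;
}

// … unchanged: rest of the file down to the credentials length check …
    if (!rpc_length_fits(sizeof(ServiceRPCCall), tmp, size))
        return APPID_NOT_COMPATIBLE;
// … unchanged: advance over the credentials, read the verifier length …
    if (!rpc_length_fits(sizeof(ServiceRPCAuth), tmp, (unsigned)(end - data)))
        return APPID_NOT_COMPATIBLE;
```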
@@ -428,8 +428,8 @@ int RpcServiceDetector::validate_packet(const uint8_t* data, uint16_t size, Appi
 data += (PROGRAM_LENGTH + VERSION_LENGTH);
 const NetId* net_id = (const NetId*) data;
 tmp = ntohl(net_id->length);
- if (tmp == 0 or (sizeof(ServiceRPCCall) + PROGRAM_LENGTH + VERSION_LENGTH +
- sizeof(NetId) + tmp > size))
+ if (tmp == 0 or ((sizeof(ServiceRPCCall) + PROGRAM_LENGTH + VERSION_LENGTH +
+ sizeof(NetId)) > (tmp > size ? 0 : size - tmp)))
 return APPID_NOT_COMPATIBLE;
 data += sizeof(NetId);
 
@@ -462,7 +462,7 @@ int RpcServiceDetector::validate_packet(const uint8_t* data, uint16_t size, Appi
 if (rd->xid != reply->header.xid && rd->xid != 0xFFFFFFFF)
 return APPID_NOMATCH;
 tmp = ntohl(reply->verify.length);
- if (sizeof(ServiceRPCReply)+tmp > size)
+ if (sizeof(ServiceRPCReply) > (tmp > size ? 0 : size - tmp))
 return APPID_NOMATCH;
 data += sizeof(ServiceRPCReply) + tmp;
 tmp = ntohl(reply->reply_state);
@@ -487,8 +487,8 @@ int RpcServiceDetector::validate_packet(const uint8_t* data, uint16_t size, Appi
 return APPID_NOMATCH;
 const UniversalAddress* u_addr = (const UniversalAddress*) data;
 tmp = ntohl(u_addr->length);
- if (tmp == 0 or
- ((sizeof(ServiceRPCReply) + sizeof(UniversalAddress) + tmp) > size))
+ if (tmp == 0 or
+ (sizeof(ServiceRPCReply) + sizeof(UniversalAddress)) > (tmp > size ? 0 : size - tmp))
 return APPID_NOMATCH;
 uint32_t address = 0;
 uint16_t port = 0;
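Review bot: The new condition at -487, `tmp == 0 or (sizeof(ServiceRPCReply) + sizeof(UniversalAddress)) > (tmp > size ? 0 : size - tmp)`, is correct only because `or` binds looser than `>`, whereas the equivalent condition at -428 wraps its comparison in its own parentheses, so the same expression is shaped two different ways within one commit. I would parenthesize the -487 comparison like -428, `if (tmp == 0 or ((sizeof(ServiceRPCReply) + sizeof(UniversalAddress)) > (tmp > size ? 0 : size - tmp)))`, so the grouping is visible at a glance and a future edit to the ternary cannot silently change what `or` applies to. validate_packet begins before these hunks and continues after them.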