From 8e23bc4de6bf504827beb23ab73b0faf18c98ac5 Mon Sep 17 00:00:00 2001 From: "Ashutosh Gupta (ashugup3)" Date: Thu, 24 Jul 2025 10:25:07 +0000 Subject: [PATCH] Pull request #4805: dce_rpc: Checking integer overflow on data_offset + data_length Merge in SNORT/snort3 from ~ASHUGUP3/snort3:bug_CSCwq01522 to master Squashed commit of the following: commit b4ed468b632bfd7595cbcfdb9247d81d446d56f5 Author: ashutosh Date: Mon Jul 14 13:20:17 2025 +0530 dce_rpc: Checking integer overflow on data_offset + data_length
---
 src/service_inspectors/dce_rpc/dce_smb2_commands.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/service_inspectors/dce_rpc/dce_smb2_commands.cc b/src/service_inspectors/dce_rpc/dce_smb2_commands.cc
index e8dad63fe..aab9f4dd1 100644
--- a/src/service_inspectors/dce_rpc/dce_smb2_commands.cc
+++ b/src/service_inspectors/dce_rpc/dce_smb2_commands.cc
@@ -299,7 +299,7 @@ bool DCE2_IsSmb2DurableReconnect(const Smb2CreateRequestHdr* smb_create_hdr, con
 (data_offset & 0x7) != 0 or
 (data_offset and (data_offset < name_offset + name_length)) or
 (data_offset > remaining) or
- (data_offset + data_length > remaining))
+ (data_offset + data_length > remaining) or (data_offset + data_length < data_length))
 {
 return false;
 }
-- 2.47.3
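Review bot: The added clause `(data_offset + data_length < data_length)` only catches a wrapped sum if both operands are unsigned and the addition is done at their own width. Their declarations are outside this hunk, so that cannot be confirmed from here. Because the preceding clause already rejects `data_offset > remaining`, both sum clauses could be replaced by one comparison that cannot wrap, `(data_length > remaining - data_offset))`, assuming `remaining` is unsigned. A one-line comment above it, such as `// subtraction form: data_offset + data_length can wrap`, would record why the check is written that way. The `if` condition starts above the hunk, so the earlier clauses (including `name_offset + name_length` on the context line) were not reviewed for the same pattern.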