Pull request #4954: s7commplus: out of bounds check during decode

Merge in SNORT/snort3 from ~AAVILASE/snort3:s7commplus_out_bounds_check to master

Squashed commit of the following:

commit 946cf17ece70bdf2899053099dca70e93fd7d9b5
Author: Andres Avila <aavilase@cisco.com>
Date:   Tue Oct 21 10:12:21 2025 -0400

    s7commplus: out of bounds check during decode

diff --git a/src/service_inspectors/s7commplus/s7comm_decode.cc b/src/service_inspectors/s7commplus/s7comm_decode.cc
index 0b6fc15d73a181cfcfdb782357c1d2eea4039ea1..f7b7cff683e57f454e079bb57dcaf09bf4fd7ed8 100644 (file)
--- a/src/service_inspectors/s7commplus/s7comm_decode.cc
+++ b/src/service_inspectors/s7commplus/s7comm_decode.cc
@@ -35,6 +35,10 @@
 #include "s7comm.h"
 #include "s7comm_module.h"
 
+#ifdef REG_TEST
+#include "log/messages.h"
+#endif
+
 #pragma pack(1)
 /* TPKT header */
 struct TpktHeader
@@ -95,6 +99,15 @@ static bool S7commPlusProtocolDecode(S7commplusSessionData* session, Packet* p)
     }
     else
     {
+        if ( p->dsize < (sizeof(TpktHeader) + sizeof(CotpHeader) + \
+            sizeof(S7commplusHeader) + sizeof(S7commplusDataHeader) + \
+            INTEGRITY_PART_LEN) )
+        {
+#ifdef REG_TEST
+            LogMessage("s7commplus packet dsize is less than headers for version 3 protocol");
+#endif
+            return false;
+        }
         /* 33 byte Integrity part for V3 header packets */
         offset += sizeof(S7commplusHeader) + INTEGRITY_PART_LEN ;
     }