From 7fce4ef077f58e094cbc54e39e9cb9ec0de5d2f0 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 17 Feb 2025 09:08:54 +0100
Subject: [PATCH] detect/krb5: avoid integer underflow with krb5.ticket_encryption
Ticket: 7560
When passing INT32_MIN aka 0x80000000, we cannot compute -vali as it does not fit into a i32
(cherry picked from commit 8ae5665767a1660cdb0eaa8134c5910852b1afad)
---
 rust/src/krb/detect.rs | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/rust/src/krb/detect.rs b/rust/src/krb/detect.rs
index 25cce9bcf8..8bac17d9d3 100644
--- a/rust/src/krb/detect.rs
+++ b/rust/src/krb/detect.rs
@@ -193,7 +193,8 @@ pub fn detect_parse_encryption_list(i: &str) -> IResult<&str, DetectKrb5TicketEn
 let (i, v) = many1(detect_parse_encryption_item)(i)?;
 for &val in v.iter() {
 let vali = val.0;
- if vali < 0 && ((-vali) as usize) < KRB_TICKET_FASTARRAY_SIZE {
+ // KRB_TICKET_FASTARRAY_SIZE is a constant typed usize but which fits in a i32
+ if vali < 0 && vali > -(KRB_TICKET_FASTARRAY_SIZE as i32) {
 l.negative[(-vali) as usize] = true;
 } else if vali >= 0 && (vali as usize) < KRB_TICKET_FASTARRAY_SIZE {
 l.positive[vali as usize] = true;
@@ -327,5 +328,15 @@ mod tests {
 panic!("Result should have been ok.");
 }
 }
+ let ctx = detect_parse_encryption("-2147483648").unwrap().1;
+ match ctx {
+ DetectKrb5TicketEncryptionData::LIST(l) => {
+ assert_eq!(l.other.len(), 1);
+ assert_eq!(l.other[0], EncryptionType(i32::MIN));
+ }
+ _ => {
+ panic!("Result should have been list.");
+ }
+ }
 }
 }
-- 
2.47.2
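Review bot: The rewritten guard on the added `if vali < 0 && vali > -(KRB_TICKET_FASTARRAY_SIZE as i32)` line is correct only while the constant fits in an `i32`, which the new comment asserts but nothing checks. The unchanged `l.negative[(-vali) as usize]` on the next line also still depends on that guard to keep the negation from overflowing. Taking the magnitude without negating removes both dependencies: `if vali < 0 && (vali.unsigned_abs() as usize) < KRB_TICKET_FASTARRAY_SIZE {` followed by `l.negative[vali.unsigned_abs() as usize] = true;`. If the cast is kept, a compile-time check such as `const _: () = assert!(KRB_TICKET_FASTARRAY_SIZE <= i32::MAX as usize);` would enforce the comment's invariant, assuming the branch's minimum Rust version allows `assert!` in a const context. The body of `detect_parse_encryption_list` starts and ends outside this hunk, so the fall-through branch for out-of-range values is not visible here.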
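Review bot: The added test pins only `i32::MIN`, so the edge of the fast array is left unchecked, and that is where the comparison in `detect_parse_encryption_list` changed from `<` on the negated value to `>` on a negated bound. A boundary case would catch an off-by-one there: `let ctx = detect_parse_encryption(&format!("-{}", KRB_TICKET_FASTARRAY_SIZE)).unwrap().1;` with `assert_eq!(l.other.len(), 1);` in the `LIST` arm. A matching case one step inside the bound should assert that the value is recorded in `l.negative` rather than `l.other`. This assumes the constant is reachable from the `tests` module, which the hunk does not show. The enclosing test function begins outside this hunk.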