[PATCH 3/3] dcerpc: use saturating_add to count fragments
authorPhilippe Antoine <pantoine@oisf.net>
Thu, 8 Jan 2026 13:48:40 +0000 (14:48 +0100)
committerAndreas Dolp <dev@andreas-dolp.de>
Sun, 22 Feb 2026 12:28:52 +0000 (13:28 +0100)
And do not overflow if we have traffic with more than 65K fragments

(cherry picked from commit a48200b9e5befb1f0aa45ad5b33e2664e6a9fa41)

Origin: upstream, https://github.com/OISF/suricata/commit/c9b80e5affe073ce9d95d0c935a8d67647c83bf7.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8182
Subject: Upstream fix for CVE-2026-22258 part 3

Gbp-Pq: Name CVE-2026-22258_3.patch

rust/src/dcerpc/dcerpc_udp.rs
rust/src/smb/dcerpc.rs

index d551b8674dc7611839dbfcae80cc1ea7e7c696d0..cce80ce9aacfa53f9d013f887275061b0afd7356 100644 (file)
@@ -174,7 +174,7 @@ impl DCERPCUDPState {
             let max_size = cfg_max_stub_size() as usize;
             match hdr.pkt_type {
                 DCERPC_TYPE_REQUEST => {
-                    tx.frag_cnt_ts += 1;
+                    tx.frag_cnt_ts = tx.frag_cnt_ts.saturating_add(1);
                     if input.len() + tx.stub_data_buffer_ts.len() < max_size {
                         tx.stub_data_buffer_ts.extend_from_slice(input);
                     } else if tx.stub_data_buffer_ts.len() < max_size {
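Review bot: After this change the counter at `tx.frag_cnt_ts = tx.frag_cnt_ts.saturating_add(1);` pins at the integer type's maximum (the commit message implies 16 bits; the field declaration is outside the hunk), so anything reading it downstream can no longer tell "exactly the maximum" from "many more", and nothing in the code says so. The increment also runs before the `max_size` check, so the value appears to count fragments seen, including those whose data is not appended once the stub buffer is full. I would add a comment above the line, `// saturates at the type's max; counts fragments seen, not fragments buffered`, and repeat it on the `frag_cnt_tc` line in the next hunk and on the three sites in rust/src/smb/dcerpc.rs. Since a transaction with this many fragments is unusual traffic, it may also be worth recording that the limit was reached, if the parser has a suitable anomaly mechanism available at this point. The enclosing match arm continues past the end of the hunk.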
@@ -186,7 +186,7 @@ impl DCERPCUDPState {
                     return true;
                 }
                 DCERPC_TYPE_RESPONSE => {
-                    tx.frag_cnt_tc += 1;
+                    tx.frag_cnt_tc = tx.frag_cnt_tc.saturating_add(1);
                     if input.len() + tx.stub_data_buffer_tc.len() < max_size {
                         tx.stub_data_buffer_tc.extend_from_slice(input);
                     } else if tx.stub_data_buffer_tc.len() < max_size {
index 1e62241bb215604efcb73bd5badf290711740cdb..5cb1adeba29b6b48f8395199f4c77306e0d13787 100644 (file)
@@ -205,7 +205,7 @@ pub fn smb_write_dcerpc_record(state: &mut SMBState,
                                 SCLogDebug!("previous CMD {} found at tx {} => {:?}",
                                         dcer.packet_type, tx.id, tx);
                                 if let Some(SMBTransactionTypeData::DCERPC(ref mut tdn)) = tx.type_data {
-                                    tdn.frag_cnt_ts += 1;
+                                    tdn.frag_cnt_ts = tdn.frag_cnt_ts.saturating_add(1);
                                     let max_size = cfg_max_stub_size() as usize;
                                     if recr.data.len() + tdn.stub_data_ts.len() < max_size {
                                         SCLogDebug!("additional frag of size {}", recr.data.len());
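Review bot: The statement `tdn.frag_cnt_ts = tdn.frag_cnt_ts.saturating_add(1);` is now written out at three places in this file (here, at @@ -247 and, for `frag_cnt_tc`, at @@ -418), so the overflow policy lives in three copies that a later edit could let drift apart. A small method on the type behind `tdn`, for example `fn inc_frag_cnt_ts(&mut self) { self.frag_cnt_ts = self.frag_cnt_ts.saturating_add(1); }` (the name is only a suggestion), would keep it in one place. It would also give a single unit to test at the maximum value, which none of the visible hunks does. smb_write_dcerpc_record starts and ends outside this hunk.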
@@ -247,7 +247,7 @@ pub fn smb_write_dcerpc_record(state: &mut SMBState,
                                 SCLogDebug!("first frag size {}", recr.data.len());
                                 tdn.opnum = recr.opnum;
                                 tdn.context_id = recr.context_id;
-                                tdn.frag_cnt_ts += 1;
+                                tdn.frag_cnt_ts = tdn.frag_cnt_ts.saturating_add(1);
                                 let max_size = cfg_max_stub_size() as usize;
                                 if tdn.stub_data_ts.len() + recr.data.len() < max_size {
                                     tdn.stub_data_ts.extend_from_slice(recr.data);
@@ -418,7 +418,7 @@ fn dcerpc_response_handle(tx: &mut SMBTransaction,
                         SCLogDebug!("CMD 11 found at tx {}", tx.id);
                         tdn.set_result(DCERPC_TYPE_RESPONSE);
                         let max_size = cfg_max_stub_size() as usize;
-                        tdn.frag_cnt_tc += 1;
+                        tdn.frag_cnt_tc = tdn.frag_cnt_tc.saturating_add(1);
                         if tdn.stub_data_tc.len() + respr.data.len() < max_size {
                             tdn.stub_data_tc.extend_from_slice(respr.data);
                         } else if tdn.stub_data_tc.len() < max_size {