[PATCH 2/3] doc: add dcerpc.max-stub-size config param

(cherry picked from commit 6702791a9c4463858c8b54ee8678fd4f5fbe831a)

Origin: upstream, https://github.com/OISF/suricata/commit/df389f8a43a06c718bb336ea082d6c80d6fefda0.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8182
Subject: Upstream fix for CVE-2026-22258 part 2

Gbp-Pq: Name CVE-2026-22258_2.patch

diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst
index 2482d69ba78e4556ba156ea4da5e17052e0ea3c9..5a1bea495f0b695288b5804fcc647080b89725f0 100644 (file)
--- a/doc/userguide/configuration/suricata-yaml.rst
+++ b/doc/userguide/configuration/suricata-yaml.rst
@@ -1663,6 +1663,9 @@ Several options are available for limiting record sizes and data chunk tracking.
       max-write-queue-size: 16mb
       max-write-queue-cnt: 16
 
+      dcerpc:
+        max-stub-size: 1MiB
+
 The `max-read-size` option can be set to control the max size of accepted
 READ records. Events will be raised if a READ request asks for too much data
 and/or if READ responses are too big. A value of 0 disables the checks.
@@ -1674,6 +1677,8 @@ data. A value of 0 disables the checks.
 Additionally if the `max-read-size` or `max-write-size` values in the
 "negotiate protocol response" exceeds this limit an event will also be raised.
 
+To control the size of the DCERPC stub data, `dcerpc.max-stub-size` should be
+used. It is by default set to 1MiB.
 
 For file tracking, extraction and file data inspection the parser queues up
 out of order data chunks for both READs and WRITEs. To avoid using too much
@@ -1699,6 +1704,13 @@ the limits are exceeded, and an event will be raised.
 `max-write-queue-size` and `max-write-queue-cnt` are as the READ variants,
 but then for WRITEs.
 
+Configure DCERPC
+~~~~~~~~~~~~~~~~
+
+DCERPC has one parameter that can be customized.
+`max-stub-size` is used to control the stub data size of a DCERPC request/response. By
+default, it is set to 1MiB.
+
 Configure HTTP2
 ~~~~~~~~~~~~~~~