From 1953a5be39d10da8bfd9991cdc8551427ea2b8fd Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 8 Jan 2026 14:48:40 +0100
Subject: [PATCH] [PATCH 3/3] dcerpc: use saturating_add to count fragments
And do not overflow if we have traffic with more than 65K fragments
(cherry picked from commit a48200b9e5befb1f0aa45ad5b33e2664e6a9fa41)
Origin: upstream, https://github.com/OISF/suricata/commit/c9b80e5affe073ce9d95d0c935a8d67647c83bf7.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8182
Subject: Upstream fix for CVE-2026-22258 part 3
Gbp-Pq: Name CVE-2026-22258_3.patch
---
 rust/src/dcerpc/dcerpc_udp.rs | 4 ++--
 rust/src/smb/dcerpc.rs | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/rust/src/dcerpc/dcerpc_udp.rs b/rust/src/dcerpc/dcerpc_udp.rs
index d551b867..cce80ce9 100644
--- a/rust/src/dcerpc/dcerpc_udp.rs
+++ b/rust/src/dcerpc/dcerpc_udp.rs
@@ -174,7 +174,7 @@ impl DCERPCUDPState {
 let max_size = cfg_max_stub_size() as usize;
 match hdr.pkt_type {
 DCERPC_TYPE_REQUEST => {
- tx.frag_cnt_ts += 1;
+ tx.frag_cnt_ts = tx.frag_cnt_ts.saturating_add(1);
 if input.len() + tx.stub_data_buffer_ts.len() < max_size {
 tx.stub_data_buffer_ts.extend_from_slice(input);
 } else if tx.stub_data_buffer_ts.len() < max_size {
@@ -186,7 +186,7 @@ impl DCERPCUDPState {
 return true;
 }
 DCERPC_TYPE_RESPONSE => {
- tx.frag_cnt_tc += 1;
+ tx.frag_cnt_tc = tx.frag_cnt_tc.saturating_add(1);
 if input.len() + tx.stub_data_buffer_tc.len() < max_size {
 tx.stub_data_buffer_tc.extend_from_slice(input);
 } else if tx.stub_data_buffer_tc.len() < max_size {
diff --git a/rust/src/smb/dcerpc.rs b/rust/src/smb/dcerpc.rs
index 1e62241b..5cb1adeb 100644
--- a/rust/src/smb/dcerpc.rs
+++ b/rust/src/smb/dcerpc.rs
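Review bot: The `saturating_add(1)` on `tx.frag_cnt_ts` and `tx.frag_cnt_tc` leaves the counters pinned at their maximum, and nothing at these sites records that a pinned value now means "at least this many fragments"; the three `tdn.frag_cnt_ts` / `tdn.frag_cnt_tc` sites in rust/src/smb/dcerpc.rs have the same gap. If the count is logged or matched on elsewhere (not visible in this patch), every flow past the ceiling will report the same number, and those are the abnormal flows an analyst most needs to tell apart. I would add a comment above each increment, for example `// saturate instead of wrapping: the peer controls how many fragments arrive, so the maximum value means "at least this many"`, and repeat it on the field declarations, which are outside this patch. Both match arms sit in a method of `impl DCERPCUDPState` whose start and end are outside the hunks.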
@@ -205,7 +205,7 @@ pub fn smb_write_dcerpc_record(state: &mut SMBState,
 SCLogDebug!("previous CMD {} found at tx {} => {:?}",
 dcer.packet_type, tx.id, tx);
 if let Some(SMBTransactionTypeData::DCERPC(ref mut tdn)) = tx.type_data {
- tdn.frag_cnt_ts += 1;
+ tdn.frag_cnt_ts = tdn.frag_cnt_ts.saturating_add(1);
 let max_size = cfg_max_stub_size() as usize;
 if recr.data.len() + tdn.stub_data_ts.len() < max_size {
 SCLogDebug!("additional frag of size {}", recr.data.len());
@@ -247,7 +247,7 @@ pub fn smb_write_dcerpc_record(state: &mut SMBState,
 SCLogDebug!("first frag size {}", recr.data.len());
 tdn.opnum = recr.opnum;
 tdn.context_id = recr.context_id;
- tdn.frag_cnt_ts += 1;
+ tdn.frag_cnt_ts = tdn.frag_cnt_ts.saturating_add(1);
 let max_size = cfg_max_stub_size() as usize;
 if tdn.stub_data_ts.len() + recr.data.len() < max_size {
 tdn.stub_data_ts.extend_from_slice(recr.data);
@@ -418,7 +418,7 @@ fn dcerpc_response_handle(tx: &mut SMBTransaction,
 SCLogDebug!("CMD 11 found at tx {}", tx.id);
 tdn.set_result(DCERPC_TYPE_RESPONSE);
 let max_size = cfg_max_stub_size() as usize;
- tdn.frag_cnt_tc += 1;
+ tdn.frag_cnt_tc = tdn.frag_cnt_tc.saturating_add(1);
 if tdn.stub_data_tc.len() + respr.data.len() < max_size {
 tdn.stub_data_tc.extend_from_slice(respr.data);
 } else if tdn.stub_data_tc.len() < max_size {
-- 
2.30.2
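Review bot: No test pins the boundary behaviour of the `tdn.frag_cnt_ts` increments in `smb_write_dcerpc_record` or the `tdn.frag_cnt_tc` increment in `dcerpc_response_handle`; the diffstat lists only the two source files. A regression test that presets the counter to its maximum, feeds one more fragment and checks the value is unchanged would keep a later refactor from reintroducing `+= 1`, e.g. `assert_eq!(tdn.frag_cnt_ts, u16::MAX);` if the field is a `u16`, as the "65K fragments" wording in the commit message suggests. The same test shape would cover the UDP parser in rust/src/dcerpc/dcerpc_udp.rs. Both functions start and end outside these hunks.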