Actions
Bug #8238
openUnsigned integer underflow in quoted-printable decoder with small input chunks
Affected Versions:
Effort:
Difficulty:
Label:
Description
When state->bvr_len > 0 and the buffered data starts with '=', the code attempts to complete a quoted-printable escape sequence and then adjusts the input counters using the following logic:
offset = 3 - state->bvr_len;
remaining -= offset;
Both offset and remaining are unsigned integers.
If the current input buffer is smaller than the required number of bytes to complete the escape sequence (for example, when the next chunk is only 1 byte long), offset may become larger than remaining. In this case, the subtraction:
remaining -= offset;
causes an unsigned integer underflow, resulting in remaining wrapping to a very large value.
FIX:
Index: suricata-7.0.14/src/util-decode-mime.c
===================================================================
--- suricata-7.0.14.orig/src/util-decode-mime.c
+++ suricata-7.0.14/src/util-decode-mime.c
@@ -1474,6 +1474,11 @@ static int ProcessQuotedPrintableBodyLin
state->data_chunk[state->data_chunk_len] = val;
state->data_chunk_len++;
offset = 3 - state->bvr_len;
+ if (remaining < offset) {
+ memcpy(state->bvremain + state->bvr_len, buf, remaining);
+ state->bvr_len += remaining;
+ return MIME_DEC_OK;
+ }
remaining -= offset;
/* If buffer full, then invoke callback */
if (DATA_CHUNK_SIZE - state->data_chunk_len < EOL_LEN + 1) {
also attach the PCAP traffic.
root@vpp-bez-nazvaniya-adc6f139-9d89-4fa9-b820-d3e50b541bc8 ~]# suricata --build-info
This is Suricata version 7.0.13 RELEASE
Features: NFQ PCAP_SET_BUFF HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64
SIMD support: SSE_2
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 14.2.1 20250110 (Red Hat 14.2.1-7), C version 201112
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.52, linked against LibHTP v0.5.52
Suricata Configuration:
AF_PACKET support: no
AF_XDP support: no
DPDK support: no
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libjansson support: yes
hiredis support: no
hiredis async with libevent: no
PCRE jit: yes
LUA support: no
libluajit: no
GeoIP2 support: yes
JA3 support: yes
JA4 support: yes
Non-bundled htp: no
Hyperscan support: yes
Libnet support: yes
liblz4 support: yes
Landlock support: yes
Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.84.0 (9fc6b4312 2025-01-07) (Fedora 1.84.0-3.fc41)
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.84.0 (66221abde 2024-11-19)
Python support: no
Python path: not set
Install suricatactl: requires python
Install suricatasc: requires python
Install suricata-update: no, not bundled
Profiling enabled: no
Profiling locks enabled: no
Profiling rules enabled: no
Plugin support (experimental): yes
DPDK Bond PMD: no
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Fuzz targets enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
Host: x86_64-redhat-linux-gnu
Compiler: gcc (exec name) / g++ (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -mtls-dialect=gnu2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -fPIC -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
PCAP_CFLAGS -I/usr/include
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
Files
Actions