Bug #8678
open
util/file: fix integer overflow in file inspection window comparison
Description
In FilePruneFile() (src/util-file.c), the expression `window * 3` is computed
in uint32_t arithmetic before being compared with the uint64_t value data_size.
When `file->inspect_window` is configured to a large value (> UINT32_MAX/3,
i.e. > ~1.4 GB), the multiplication wraps around, producing an incorrect result.
For example, with window = 2 GB: window * 3 = 6 GB overflows to ~1.7 GB in
uint32_t, which then gets widened to uint64_t for the comparison. This silently
breaks the file inspection range-limiting logic.
The `content-inspect-window` configuration parameter accepts values up to
UINT32_MAX (~4.29 GB) via ParseSizeStringU32, so the overflow is reachable
through a legitimate configuration.
Fix: cast window to uint64_t before multiplying:
    if (data_size > ((uint64_t)window * 3)) {
Flagged by Svace static analyzer (NO_CAST.INTEGER_OVERFLOW).
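
The wrap described in this report, reproduced as an added stand-alone example (not Suricata code and not part of the original ticket). The function names and sample values are constructed for illustration; only the two comparison expressions follow the description above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Limit as computed before the fix: the product stays in 32 bits and wraps. */
static uint32_t wrapped_limit(uint32_t window)
{
    return (uint32_t)(window * 3u); /* modulo 2^32 */
}

/* Pre-fix comparison: the wrapped 32-bit product is widened only afterwards. */
static bool exceeds_wrapped(uint64_t data_size, uint32_t window)
{
    return data_size > wrapped_limit(window);
}

/* Comparison with the cast from the report: product computed in 64 bits. */
static bool exceeds_widened(uint64_t data_size, uint32_t window)
{
    return data_size > ((uint64_t)window * 3);
}

/* True when a configured window is large enough for window * 3 to wrap. */
static bool window_wraps(uint32_t window)
{
    return window > UINT32_MAX / 3;
}

int main(void)
{
    /* Constructed sample values, in bytes; the middle two straddle UINT32_MAX/3. */
    const uint32_t windows[] = { 1000000000u, 1431655765u, 1431655766u, 2000000000u };
    const uint64_t data_size = 3000000000ull;

    for (size_t i = 0; i < sizeof(windows) / sizeof(windows[0]); i++) {
        uint32_t w = windows[i];
        printf("window=%llu wraps=%d limit32=%llu limit64=%llu old=%d fixed=%d\n",
               (unsigned long long)w, window_wraps(w),
               (unsigned long long)wrapped_limit(w),
               (unsigned long long)w * 3,
               exceeds_wrapped(data_size, w), exceeds_widened(data_size, w));
    }
    return 0;
}
```

For windows at or below UINT32_MAX/3 both comparisons agree; above it, the wrapped comparison is true even though data_size is below the intended window * 3 threshold.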
Updated by Denis Balashov 10 days ago
- Description updated (diff)
Updated by Lukas Sismis 2 days ago
- Status changed from New to In Review
- Assignee set to Denis Balashov
- Target version changed from TBD to 9.0.0-beta1
- Label Needs backport to 7.0, Needs backport to 8.0 added
Updated by OISF Ticketbot 2 days ago
- Subtask #8706 added
Updated by OISF Ticketbot 2 days ago
- Label deleted (Needs backport to 8.0)
Updated by OISF Ticketbot 2 days ago
- Subtask #8707 added
Updated by OISF Ticketbot 2 days ago
- Label deleted (Needs backport to 7.0)