Bug #8678

open

util/file: fix integer overflow in file inspection window comparison


Added by Denis Balashov 10 days ago. Updated 2 days ago.

Status: In Review
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

In FilePruneFile() (src/util-file.c), the expression `window * 3` is computed
in uint32_t arithmetic before being compared with the uint64_t value data_size.
When `file->inspect_window` is configured to a large value (> UINT32_MAX/3,
i.e. > ~1.4 GB), the multiplication wraps around, producing an incorrect result.
For example, with window = 2 GB: window * 3 = 6 GB overflows to ~1.7 GB in
uint32_t, which then gets widened to uint64_t for the comparison. This silently
breaks the file inspection range-limiting logic.

The `content-inspect-window` configuration parameter accepts values up to
UINT32_MAX (~4.29 GB) via ParseSizeStringU32, so the overflow is reachable
through a legitimate configuration.

Fix: cast window to uint64_t before multiplying:

```c
if (data_size > ((uint64_t)window * 3)) {
```

Flagged by Svace static analyzer (NO_CAST.INTEGER_OVERFLOW).

PR: https://github.com/OISF/suricata/pull/15720
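
The wrap described in this report, as an added example that is not Suricata's code and not part of the original report. The helper names are hypothetical and the sample values are constructed; it compares the 32-bit threshold with the widened one and includes a check for configured windows that reach the wrap.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Threshold as the report describes the original expression: the
 * multiplication happens in 32 bits and wraps modulo 2^32. */
static uint64_t threshold_u32(uint32_t window)
{
    uint32_t t = window * 3; /* wraps when window > UINT32_MAX / 3 */
    return t;                /* widened only after the wrap */
}

/* Threshold with the proposed cast: widen first, then multiply. */
static uint64_t threshold_u64(uint32_t window)
{
    return (uint64_t)window * 3;
}

static int exceeds_before(uint64_t data_size, uint32_t window)
{
    return data_size > threshold_u32(window);
}

static int exceeds_after(uint64_t data_size, uint32_t window)
{
    return data_size > threshold_u64(window);
}

/* Audit helper (hypothetical): does a configured window reach the wrap? */
static int window_wraps(uint32_t window)
{
    return window > UINT32_MAX / 3;
}

int main(void)
{
    /* Constructed sample values, not taken from a real deployment. */
    const uint32_t windows[] = { 65536u, 1431655765u, 1431655766u, 2000000000u };
    const uint64_t data_size = 3000000000ULL;

    for (size_t i = 0; i < sizeof(windows) / sizeof(windows[0]); i++) {
        uint32_t w = windows[i];
        printf("window=%" PRIu32 " wraps=%d u32=%" PRIu64 " u64=%" PRIu64
               " before=%d after=%d\n", w, window_wraps(w), threshold_u32(w),
               threshold_u64(w), exceeds_before(data_size, w),
               exceeds_after(data_size, w));
    }
    return 0;
}
```

For the 2,000,000,000-byte window the two comparisons disagree on the same 3,000,000,000-byte data size, which is the silent divergence the report describes.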


Subtasks 2 (2 open, 0 closed)

Bug #8706: util/file: fix integer overflow in file inspection window comparison (8.0.x backport) | Assigned | OISF Dev
Bug #8707: util/file: fix integer overflow in file inspection window comparison (7.0.x backport) | Assigned | OISF Dev