Bug #8678

Updated by Denis Balashov 10 days ago

In FilePruneFile() (src/util-file.c), the expression `window * 3` is computed
in uint32_t arithmetic before being compared with the uint64_t value data_size.
When `file->inspect_window` is configured to a large value (> UINT32_MAX/3,
i.e. > ~1.4 GB), the multiplication wraps around, producing an incorrect result.
For example, with window = 2 GB: window * 3 = 6 GB overflows to ~1.7 GB in
uint32_t, which then gets widened to uint64_t for the comparison. This silently
breaks the file inspection range-limiting logic.

The `content-inspect-window` configuration parameter accepts values up to
UINT32_MAX (~4.29 GB) via ParseSizeStringU32, so the overflow is reachable
through a legitimate configuration.

Fix: cast window to uint64_t before multiplying:

    if (data_size > ((uint64_t)window * 3)) {

Flagged by Svace static analyzer (NO_CAST.INTEGER_OVERFLOW).

 PR: https://github.com/OISF/suricata/pull/15720 
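
The wrap described in this report can be reproduced outside Suricata with the stand-alone program below. It is an added example, not code from the Suricata source or the linked PR; the function names and the sample sizes are constructed for illustration, and only the two comparison shapes follow the report.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: the product as uint32_t arithmetic yields it (mod 2^32). */
static uint32_t product_u32(uint32_t window)
{
    return window * 3;
}

/* Comparison shape from the report: the product wraps first, then is widened. */
static int exceeds_wrapping(uint64_t data_size, uint32_t window)
{
    return data_size > (window * 3);
}

/* Comparison with the cast from the report's fix: product computed in 64 bits. */
static int exceeds_widened(uint64_t data_size, uint32_t window)
{
    return data_size > ((uint64_t)window * 3);
}

/* Smallest window whose triple no longer fits in uint32_t. */
static uint32_t first_wrapping_window(void)
{
    return UINT32_MAX / 3 + 1;
}

int main(void)
{
    /* Constructed samples: last safe window, first wrapping window, 2 GB, UINT32_MAX. */
    const uint32_t windows[] = { UINT32_MAX / 3, UINT32_MAX / 3 + 1, 2000000000u, UINT32_MAX };
    const uint64_t data_size = 3000000000ull; /* constructed: 3 GB of file data */

    for (size_t i = 0; i < sizeof(windows) / sizeof(windows[0]); i++) {
        uint32_t w = windows[i];
        printf("window=%" PRIu32 " u32_product=%" PRIu32 " u64_product=%" PRIu64
               " wrapping=%d widened=%d\n",
               w, product_u32(w), (uint64_t)w * 3,
               exceeds_wrapping(data_size, w), exceeds_widened(data_size, w));
    }
    return 0;
}
```

The two comparisons agree up to window = UINT32_MAX/3 and diverge from the next value on, which is the configuration range the report identifies as reachable.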
