From dc5eab52ba6d686e113f870b1a33130b2fc271f0 Mon Sep 17 00:00:00 2001
From: John Thacker <johnthacker@gmail.com>
Date: Mon, 9 Mar 2026 12:39:04 -0400
Subject: [PATCH] SMB2: Check for offset overflow in two more places

Use the ckd_add functions (which are available on all currently
supported branches) to make it obvious what is going on and to avoid
what is technically UB.

Thanks to bcoles for reporting.

Fix #21073

AI-Assisted: no
(backported from commit 084392e363f7b7a9d57993e867d6b8bfcf839d06)
---
 epan/dissectors/packet-smb2.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/epan/dissectors/packet-smb2.c b/epan/dissectors/packet-smb2.c
index 6b067afe786..5f91ec27b20 100644
--- a/epan/dissectors/packet-smb2.c
+++ b/epan/dissectors/packet-smb2.c
@@ -3301,6 +3301,11 @@ dissect_smb2_file_full_ea_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *pa
 		}
 
 		offset = start_offset+next_offset;
+		if (offset < start_offset) {
+			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
+				    "Invalid offset/length. Malformed packet");
+			break;
+		}
 	}
 
 	return offset;
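Review bot: After the new `break`, `return offset;` still hands the caller the rejected value, and the expert item is anchored at that same invalid `offset` with length -1, which may raise a bounds exception instead of recording the item. Anchoring at the last good position (`tvb, start_offset, -1`) and adding `offset = start_offset;` before `break` would keep both inside data already dissected; the same anchoring applies to the second hunk in dissect_smb2_notify_data_out. The commit message names the ckd_add helpers, but this backport tests after the addition. If `offset` and `next_offset` are signed (their declarations are outside the hunk), the sum has already overflowed when it is compared, and a compiler may drop the test. The enclosing loop starts outside the hunk.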
@@ -4662,6 +4667,11 @@ dissect_smb2_notify_data_out(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *
 		}
 
 		offset = start_offset+next_offset;
+		if (offset < (int)start_offset) {
+			proto_tree_add_expert_format(tree, pinfo, &ei_smb2_invalid_length, tvb, offset, -1,
+				    "Invalid offset/length. Malformed packet");
+			break;
+		}
 	}
 }
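Review bot: The `(int)start_offset` cast in the new comparison suggests `start_offset` is unsigned while `offset` is signed, so the sum on the line above is computed in one type and narrowed into the other before it is tested. The declarations are outside the hunk, so this is inferred. Checking before the assignment avoids relying on that conversion, for example with the helper the commit message mentions: `if (ckd_add(&offset, start_offset, next_offset)) { ... break; }`. Separately, the signature in the hunk header still marks `pinfo` as `_U_`, although the added `proto_tree_add_expert_format` call now uses it, so the annotation should be removed.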
 
-- 
GitLab

