From 1b88e63e781bc0d49facd83971f346b58b756075 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Thu, 17 Sep 2020 21:11:09 -0700
Subject: [PATCH] Avoid signed integer overflow when combining SMB header PID bits

Such an overflow invokes undefined behavior.
---
 src/analyzer/protocol/smb/smb1-protocol.pac | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/analyzer/protocol/smb/smb1-protocol.pac b/src/analyzer/protocol/smb/smb1-protocol.pac
index 80c763d0eb..d661a907ae 100644
--- a/src/analyzer/protocol/smb/smb1-protocol.pac
+++ b/src/analyzer/protocol/smb/smb1-protocol.pac
@@ -39,6 +39,11 @@
 %}
 refine connection SMB_Conn += {
+ function join_pid_bits(hi: uint16, lo: uint16): uint32
+ %{
+ return (static_cast(hi) << 16) | static_cast(lo);
+ %}
+
  function proc_smb_message(h: SMB_Header, is_orig: bool): bool
  %{
  if ( smb1_message )
@@ -306,7 +311,7 @@ type SMB_Header(is_orig: bool) = record {
 } &let {
  err_status_type = (flags2 >> 14) & 1;
  unicode = (flags2 >> 15) & 1;
- pid = (pid_high * 0x10000) + pid_low;
+ pid: uint32 = $context.connection.join_pid_bits(pid_high, pid_low);
  is_pipe: bool = $context.connection.get_tree_is_pipe(tid);
  proc : bool = $context.connection.proc_smb_message(this, is_orig);
 } &byteorder=littleendian;
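Review bot: The `return` line of join_pid_bits reads `static_cast(hi) << 16` with no template argument, so either the `<uint32>` was stripped when this patch was rendered or the line does not compile as shown; if the cast target were anything narrower than 32-bit unsigned, `hi << 16` would be evaluated on the int-promoted value and overflow for hi >= 0x8000, which is exactly the undefined behavior the commit sets out to remove (the old `pid_high * 0x10000` had the same promotion problem). Worth confirming the committed file reads `static_cast<uint32>(hi) << 16 | static_cast<uint32>(lo)`. A short comment inside the `%{` block would record the motivation for a helper that is otherwise a one-liner, e.g. `// Widen to uint32 before shifting: a uint16 promotes to int, and int << 16 overflows for values >= 0x8000.` The second hunk's `pid: uint32 = ...` line relies on pid_high and pid_low being uint16 fields of SMB_Header, whose record definition starts outside the hunk.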