From fbdc433386ef88b13a64b5d79f1e889c39c3b825 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Mon, 27 Mar 2023 15:12:27 +0200 Subject: [PATCH] file_analysis/File: Report overflowing chunks as weird and discard/truncate This is one level above the Reassembler where we still have information about the file and source. A weird entry may looks as follows: 1679759398.237353 ... file_offset_overflow FXPLGt4SeMmlMKahJc: offset=fffffffffffffff7 len=10 F zeek HTTP --- src/file_analysis/File.cc | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 88500e9e50..845bc9a4d8 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -2,6 +2,7 @@ #include "zeek/file_analysis/File.h" +#include #include #include "zeek/Event.h" @@ -431,6 +432,15 @@ void File::DeliverStream(const u_char* data, uint64_t len) void File::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset) { + if ( std::numeric_limits::max() - offset < len ) + { + reporter->Weird(this, "file_offset_overflow", + zeek::util::fmt("offset=%" PRIx64 " len=%" PRIx64, offset, len), + GetSource().c_str()); + + len = std::numeric_limits::max() - offset; + } + // Potentially handle reassembly and deliver to the stream analyzers. if ( file_reassembler ) {
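Review bot: The detail string built in the added block of `File::DeliverChunk` prints both values with `PRIx64` and no radix marker, so an entry such as `len=10` (the commit message's own example) reads as decimal ten to anyone triaging weird.log when it means sixteen. Consider `zeek::util::fmt("offset=0x%" PRIx64 " len=0x%" PRIx64, offset, len)`, or print `len` with `PRIu64`. The guard also deserves a one-line comment, e.g. `// Compare against max - offset: computing offset + len would wrap and hide the overflow.` When `offset` already equals the maximum, `len` is truncated to 0 and the empty chunk still continues to the reassembler path below; whether that is harmless depends on code outside this hunk, so an early return for that case may be worth considering. The function body continues past the end of the hunk.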