From 61793179e530815ce71f993c5b1016d93a0a3c6d Mon Sep 17 00:00:00 2001
From: Markus Unterwaditzer
Date: Sun, 7 Dec 2025 16:10:23 +0100
Subject: [PATCH] Fix Message parser crashes found by fuzzing

These payloads would previous cause panic on underflow. The fuzzing setup lives in https://github.com/untitaker/rayhunter/tree/fuzz-wip -- I can eventually upstream it though right now it runs very inefficiently.
---
Cargo.lock | 2 +-
lib/src/diag.rs | 31 ++++++++++++++++++++++++++++---
2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 07ed128..390303f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2730,7 +2730,7 @@ dependencies = [
[[package]]
name = "installer-gui"
-version = "0.7.1"
+version = "0.8.0"
dependencies = [
"anyhow",
"installer",
diff --git a/lib/src/diag.rs b/lib/src/diag.rs
index c50ac54..625be8b 100644
--- a/lib/src/diag.rs
+++ b/lib/src/diag.rs
@@ -131,7 +131,7 @@ pub enum Message {
log_type: u16,
timestamp: Timestamp,
// pass the log type and log length (inner_length - (sizeof(log_type) + sizeof(timestamp)))
-#[deku(ctx = "*log_type, *inner_length - 12")]
+#[deku(ctx = "*log_type, inner_length.saturating_sub(12)")]
body: LogBody,
},
@@ -196,13 +196,13 @@ pub enum LogBody {
rrc_version_minor: u8,
rrc_version_major: u8,
// message length = hdr_len - (sizeof(ext_header_version) + sizeof(rrc_rel) + sizeof(rrc_version_minor) + sizeof(rrc_version_major))
-#[deku(count = "hdr_len - 4")]
+#[deku(count = "hdr_len.saturating_sub(4)")]
msg: Vec,
},
#[deku(id = "0x11eb")]
IpTraffic {
// is this right?? based on https://github.com/P1sec/QCSuper/blob/81dbaeee15ec7747e899daa8e3495e27cdcc1264/src/modules/pcap_dump.py#L378
-#[deku(count = "hdr_len - 8")]
+#[deku(count = "hdr_len.saturating_sub(8)")]
msg: Vec,
},
#[deku(id = "0x713a")]
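Review bot: `inner_length.saturating_sub(12)` on the `body` ctx turns the underflow panic into a silent clamp — a Log frame whose `inner_length` is below the 12-byte header is malformed, yet it now parses with a zero-length body and a genuine `log_type`, so a truncated or adversarial frame from the diag interface is accepted as a valid empty message instead of being rejected. Because this parser consumes untrusted baseband data, rejecting is the safer outcome: keep the saturating arithmetic so the ctx expression cannot panic, but add a deku assertion where `inner_length` is read, e.g. `#[deku(assert = "*inner_length >= 12")]`, so under-length frames surface as a parse error the caller can log and skip. The `inner_length` field and the start of the `Log` variant lie before this hunk, so I cannot see whether such a check already exists. Note also that the old `*inner_length - 12` only panics when overflow checks are enabled; in a default release profile it would likely have wrapped to a huge length rather than crashed, so the clamp changes behaviour there too and deserves a comment saying the clamp (rather than an error) is intentional if that is the decision.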
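Review bot: In `IpTraffic`, `hdr_len.saturating_sub(8)` sits directly under a comment that already questions whether 8 is the right header size (`// is this right??`), and clamping to zero hides exactly the inputs that would reveal a wrong offset — an `hdr_len` of 4 now yields an empty `msg` with no error, where a wrong constant would previously have been loud. The same applies to `hdr_len.saturating_sub(4)` in the NAS variant above it, whose enclosing variant begins before this hunk. I would pair each clamp with an explicit lower-bound check so the short header is reported rather than swallowed, e.g. `#[deku(count = "hdr_len.saturating_sub(8)", assert = "hdr_len >= 8")]` (and `>= 4` for the NAS `msg`), assuming deku's `assert` can see the `hdr_len` ctx variable as `count` does. Downstream consumers of `msg` (the `Vec<u8>` whose generics were stripped in this rendering) would otherwise have to distinguish "empty payload" from "header too short" on their own, which a detection tool is unlikely to do.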
@@ -613,4 +613,29 @@ mod test {
Err(DiagParsingError::HdlcDecapsulationError(_, _))
));
}
+
+ #[test]
+ fn test_fuzz_crash_inner_length_underflow() {
+ // Regression test: inner_length < 12 previously caused panic.
+ // Fixed by using saturating_sub in Message::Log body length calculation.
+ let fuzz_data = b"\x10\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
+ let _ = Message::from_bytes((fuzz_data, 0));
+ }
+
+ #[test]
+ fn test_fuzz_crash_nas_hdr_len_underflow() {
+ // Regression test: hdr_len < 4 previously caused panic in Nas4GMessage.
+ // Fixed by using saturating_sub for msg length calculation.
+ let nas_msg =
+ b"\x10\x00\x14\x00\x02\x00\xe2\xb0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00";
+ let _ = Message::from_bytes((nas_msg, 0));
+ }
+
+ #[test]
+ fn test_fuzz_crash_ip_traffic_hdr_len_underflow() {
+ // Regression test: hdr_len < 8 previously caused panic in IpTraffic.
+ // Fixed by using saturating_sub for msg length calculation.
+ let ip_msg = b"\x10\x00\x14\x00\x02\x00\xeb\x11\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00";
+ let _ = Message::from_bytes((ip_msg, 0));
+ }
}
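Review bot: All three new tests discard the parse result with `let _ = Message::from_bytes(...)`, so they only assert "does not panic" and never pin what the parser should now produce for an under-length header. That is a weak regression guard: with overflow checks disabled (the default release profile) the pre-fix subtraction would likely have wrapped rather than panicked, so these tests can pass on both old and new code depending on the profile they run under. Each test should assert the intended outcome — `assert!(Message::from_bytes((fuzz_data, 0)).is_err());` if malformed frames are meant to be rejected, or a `matches!` on the parsed `Message::Log` with an empty body if the clamp-to-zero is the intended contract — so the test documents the decision and fails if someone later reverts to an unchecked subtraction. The three payloads are also bare byte strings; a one-line comment per test naming which field holds the too-small length (e.g. `// inner_length = 0x0005 < 12`) would make them maintainable. The enclosing `mod test` begins before this hunk.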