defrag: drop unsigned underflow in RB_NFIND search key

The seek into the fragment tree used frag_offset - 1 as the key
for RB_NFIND. For the first fragment of an IP datagram frag_offset
is 0 and the uint16_t subtraction wraps to 65535. The wrap is
harmless in practice because no fragment can have offset 65535
(IPv4 limits the field to 8191 << 3 = 65528, and IPv6 follows the
same alignment), so RB_NFIND returns NULL and the existing RB_MIN
fallback walks the tree forward to reach the same end state. The
path is reached by accident though, and fuzzer integer overflow
sanitizers flag the wrap.

Guard the RB_NFIND call with if (frag_offset > 0) so the
subtraction never runs on a zero offset. The frag_offset == 0 case
leaves next at NULL and falls into the existing RB_MIN fallback,
which matches the prior end state on every input. The 35 defrag
unit tests pass unchanged.

Bug: #8232.

Author: ssam18

src/defrag.c

@@ -653,10 +653,15 @@ DefragInsertFrag(ThreadVars *tv, DecodeThreadVars *dtv, DefragTracker *tracker,
     ltrim = 0;
 
     if (!RB_EMPTY(&tracker->fragment_tree)) {
-        Frag key = {
-            .offset = frag_offset - 1,
-        };
-        next = RB_NFIND(IP_FRAGMENTS, &tracker->fragment_tree, &key);
+        if (frag_offset > 0) {
+            Frag key = {
+                .offset = frag_offset - 1,
+            };
+            next = RB_NFIND(IP_FRAGMENTS, &tracker->fragment_tree, &key);
+        }
+        /* For frag_offset == 0 the new fragment precedes every existing
+         * fragment, so we leave next NULL and fall into the RB_MIN
+         * fallback below. */
         if (next == NULL) {
             prev = RB_MIN(IP_FRAGMENTS, &tracker->fragment_tree);
             next = IP_FRAGMENTS_RB_NEXT(prev);