Commit 5ccdf5ef79d742640355d1132fa9e2abc7fbaefc
1 parent
076992fb
Fix VD-1301 and VD-1302 vulnerabilities
This patch was contributed by Maor Vermucht and Or Peles from VDOO Connected Trust.
Showing
1 changed file
with
4 additions
and
2 deletions
src/modbus.c
| ... | ... | @@ -839,9 +839,10 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req, |
| 839 | 839 | break; |
| 840 | 840 | case MODBUS_FC_WRITE_MULTIPLE_COILS: { |
| 841 | 841 | int nb = (req[offset + 3] << 8) + req[offset + 4]; |
| 842 | + int nb_bits = req[offset + 5]; | |
| 842 | 843 | int mapping_address = address - mb_mapping->start_bits; |
| 843 | 844 | |
| 844 | - if (nb < 1 || MODBUS_MAX_WRITE_BITS < nb) { | |
| 845 | + if (nb < 1 || MODBUS_MAX_WRITE_BITS < nb || nb_bits * 8 < nb) { | |
| 845 | 846 | /* May be the indication has been truncated on reading because of |
| 846 | 847 | * invalid address (eg. nb is 0 but the request contains values to |
| 847 | 848 | * write) so it's necessary to flush. */ |
| ... | ... | @@ -870,9 +871,10 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req, |
| 870 | 871 | break; |
| 871 | 872 | case MODBUS_FC_WRITE_MULTIPLE_REGISTERS: { |
| 872 | 873 | int nb = (req[offset + 3] << 8) + req[offset + 4]; |
| 874 | + int nb_bytes = req[offset + 5]; | |
| 873 | 875 | int mapping_address = address - mb_mapping->start_registers; |
| 874 | 876 | |
| 875 | - if (nb < 1 || MODBUS_MAX_WRITE_REGISTERS < nb) { | |
| 877 | + if (nb < 1 || MODBUS_MAX_WRITE_REGISTERS < nb || nb_bytes * 8 < nb) { | |
| 876 | 878 | rsp_length = response_exception( |
| 877 | 879 | ctx, &sft, MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE, rsp, TRUE, |
| 878 | 880 | "Illegal number of values %d in write_registers (max %d)\n", | ... | ... |