Peter M. Groen / libmodbus

Commit fc73565da7a5c35d55eab843cf6c60af6c2b6925

Authored by Stéphane Raimbault
1 parent 2a9a7ddf

Fix remote buffer overflow vulnerability (closes #25, #105) 

It's strongly recommended to update your libmodbus library if you
use it in a slave/server application in a not trusted environment.

Debian package of libmodbus 3.0.4 already contains a patch to
mitigate the exploit but the patch isn't as strong than this one.
Inline Side-by-side
Showing 6 changed files with 131 additions and 31 deletions
src/modbus.c
  View file @fc73565
... ... @@ -706,7 +706,16 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
706 706 case _FC_READ_COILS: {
707 707 int nb = (req[offset + 3] << 8) + req[offset + 4];
708 708  
709   - if ((address + nb) > mb_mapping->nb_bits) {
  709 + if (nb < 1 || MODBUS_MAX_READ_BITS < nb) {
  710 + if (ctx->debug) {
  711 + fprintf(stderr,
  712 + "Illegal nb of values %d in read_bits (max %d)\n",
  713 + nb, MODBUS_MAX_READ_BITS);
  714 + }
  715 + rsp_length = response_exception(
  716 + ctx, &sft,
  717 + MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE, rsp);
  718 + } else if ((address + nb) > mb_mapping->nb_bits) {
710 719 if (ctx->debug) {
711 720 fprintf(stderr, "Illegal data address %0X in read_bits\n",
712 721 address + nb);
... ... @@ -728,7 +737,16 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
728 737 * function) */
729 738 int nb = (req[offset + 3] << 8) + req[offset + 4];
730 739  
731   - if ((address + nb) > mb_mapping->nb_input_bits) {
  740 + if (nb < 1 || MODBUS_MAX_READ_BITS < nb) {
  741 + if (ctx->debug) {
  742 + fprintf(stderr,
  743 + "Illegal nb of values %d in read_input_bits (max %d)\n",
  744 + nb, MODBUS_MAX_READ_BITS);
  745 + }
  746 + rsp_length = response_exception(
  747 + ctx, &sft,
  748 + MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE, rsp);
  749 + } else if ((address + nb) > mb_mapping->nb_input_bits) {
732 750 if (ctx->debug) {
733 751 fprintf(stderr, "Illegal data address %0X in read_input_bits\n",
734 752 address + nb);
... ... @@ -748,7 +766,16 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
748 766 case _FC_READ_HOLDING_REGISTERS: {
749 767 int nb = (req[offset + 3] << 8) + req[offset + 4];
750 768  
751   - if ((address + nb) > mb_mapping->nb_registers) {
  769 + if (nb < 1 || MODBUS_MAX_READ_REGISTERS < nb) {
  770 + if (ctx->debug) {
  771 + fprintf(stderr,
  772 + "Illegal nb of values %d in read_holding_registers (max %d)\n",
  773 + nb, MODBUS_MAX_READ_REGISTERS);
  774 + }
  775 + rsp_length = response_exception(
  776 + ctx, &sft,
  777 + MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE, rsp);
  778 + } else if ((address + nb) > mb_mapping->nb_registers) {
752 779 if (ctx->debug) {
753 780 fprintf(stderr, "Illegal data address %0X in read_registers\n",
754 781 address + nb);
... ... @@ -773,7 +800,16 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
773 800 * function) */
774 801 int nb = (req[offset + 3] << 8) + req[offset + 4];
775 802  
776   - if ((address + nb) > mb_mapping->nb_input_registers) {
  803 + if (nb < 1 || MODBUS_MAX_READ_REGISTERS < nb) {
  804 + if (ctx->debug) {
  805 + fprintf(stderr,
  806 + "Illegal number of values %d in read_input_registers (max %d)\n",
  807 + nb, MODBUS_MAX_READ_REGISTERS);
  808 + }
  809 + rsp_length = response_exception(
  810 + ctx, &sft,
  811 + MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE, rsp);
  812 + } else if ((address + nb) > mb_mapping->nb_input_registers) {
777 813 if (ctx->debug) {
778 814 fprintf(stderr, "Illegal data address %0X in read_input_registers\n",
779 815 address + nb);
... ... @@ -796,7 +832,8 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
796 832 case _FC_WRITE_SINGLE_COIL:
797 833 if (address >= mb_mapping->nb_bits) {
798 834 if (ctx->debug) {
799   - fprintf(stderr, "Illegal data address %0X in write_bit\n",
  835 + fprintf(stderr,
  836 + "Illegal data address %0X in write_bit\n",
800 837 address);
801 838 }
802 839 rsp_length = response_exception(
... ... @@ -934,9 +971,22 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
934 971 int nb = (req[offset + 3] << 8) + req[offset + 4];
935 972 uint16_t address_write = (req[offset + 5] << 8) + req[offset + 6];
936 973 int nb_write = (req[offset + 7] << 8) + req[offset + 8];
  974 + int nb_write_bytes = req[offset + 9];
937 975  
938   - if ((address + nb) > mb_mapping->nb_registers ||
939   - (address_write + nb_write) > mb_mapping->nb_registers) {
  976 + if (nb_write < 1 || MODBUS_MAX_WR_WRITE_REGISTERS < nb_write ||
  977 + nb < 1 || MODBUS_MAX_WR_READ_REGISTERS < nb ||
  978 + nb_write_bytes != nb_write * 2) {
  979 + if (ctx->debug) {
  980 + fprintf(stderr,
  981 + "Illegal nb of values (W%d, R%d) in write_and_read_registers (max W%d, R%d)\n",
  982 + nb_write, nb,
  983 + MODBUS_MAX_WR_WRITE_REGISTERS, MODBUS_MAX_WR_READ_REGISTERS);
  984 + }
  985 + rsp_length = response_exception(
  986 + ctx, &sft,
  987 + MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE, rsp);
  988 + } else if ((address + nb) > mb_mapping->nb_registers ||
  989 + (address_write + nb_write) > mb_mapping->nb_registers) {
940 990 if (ctx->debug) {
941 991 fprintf(stderr,
942 992 "Illegal data read address %0X or write address %0X write_and_read_registers\n",
... ... @@ -1420,21 +1470,21 @@ int modbus_write_and_read_registers(modbus_t *ctx,
1420 1470 return -1;
1421 1471 }
1422 1472  
1423   - if (write_nb > MODBUS_MAX_RW_WRITE_REGISTERS) {
  1473 + if (write_nb > MODBUS_MAX_WR_WRITE_REGISTERS) {
1424 1474 if (ctx->debug) {
1425 1475 fprintf(stderr,
1426 1476 "ERROR Too many registers to write (%d > %d)\n",
1427   - write_nb, MODBUS_MAX_RW_WRITE_REGISTERS);
  1477 + write_nb, MODBUS_MAX_WR_WRITE_REGISTERS);
1428 1478 }
1429 1479 errno = EMBMDATA;
1430 1480 return -1;
1431 1481 }
1432 1482  
1433   - if (read_nb > MODBUS_MAX_READ_REGISTERS) {
  1483 + if (read_nb > MODBUS_MAX_WR_READ_REGISTERS) {
1434 1484 if (ctx->debug) {
1435 1485 fprintf(stderr,
1436 1486 "ERROR Too many registers requested (%d > %d)\n",
1437   - read_nb, MODBUS_MAX_READ_REGISTERS);
  1487 + read_nb, MODBUS_MAX_WR_READ_REGISTERS);
1438 1488 }
1439 1489 errno = EMBMDATA;
1440 1490 return -1;
... ...
src/modbus.h
  View file @fc73565
... ... @@ -90,7 +90,8 @@ MODBUS_BEGIN_DECLS
90 90 */
91 91 #define MODBUS_MAX_READ_REGISTERS 125
92 92 #define MODBUS_MAX_WRITE_REGISTERS 123
93   -#define MODBUS_MAX_RW_WRITE_REGISTERS 121
  93 +#define MODBUS_MAX_WR_WRITE_REGISTERS 121
  94 +#define MODBUS_MAX_WR_READ_REGISTERS 125
94 95  
95 96 /* Random number to avoid errno conflicts */
96 97 #define MODBUS_ENOBASE 112345678
... ...
tests/bandwidth-client.c
  View file @fc73565
... ... @@ -179,9 +179,9 @@ int main(int argc, char *argv[])
179 179 printf("* %d KiB/s\n", rate);
180 180 printf("\n\n");
181 181  
182   - printf("READ AND WRITE REGISTERS\n\n");
  182 + printf("WRITE AND READ REGISTERS\n\n");
183 183  
184   - nb_points = MODBUS_MAX_RW_WRITE_REGISTERS;
  184 + nb_points = MODBUS_MAX_WR_WRITE_REGISTERS;
185 185 start = gettime_ms();
186 186 for (i=0; i<n_loop; i++) {
187 187 rc = modbus_write_and_read_registers(ctx,
... ...
tests/bandwidth-server-one.c
  View file @fc73565
... ... @@ -59,6 +59,7 @@ int main(int argc, char *argv[])
59 59  
60 60 if (use_backend == TCP) {
61 61 ctx = modbus_new_tcp("127.0.0.1", 1502);
  62 + modbus_set_debug(ctx, TRUE);
62 63 s = modbus_tcp_listen(ctx, 1);
63 64 modbus_tcp_accept(ctx, &s);
64 65  
... ... @@ -68,8 +69,7 @@ int main(int argc, char *argv[])
68 69 modbus_connect(ctx);
69 70 }
70 71  
71   - mb_mapping = modbus_mapping_new(MODBUS_MAX_READ_BITS, 0,
72   - MODBUS_MAX_READ_REGISTERS, 0);
  72 + mb_mapping = modbus_mapping_new(1000, 1000, 1000, 1000);
73 73 if (mb_mapping == NULL) {
74 74 fprintf(stderr, "Failed to allocate the mapping: %s\n",
75 75 modbus_strerror(errno));
... ...
tests/unit-test-client.c
  View file @fc73565
1 1 /*
2   - * Copyright © 2008-2010 Stéphane Raimbault <stephane.raimbault@gmail.com>
  2 + * Copyright © 2008-2013 Stéphane Raimbault <stephane.raimbault@gmail.com>
3 3 *
4 4 * This program is free software: you can redistribute it and/or modify
5 5 * it under the terms of the GNU General Public License as published by
... ... @@ -255,8 +255,8 @@ int main(int argc, char *argv[])
255 255 rc = modbus_read_registers(ctx, UT_REGISTERS_ADDRESS,
256 256 0, tab_rp_registers);
257 257 printf("3/5 modbus_read_registers (0): ");
258   - if (rc != 0) {
259   - printf("FAILED (nb points %d)\n", rc);
  258 + if (rc != -1) {
  259 + printf("FAILED (nb_points %d)\n", rc);
260 260 goto close;
261 261 }
262 262 printf("OK\n");
... ... @@ -270,7 +270,8 @@ int main(int argc, char *argv[])
270 270 into tab_rp_registers. So the read registers must set to 0, except the
271 271 first one because there is an offset of 1 register on write. */
272 272 rc = modbus_write_and_read_registers(ctx,
273   - UT_REGISTERS_ADDRESS + 1, UT_REGISTERS_NB - 1,
  273 + UT_REGISTERS_ADDRESS + 1,
  274 + UT_REGISTERS_NB - 1,
274 275 tab_rp_registers,
275 276 UT_REGISTERS_ADDRESS,
276 277 UT_REGISTERS_NB,
... ... @@ -430,8 +431,8 @@ int main(int argc, char *argv[])
430 431 goto close;
431 432 }
432 433  
433   - rc = modbus_write_registers(ctx, UT_REGISTERS_ADDRESS + UT_REGISTERS_NB,
434   - UT_REGISTERS_NB, tab_rp_registers);
  434 + rc = modbus_read_registers(ctx, UT_REGISTERS_ADDRESS + UT_REGISTERS_NB,
  435 + UT_REGISTERS_NB, tab_rp_registers);
435 436 printf("* modbus_write_registers: ");
436 437 if (rc == -1 && errno == EMBXILADD) {
437 438 printf("OK\n");
... ... @@ -440,7 +441,6 @@ int main(int argc, char *argv[])
440 441 goto close;
441 442 }
442 443  
443   -
444 444 /** TOO MANY DATA **/
445 445 printf("\nTEST TOO MANY DATA ERROR:\n");
446 446  
... ... @@ -535,7 +535,7 @@ int main(int argc, char *argv[])
535 535 * indication for another slave is received, a confirmation must follow */
536 536  
537 537  
538   - /* Send a pair of indication/confimration to the slave with a different
  538 + /* Send a pair of indication/confirmation to the slave with a different
539 539 * slave ID to simulate a communication on a RS485 bus. At first, the
540 540 * slave will see the indication message then the confirmation, and it must
541 541 * ignore both. */
... ... @@ -699,13 +699,23 @@ int main(int argc, char *argv[])
699 699 }
700 700  
701 701 /** RAW REQUEST */
702   - printf("\nTEST RAW REQUEST:\n");
  702 + printf("\nTEST RAW REQUESTS:\n");
703 703 {
  704 + int j;
704 705 const int RAW_REQ_LENGTH = 6;
705   - uint8_t raw_req[] = { (use_backend == RTU) ? SERVER_ID : 0xFF,
706   - 0x03, 0x00, 0x01, 0x0, 0x05 };
  706 + uint8_t raw_req[] = {
  707 + (use_backend == RTU) ? SERVER_ID : 0xFF,
  708 + 0x03, 0x00, 0x01, 0x0, 0x05,
  709 + };
707 710 int req_length;
708 711 uint8_t rsp[MODBUS_TCP_MAX_ADU_LENGTH];
  712 + int tab_function[] = {0x01, 0x02, 0x03, 0x04};
  713 + int tab_nb_max[] = {
  714 + MODBUS_MAX_READ_BITS + 1,
  715 + MODBUS_MAX_READ_BITS + 1,
  716 + MODBUS_MAX_READ_REGISTERS + 1,
  717 + MODBUS_MAX_READ_REGISTERS + 1
  718 + };
709 719  
710 720 req_length = modbus_send_raw_request(ctx, raw_req,
711 721 RAW_REQ_LENGTH * sizeof(uint8_t));
... ... @@ -730,6 +740,44 @@ int main(int argc, char *argv[])
730 740 printf("FAILED (%d)\n", rc);
731 741 goto close;
732 742 }
  743 +
  744 + /* Try to crash server with raw requests to bypass checks of client. */
  745 +
  746 + /* Address */
  747 + raw_req[2] = 0;
  748 + raw_req[3] = 0;
  749 +
  750 + /* Try to read more values than a response could hold for all data
  751 + * types.
  752 + */
  753 + for (i=0; i<4; i++) {
  754 + raw_req[1] = tab_function[i];
  755 +
  756 + for (j=0; j<2; j++) {
  757 + if (j == 0) {
  758 + /* Try to read zero values on first iteration */
  759 + raw_req[4] = 0x00;
  760 + raw_req[5] = 0x00;
  761 + } else {
  762 + /* Try to read max values + 1 on second iteration */
  763 + raw_req[4] = (tab_nb_max[i] >> 8) & 0xFF;
  764 + raw_req[5] = tab_nb_max[i] & 0xFF;
  765 + }
  766 +
  767 + req_length = modbus_send_raw_request(ctx, raw_req,
  768 + RAW_REQ_LENGTH * sizeof(uint8_t));
  769 + printf("* try an exploit on function %d: ", tab_function[i]);
  770 + rc = modbus_receive_confirmation(ctx, rsp);
  771 + if (rc == 9 &&
  772 + rsp[7] == (0x80 + tab_function[i]) &&
  773 + rsp[8] == MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE) {
  774 + printf("OK\n");
  775 + } else {
  776 + printf("FAILED\n");
  777 + goto close;
  778 + }
  779 + }
  780 + }
733 781 }
734 782  
735 783 printf("\nALL TESTS PASS WITH SUCCESS.\n");
... ...
tests/unit-test.h.in
  View file @fc73565
... ... @@ -36,15 +36,16 @@
36 36 #define SERVER_ID 17
37 37 #define INVALID_SERVER_ID 18
38 38  
39   -const uint16_t UT_BITS_ADDRESS = 0x13;
  39 +/* Server allocates address + nb */
  40 +const uint16_t UT_BITS_ADDRESS = 0x130;
40 41 const uint16_t UT_BITS_NB = 0x25;
41 42 const uint8_t UT_BITS_TAB[] = { 0xCD, 0x6B, 0xB2, 0x0E, 0x1B };
42 43  
43   -const uint16_t UT_INPUT_BITS_ADDRESS = 0xC4;
  44 +const uint16_t UT_INPUT_BITS_ADDRESS = 0x1C4;
44 45 const uint16_t UT_INPUT_BITS_NB = 0x16;
45 46 const uint8_t UT_INPUT_BITS_TAB[] = { 0xAC, 0xDB, 0x35 };
46 47  
47   -const uint16_t UT_REGISTERS_ADDRESS = 0x6B;
  48 +const uint16_t UT_REGISTERS_ADDRESS = 0x16B;
48 49 /* Raise a manual exception when this address is used for the first byte */
49 50 const uint16_t UT_REGISTERS_ADDRESS_SPECIAL = 0x6C;
50 51 /* The response of the server will contains an invalid TID or slave */
... ... @@ -57,7 +58,7 @@ const uint16_t UT_REGISTERS_TAB[] = { 0x022B, 0x0001, 0x0064 };
57 58 UT_REGISTERS_NB_POINTS to try to raise a segfault. */
58 59 const uint16_t UT_REGISTERS_NB_SPECIAL = 0x2;
59 60  
60   -const uint16_t UT_INPUT_REGISTERS_ADDRESS = 0x08;
  61 +const uint16_t UT_INPUT_REGISTERS_ADDRESS = 0x108;
61 62 const uint16_t UT_INPUT_REGISTERS_NB = 0x1;
62 63 const uint16_t UT_INPUT_REGISTERS_TAB[] = { 0x000A };
63 64  
... ...