Peter M. Groen / libmodbus

Commit fc73565da7a5c35d55eab843cf6c60af6c2b6925

Authored by Stéphane Raimbault
1 parent 2a9a7ddf

Fix remote buffer overflow vulnerability (closes #25, #105) 

It's strongly recommended to update your libmodbus library if you
use it in a slave/server application in a not trusted environment.

Debian package of libmodbus 3.0.4 already contains a patch to
mitigate the exploit but the patch isn't as strong than this one.
Inline Side-by-side
Showing 6 changed files with 131 additions and 31 deletions
src/modbus.c
  View file @fc73565
@@ -706,7 +706,16 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req, @@ -706,7 +706,16 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
706 case _FC_READ_COILS: { 706 case _FC_READ_COILS: {
707 int nb = (req[offset + 3] << 8) + req[offset + 4]; 707 int nb = (req[offset + 3] << 8) + req[offset + 4];
708 708
709 - if ((address + nb) > mb_mapping->nb_bits) { 709 + if (nb < 1 || MODBUS_MAX_READ_BITS < nb) {
  710 + if (ctx->debug) {
  711 + fprintf(stderr,
  712 + "Illegal nb of values %d in read_bits (max %d)\n",
  713 + nb, MODBUS_MAX_READ_BITS);
  714 + }
  715 + rsp_length = response_exception(
  716 + ctx, &sft,
  717 + MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE, rsp);
  718 + } else if ((address + nb) > mb_mapping->nb_bits) {
710 if (ctx->debug) { 719 if (ctx->debug) {
711 fprintf(stderr, "Illegal data address %0X in read_bits\n", 720 fprintf(stderr, "Illegal data address %0X in read_bits\n",
712 address + nb); 721 address + nb);
@@ -728,7 +737,16 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req, @@ -728,7 +737,16 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
728 * function) */ 737 * function) */
729 int nb = (req[offset + 3] << 8) + req[offset + 4]; 738 int nb = (req[offset + 3] << 8) + req[offset + 4];
730 739
731 - if ((address + nb) > mb_mapping->nb_input_bits) { 740 + if (nb < 1 || MODBUS_MAX_READ_BITS < nb) {
  741 + if (ctx->debug) {
  742 + fprintf(stderr,
  743 + "Illegal nb of values %d in read_input_bits (max %d)\n",
  744 + nb, MODBUS_MAX_READ_BITS);
  745 + }
  746 + rsp_length = response_exception(
  747 + ctx, &sft,
  748 + MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE, rsp);
  749 + } else if ((address + nb) > mb_mapping->nb_input_bits) {
732 if (ctx->debug) { 750 if (ctx->debug) {
733 fprintf(stderr, "Illegal data address %0X in read_input_bits\n", 751 fprintf(stderr, "Illegal data address %0X in read_input_bits\n",
734 address + nb); 752 address + nb);
@@ -748,7 +766,16 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req, @@ -748,7 +766,16 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
748 case _FC_READ_HOLDING_REGISTERS: { 766 case _FC_READ_HOLDING_REGISTERS: {
749 int nb = (req[offset + 3] << 8) + req[offset + 4]; 767 int nb = (req[offset + 3] << 8) + req[offset + 4];
750 768
751 - if ((address + nb) > mb_mapping->nb_registers) { 769 + if (nb < 1 || MODBUS_MAX_READ_REGISTERS < nb) {
  770 + if (ctx->debug) {
  771 + fprintf(stderr,
  772 + "Illegal nb of values %d in read_holding_registers (max %d)\n",
  773 + nb, MODBUS_MAX_READ_REGISTERS);
  774 + }
  775 + rsp_length = response_exception(
  776 + ctx, &sft,
  777 + MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE, rsp);
  778 + } else if ((address + nb) > mb_mapping->nb_registers) {
752 if (ctx->debug) { 779 if (ctx->debug) {
753 fprintf(stderr, "Illegal data address %0X in read_registers\n", 780 fprintf(stderr, "Illegal data address %0X in read_registers\n",
754 address + nb); 781 address + nb);
@@ -773,7 +800,16 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req, @@ -773,7 +800,16 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
773 * function) */ 800 * function) */
774 int nb = (req[offset + 3] << 8) + req[offset + 4]; 801 int nb = (req[offset + 3] << 8) + req[offset + 4];
775 802
776 - if ((address + nb) > mb_mapping->nb_input_registers) { 803 + if (nb < 1 || MODBUS_MAX_READ_REGISTERS < nb) {
  804 + if (ctx->debug) {
  805 + fprintf(stderr,
  806 + "Illegal number of values %d in read_input_registers (max %d)\n",
  807 + nb, MODBUS_MAX_READ_REGISTERS);
  808 + }
  809 + rsp_length = response_exception(
  810 + ctx, &sft,
  811 + MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE, rsp);
  812 + } else if ((address + nb) > mb_mapping->nb_input_registers) {
777 if (ctx->debug) { 813 if (ctx->debug) {
778 fprintf(stderr, "Illegal data address %0X in read_input_registers\n", 814 fprintf(stderr, "Illegal data address %0X in read_input_registers\n",
779 address + nb); 815 address + nb);
@@ -796,7 +832,8 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req, @@ -796,7 +832,8 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
796 case _FC_WRITE_SINGLE_COIL: 832 case _FC_WRITE_SINGLE_COIL:
797 if (address >= mb_mapping->nb_bits) { 833 if (address >= mb_mapping->nb_bits) {
798 if (ctx->debug) { 834 if (ctx->debug) {
799 - fprintf(stderr, "Illegal data address %0X in write_bit\n", 835 + fprintf(stderr,
  836 + "Illegal data address %0X in write_bit\n",
800 address); 837 address);
801 } 838 }
802 rsp_length = response_exception( 839 rsp_length = response_exception(
@@ -934,9 +971,22 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req, @@ -934,9 +971,22 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
934 int nb = (req[offset + 3] << 8) + req[offset + 4]; 971 int nb = (req[offset + 3] << 8) + req[offset + 4];
935 uint16_t address_write = (req[offset + 5] << 8) + req[offset + 6]; 972 uint16_t address_write = (req[offset + 5] << 8) + req[offset + 6];
936 int nb_write = (req[offset + 7] << 8) + req[offset + 8]; 973 int nb_write = (req[offset + 7] << 8) + req[offset + 8];
  974 + int nb_write_bytes = req[offset + 9];
937 975
938 - if ((address + nb) > mb_mapping->nb_registers ||  
939 - (address_write + nb_write) > mb_mapping->nb_registers) { 976 + if (nb_write < 1 || MODBUS_MAX_WR_WRITE_REGISTERS < nb_write ||
  977 + nb < 1 || MODBUS_MAX_WR_READ_REGISTERS < nb ||
  978 + nb_write_bytes != nb_write * 2) {
  979 + if (ctx->debug) {
  980 + fprintf(stderr,
  981 + "Illegal nb of values (W%d, R%d) in write_and_read_registers (max W%d, R%d)\n",
  982 + nb_write, nb,
  983 + MODBUS_MAX_WR_WRITE_REGISTERS, MODBUS_MAX_WR_READ_REGISTERS);
  984 + }
  985 + rsp_length = response_exception(
  986 + ctx, &sft,
  987 + MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE, rsp);
  988 + } else if ((address + nb) > mb_mapping->nb_registers ||
  989 + (address_write + nb_write) > mb_mapping->nb_registers) {
940 if (ctx->debug) { 990 if (ctx->debug) {
941 fprintf(stderr, 991 fprintf(stderr,
942 "Illegal data read address %0X or write address %0X write_and_read_registers\n", 992 "Illegal data read address %0X or write address %0X write_and_read_registers\n",
@@ -1420,21 +1470,21 @@ int modbus_write_and_read_registers(modbus_t *ctx, @@ -1420,21 +1470,21 @@ int modbus_write_and_read_registers(modbus_t *ctx,
1420 return -1; 1470 return -1;
1421 } 1471 }
1422 1472
1423 - if (write_nb > MODBUS_MAX_RW_WRITE_REGISTERS) { 1473 + if (write_nb > MODBUS_MAX_WR_WRITE_REGISTERS) {
1424 if (ctx->debug) { 1474 if (ctx->debug) {
1425 fprintf(stderr, 1475 fprintf(stderr,
1426 "ERROR Too many registers to write (%d > %d)\n", 1476 "ERROR Too many registers to write (%d > %d)\n",
1427 - write_nb, MODBUS_MAX_RW_WRITE_REGISTERS); 1477 + write_nb, MODBUS_MAX_WR_WRITE_REGISTERS);
1428 } 1478 }
1429 errno = EMBMDATA; 1479 errno = EMBMDATA;
1430 return -1; 1480 return -1;
1431 } 1481 }
1432 1482
1433 - if (read_nb > MODBUS_MAX_READ_REGISTERS) { 1483 + if (read_nb > MODBUS_MAX_WR_READ_REGISTERS) {
1434 if (ctx->debug) { 1484 if (ctx->debug) {
1435 fprintf(stderr, 1485 fprintf(stderr,
1436 "ERROR Too many registers requested (%d > %d)\n", 1486 "ERROR Too many registers requested (%d > %d)\n",
1437 - read_nb, MODBUS_MAX_READ_REGISTERS); 1487 + read_nb, MODBUS_MAX_WR_READ_REGISTERS);
1438 } 1488 }
1439 errno = EMBMDATA; 1489 errno = EMBMDATA;
1440 return -1; 1490 return -1;
src/modbus.h
  View file @fc73565
@@ -90,7 +90,8 @@ MODBUS_BEGIN_DECLS @@ -90,7 +90,8 @@ MODBUS_BEGIN_DECLS
90 */ 90 */
91 #define MODBUS_MAX_READ_REGISTERS 125 91 #define MODBUS_MAX_READ_REGISTERS 125
92 #define MODBUS_MAX_WRITE_REGISTERS 123 92 #define MODBUS_MAX_WRITE_REGISTERS 123
93 -#define MODBUS_MAX_RW_WRITE_REGISTERS 121 93 +#define MODBUS_MAX_WR_WRITE_REGISTERS 121
  94 +#define MODBUS_MAX_WR_READ_REGISTERS 125
94 95
95 /* Random number to avoid errno conflicts */ 96 /* Random number to avoid errno conflicts */
96 #define MODBUS_ENOBASE 112345678 97 #define MODBUS_ENOBASE 112345678
tests/bandwidth-client.c
  View file @fc73565
@@ -179,9 +179,9 @@ int main(int argc, char *argv[]) @@ -179,9 +179,9 @@ int main(int argc, char *argv[])
179 printf("* %d KiB/s\n", rate); 179 printf("* %d KiB/s\n", rate);
180 printf("\n\n"); 180 printf("\n\n");
181 181
182 - printf("READ AND WRITE REGISTERS\n\n"); 182 + printf("WRITE AND READ REGISTERS\n\n");
183 183
184 - nb_points = MODBUS_MAX_RW_WRITE_REGISTERS; 184 + nb_points = MODBUS_MAX_WR_WRITE_REGISTERS;
185 start = gettime_ms(); 185 start = gettime_ms();
186 for (i=0; i<n_loop; i++) { 186 for (i=0; i<n_loop; i++) {
187 rc = modbus_write_and_read_registers(ctx, 187 rc = modbus_write_and_read_registers(ctx,
tests/bandwidth-server-one.c
  View file @fc73565
@@ -59,6 +59,7 @@ int main(int argc, char *argv[]) @@ -59,6 +59,7 @@ int main(int argc, char *argv[])
59 59
60 if (use_backend == TCP) { 60 if (use_backend == TCP) {
61 ctx = modbus_new_tcp("127.0.0.1", 1502); 61 ctx = modbus_new_tcp("127.0.0.1", 1502);
  62 + modbus_set_debug(ctx, TRUE);
62 s = modbus_tcp_listen(ctx, 1); 63 s = modbus_tcp_listen(ctx, 1);
63 modbus_tcp_accept(ctx, &s); 64 modbus_tcp_accept(ctx, &s);
64 65
@@ -68,8 +69,7 @@ int main(int argc, char *argv[]) @@ -68,8 +69,7 @@ int main(int argc, char *argv[])
68 modbus_connect(ctx); 69 modbus_connect(ctx);
69 } 70 }
70 71
71 - mb_mapping = modbus_mapping_new(MODBUS_MAX_READ_BITS, 0,  
72 - MODBUS_MAX_READ_REGISTERS, 0); 72 + mb_mapping = modbus_mapping_new(1000, 1000, 1000, 1000);
73 if (mb_mapping == NULL) { 73 if (mb_mapping == NULL) {
74 fprintf(stderr, "Failed to allocate the mapping: %s\n", 74 fprintf(stderr, "Failed to allocate the mapping: %s\n",
75 modbus_strerror(errno)); 75 modbus_strerror(errno));
tests/unit-test-client.c
  View file @fc73565
1 /* 1 /*
2 - * Copyright © 2008-2010 Stéphane Raimbault <stephane.raimbault@gmail.com> 2 + * Copyright © 2008-2013 Stéphane Raimbault <stephane.raimbault@gmail.com>
3 * 3 *
4 * This program is free software: you can redistribute it and/or modify 4 * This program is free software: you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by 5 * it under the terms of the GNU General Public License as published by
@@ -255,8 +255,8 @@ int main(int argc, char *argv[]) @@ -255,8 +255,8 @@ int main(int argc, char *argv[])
255 rc = modbus_read_registers(ctx, UT_REGISTERS_ADDRESS, 255 rc = modbus_read_registers(ctx, UT_REGISTERS_ADDRESS,
256 0, tab_rp_registers); 256 0, tab_rp_registers);
257 printf("3/5 modbus_read_registers (0): "); 257 printf("3/5 modbus_read_registers (0): ");
258 - if (rc != 0) {  
259 - printf("FAILED (nb points %d)\n", rc); 258 + if (rc != -1) {
  259 + printf("FAILED (nb_points %d)\n", rc);
260 goto close; 260 goto close;
261 } 261 }
262 printf("OK\n"); 262 printf("OK\n");
@@ -270,7 +270,8 @@ int main(int argc, char *argv[]) @@ -270,7 +270,8 @@ int main(int argc, char *argv[])
270 into tab_rp_registers. So the read registers must set to 0, except the 270 into tab_rp_registers. So the read registers must set to 0, except the
271 first one because there is an offset of 1 register on write. */ 271 first one because there is an offset of 1 register on write. */
272 rc = modbus_write_and_read_registers(ctx, 272 rc = modbus_write_and_read_registers(ctx,
273 - UT_REGISTERS_ADDRESS + 1, UT_REGISTERS_NB - 1, 273 + UT_REGISTERS_ADDRESS + 1,
  274 + UT_REGISTERS_NB - 1,
274 tab_rp_registers, 275 tab_rp_registers,
275 UT_REGISTERS_ADDRESS, 276 UT_REGISTERS_ADDRESS,
276 UT_REGISTERS_NB, 277 UT_REGISTERS_NB,
@@ -430,8 +431,8 @@ int main(int argc, char *argv[]) @@ -430,8 +431,8 @@ int main(int argc, char *argv[])
430 goto close; 431 goto close;
431 } 432 }
432 433
433 - rc = modbus_write_registers(ctx, UT_REGISTERS_ADDRESS + UT_REGISTERS_NB,  
434 - UT_REGISTERS_NB, tab_rp_registers); 434 + rc = modbus_read_registers(ctx, UT_REGISTERS_ADDRESS + UT_REGISTERS_NB,
  435 + UT_REGISTERS_NB, tab_rp_registers);
435 printf("* modbus_write_registers: "); 436 printf("* modbus_write_registers: ");
436 if (rc == -1 && errno == EMBXILADD) { 437 if (rc == -1 && errno == EMBXILADD) {
437 printf("OK\n"); 438 printf("OK\n");
@@ -440,7 +441,6 @@ int main(int argc, char *argv[]) @@ -440,7 +441,6 @@ int main(int argc, char *argv[])
440 goto close; 441 goto close;
441 } 442 }
442 443
443 -  
444 /** TOO MANY DATA **/ 444 /** TOO MANY DATA **/
445 printf("\nTEST TOO MANY DATA ERROR:\n"); 445 printf("\nTEST TOO MANY DATA ERROR:\n");
446 446
@@ -535,7 +535,7 @@ int main(int argc, char *argv[]) @@ -535,7 +535,7 @@ int main(int argc, char *argv[])
535 * indication for another slave is received, a confirmation must follow */ 535 * indication for another slave is received, a confirmation must follow */
536 536
537 537
538 - /* Send a pair of indication/confimration to the slave with a different 538 + /* Send a pair of indication/confirmation to the slave with a different
539 * slave ID to simulate a communication on a RS485 bus. At first, the 539 * slave ID to simulate a communication on a RS485 bus. At first, the
540 * slave will see the indication message then the confirmation, and it must 540 * slave will see the indication message then the confirmation, and it must
541 * ignore both. */ 541 * ignore both. */
@@ -699,13 +699,23 @@ int main(int argc, char *argv[]) @@ -699,13 +699,23 @@ int main(int argc, char *argv[])
699 } 699 }
700 700
701 /** RAW REQUEST */ 701 /** RAW REQUEST */
702 - printf("\nTEST RAW REQUEST:\n"); 702 + printf("\nTEST RAW REQUESTS:\n");
703 { 703 {
  704 + int j;
704 const int RAW_REQ_LENGTH = 6; 705 const int RAW_REQ_LENGTH = 6;
705 - uint8_t raw_req[] = { (use_backend == RTU) ? SERVER_ID : 0xFF,  
706 - 0x03, 0x00, 0x01, 0x0, 0x05 }; 706 + uint8_t raw_req[] = {
  707 + (use_backend == RTU) ? SERVER_ID : 0xFF,
  708 + 0x03, 0x00, 0x01, 0x0, 0x05,
  709 + };
707 int req_length; 710 int req_length;
708 uint8_t rsp[MODBUS_TCP_MAX_ADU_LENGTH]; 711 uint8_t rsp[MODBUS_TCP_MAX_ADU_LENGTH];
  712 + int tab_function[] = {0x01, 0x02, 0x03, 0x04};
  713 + int tab_nb_max[] = {
  714 + MODBUS_MAX_READ_BITS + 1,
  715 + MODBUS_MAX_READ_BITS + 1,
  716 + MODBUS_MAX_READ_REGISTERS + 1,
  717 + MODBUS_MAX_READ_REGISTERS + 1
  718 + };
709 719
710 req_length = modbus_send_raw_request(ctx, raw_req, 720 req_length = modbus_send_raw_request(ctx, raw_req,
711 RAW_REQ_LENGTH * sizeof(uint8_t)); 721 RAW_REQ_LENGTH * sizeof(uint8_t));
@@ -730,6 +740,44 @@ int main(int argc, char *argv[]) @@ -730,6 +740,44 @@ int main(int argc, char *argv[])
730 printf("FAILED (%d)\n", rc); 740 printf("FAILED (%d)\n", rc);
731 goto close; 741 goto close;
732 } 742 }
  743 +
  744 + /* Try to crash server with raw requests to bypass checks of client. */
  745 +
  746 + /* Address */
  747 + raw_req[2] = 0;
  748 + raw_req[3] = 0;
  749 +
  750 + /* Try to read more values than a response could hold for all data
  751 + * types.
  752 + */
  753 + for (i=0; i<4; i++) {
  754 + raw_req[1] = tab_function[i];
  755 +
  756 + for (j=0; j<2; j++) {
  757 + if (j == 0) {
  758 + /* Try to read zero values on first iteration */
  759 + raw_req[4] = 0x00;
  760 + raw_req[5] = 0x00;
  761 + } else {
  762 + /* Try to read max values + 1 on second iteration */
  763 + raw_req[4] = (tab_nb_max[i] >> 8) & 0xFF;
  764 + raw_req[5] = tab_nb_max[i] & 0xFF;
  765 + }
  766 +
  767 + req_length = modbus_send_raw_request(ctx, raw_req,
  768 + RAW_REQ_LENGTH * sizeof(uint8_t));
  769 + printf("* try an exploit on function %d: ", tab_function[i]);
  770 + rc = modbus_receive_confirmation(ctx, rsp);
  771 + if (rc == 9 &&
  772 + rsp[7] == (0x80 + tab_function[i]) &&
  773 + rsp[8] == MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE) {
  774 + printf("OK\n");
  775 + } else {
  776 + printf("FAILED\n");
  777 + goto close;
  778 + }
  779 + }
  780 + }
733 } 781 }
734 782
735 printf("\nALL TESTS PASS WITH SUCCESS.\n"); 783 printf("\nALL TESTS PASS WITH SUCCESS.\n");
tests/unit-test.h.in
  View file @fc73565
@@ -36,15 +36,16 @@ @@ -36,15 +36,16 @@
36 #define SERVER_ID 17 36 #define SERVER_ID 17
37 #define INVALID_SERVER_ID 18 37 #define INVALID_SERVER_ID 18
38 38
39 -const uint16_t UT_BITS_ADDRESS = 0x13; 39 +/* Server allocates address + nb */
  40 +const uint16_t UT_BITS_ADDRESS = 0x130;
40 const uint16_t UT_BITS_NB = 0x25; 41 const uint16_t UT_BITS_NB = 0x25;
41 const uint8_t UT_BITS_TAB[] = { 0xCD, 0x6B, 0xB2, 0x0E, 0x1B }; 42 const uint8_t UT_BITS_TAB[] = { 0xCD, 0x6B, 0xB2, 0x0E, 0x1B };
42 43
43 -const uint16_t UT_INPUT_BITS_ADDRESS = 0xC4; 44 +const uint16_t UT_INPUT_BITS_ADDRESS = 0x1C4;
44 const uint16_t UT_INPUT_BITS_NB = 0x16; 45 const uint16_t UT_INPUT_BITS_NB = 0x16;
45 const uint8_t UT_INPUT_BITS_TAB[] = { 0xAC, 0xDB, 0x35 }; 46 const uint8_t UT_INPUT_BITS_TAB[] = { 0xAC, 0xDB, 0x35 };
46 47
47 -const uint16_t UT_REGISTERS_ADDRESS = 0x6B; 48 +const uint16_t UT_REGISTERS_ADDRESS = 0x16B;
48 /* Raise a manual exception when this address is used for the first byte */ 49 /* Raise a manual exception when this address is used for the first byte */
49 const uint16_t UT_REGISTERS_ADDRESS_SPECIAL = 0x6C; 50 const uint16_t UT_REGISTERS_ADDRESS_SPECIAL = 0x6C;
50 /* The response of the server will contains an invalid TID or slave */ 51 /* The response of the server will contains an invalid TID or slave */
@@ -57,7 +58,7 @@ const uint16_t UT_REGISTERS_TAB[] = { 0x022B, 0x0001, 0x0064 }; @@ -57,7 +58,7 @@ const uint16_t UT_REGISTERS_TAB[] = { 0x022B, 0x0001, 0x0064 };
57 UT_REGISTERS_NB_POINTS to try to raise a segfault. */ 58 UT_REGISTERS_NB_POINTS to try to raise a segfault. */
58 const uint16_t UT_REGISTERS_NB_SPECIAL = 0x2; 59 const uint16_t UT_REGISTERS_NB_SPECIAL = 0x2;
59 60
60 -const uint16_t UT_INPUT_REGISTERS_ADDRESS = 0x08; 61 +const uint16_t UT_INPUT_REGISTERS_ADDRESS = 0x108;
61 const uint16_t UT_INPUT_REGISTERS_NB = 0x1; 62 const uint16_t UT_INPUT_REGISTERS_NB = 0x1;
62 const uint16_t UT_INPUT_REGISTERS_TAB[] = { 0x000A }; 63 const uint16_t UT_INPUT_REGISTERS_TAB[] = { 0x000A };
63 64