
Commit 5ccdf5e

committed
Fix VD-1301 and VD-1302 vulnerabilities
This patch was contributed by Maor Vermucht and Or Peles from VDOO Connected Trust.
1 parent 076992f commit 5ccdf5e


1 file changed

+4
-2
lines changed

1 file changed

+4
-2
lines changed

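--- a/src/modbus.c
+++ b/src/modbus.c
@@ -839,9 +839,10 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
 break;
 case MODBUS_FC_WRITE_MULTIPLE_COILS: {
 int nb = (req[offset + 3] << 8) + req[offset + 4];
+int nb_bits = req[offset + 5];
 int mapping_address = address - mb_mapping->start_bits;
 
-if (nb < 1 || MODBUS_MAX_WRITE_BITS < nb) {
+if (nb < 1 || MODBUS_MAX_WRITE_BITS < nb || nb_bits * 8 < nb) {
 /* May be the indication has been truncated on reading because of
 * invalid address (eg. nb is 0 but the request contains values to
 * write) so it's necessary to flush. */
@@ -870,9 +871,10 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
 break;
 case MODBUS_FC_WRITE_MULTIPLE_REGISTERS: {
 int nb = (req[offset + 3] << 8) + req[offset + 4];
+int nb_bytes = req[offset + 5];
 int mapping_address = address - mb_mapping->start_registers;
 
-if (nb < 1 || MODBUS_MAX_WRITE_REGISTERS < nb) {
+if (nb < 1 || MODBUS_MAX_WRITE_REGISTERS < nb || nb_bytes * 8 < nb) {
 rsp_length = response_exception(
 ctx, &sft, MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE, rsp, TRUE,
 "Illegal number of values %d in write_registers (max %d)\n",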
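Review bot: In the MODBUS_FC_WRITE_MULTIPLE_REGISTERS case the added test `nb_bytes * 8 < nb` reuses the coil arithmetic, but a register is 16 bits wide, so the request must carry two data bytes per register rather than one bit per value. As written the check is far too loose: for example nb = 100 with a byte count of 13 passes (104 >= 100) although 200 data bytes are needed, so the declared quantity can still exceed the data actually present in `req`. The loop that copies the register values lies outside this hunk (modbus_reply starts and ends beyond it), so the resulting read past the received request is inferred rather than visible here. An exact comparison closes the gap: `if (nb < 1 || MODBUS_MAX_WRITE_REGISTERS < nb || nb_bytes != nb * 2) {`. In the coil case the local `nb_bits` actually holds the byte-count field and would read more clearly as `nb_bytes`.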
