modbus_send_raw_request does not check raw_req_length before memcpy #207

Closed
hneuer opened this Issue Mar 11, 2014 · 0 comments

hneuer commented Mar 11, 2014

In modbus_send_raw_request the raw request is checked to contain at least a function and a slave. On the other hand, the maximum length of the raw request is not checked; instead it is copied directly into the request.

It would be useful to perform a length check before the memcpy to avoid buffer overflows. In case of too long a raw request, the same errno as for a missing slave/function should be set.

mhei added a commit to mhei/libmodbus that referenced this issue Jan 26, 2015

modbus_send_raw_request: limit request length (fixes #207)
Do not allow raw request length longer than the PDU size plus
the additional requested slave address byte.
Without this check modbus_send_raw_request could be used to
trigger a buffer overflow on the stack since the parameter
is passed unchecked to memcpy.

Thanks to Hanno Neuer for spotting this security flaw.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
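The two code paths discussed above, as an added example that is not libmodbus's own code and not the referenced commit: an unchecked copy that mirrors the pattern described in the issue (only the two-byte minimum is enforced before memcpy), beside a bounded version that applies the limit the commit message describes (one PDU plus the slave address byte). MODBUS_MAX_PDU_LENGTH = 253 follows the Modbus PDU limit; the buffer size REQ_BUFFER_LENGTH, the struct frame with a canary, the function names send_raw_unchecked/send_raw_checked, the constructed request bytes and the choice of EINVAL are assumptions made here for illustration. The canary makes the overrun observable in a well-defined way instead of corrupting a real stack frame.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes assumed for this example. 253 is the Modbus PDU limit; the request
 * buffer length and the canary are illustration choices, not libmodbus's. */
#define MODBUS_MAX_PDU_LENGTH 253
#define REQ_BUFFER_LENGTH 260
#define CANARY_LENGTH 8
#define CANARY_BYTE 0xA5

/* Stand-in for the stack frame of a send routine: the request buffer followed
 * by a canary so an overrun shows up as a clobbered canary. */
struct frame {
    uint8_t req[REQ_BUFFER_LENGTH];
    uint8_t canary[CANARY_LENGTH];
};

static void frame_init(struct frame *f)
{
    memset(f->req, 0, sizeof f->req);
    memset(f->canary, CANARY_BYTE, sizeof f->canary);
}

/* Returns 1 if the canary is intact, 0 if a copy overran the request buffer. */
int frame_canary_ok(const struct frame *f)
{
    for (size_t i = 0; i < CANARY_LENGTH; i++)
        if (f->canary[i] != CANARY_BYTE)
            return 0;
    return 1;
}

/* Before the fix: only the minimum (slave + function) is checked, then the
 * caller-supplied length goes straight to memcpy. Returns bytes copied,
 * or -1 with errno = EINVAL (assumed errno value). */
int send_raw_unchecked(struct frame *f, const uint8_t *raw_req, int raw_req_length)
{
    if (raw_req_length < 2) {
        errno = EINVAL;
        return -1;
    }
    /* Copying through a byte pointer to the whole struct keeps this demo
     * well-defined; on a real stack the excess would hit saved state. */
    memcpy((uint8_t *)f, raw_req, (size_t)raw_req_length);
    return raw_req_length;
}

/* After the fix: reject anything longer than one PDU plus the slave address
 * byte, using the same errno as the too-short case. */
int send_raw_checked(struct frame *f, const uint8_t *raw_req, int raw_req_length)
{
    if (raw_req_length < 2 || raw_req_length > MODBUS_MAX_PDU_LENGTH + 1) {
        errno = EINVAL;
        return -1;
    }
    memcpy(f->req, raw_req, (size_t)raw_req_length);
    return raw_req_length;
}

/* Feeds one oversized request to both versions. Returns 1 if the unchecked
 * copy overran the buffer and the bounded version rejected it, else 0. */
int demo_overlong_request(void)
{
    /* Constructed input: slave 0x11, function 0x03, then filler, sized to
     * exactly fill the request buffer plus the canary (268 bytes). */
    uint8_t raw_req[REQ_BUFFER_LENGTH + CANARY_LENGTH];
    memset(raw_req, 0xFF, sizeof raw_req);
    raw_req[0] = 0x11;
    raw_req[1] = 0x03;

    struct frame f;
    frame_init(&f);
    int rc_unchecked = send_raw_unchecked(&f, raw_req, (int)sizeof raw_req);
    int unchecked_smashed = !frame_canary_ok(&f);

    frame_init(&f);
    errno = 0;
    int rc_checked = send_raw_checked(&f, raw_req, (int)sizeof raw_req);
    int checked_einval = (rc_checked == -1 && errno == EINVAL);
    int checked_intact = frame_canary_ok(&f);

    printf("unchecked: rc=%d canary %s\n", rc_unchecked,
           unchecked_smashed ? "smashed" : "intact");
    printf("checked:   rc=%d errno=%s canary %s\n", rc_checked,
           checked_einval ? "EINVAL" : "unset",
           checked_intact ? "intact" : "smashed");

    return rc_unchecked == (int)sizeof raw_req && unchecked_smashed &&
           checked_einval && checked_intact;
}

int main(void)
{
    return demo_overlong_request() ? 0 : 1;
}
```

The boundary worth remembering is MODBUS_MAX_PDU_LENGTH + 1 (254 bytes): a 254-byte raw request is the largest the bounded version accepts, and a 255-byte one is refused with the same errno a one-byte request gets.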

mhei added a commit to mhei/libmodbus that referenced this issue Feb 13, 2015

modbus_send_raw_request: limit request length (fixes #207)

stephane closed this in e98fd68 Feb 18, 2015
