Fix remote buffer overflow vulnerability #105

Closed
wants to merge 1 commit into
from

@LetoThe2nd

Hello Stephane,

please consider pulling this patch. It is also already in the Debian repositories.

Add checks so modbus_reply returns a
MODBUS_EXCEPTION_ILLEGAL_DATA_ADDRESS if the count of requested
registers exceeds the spec as noted in modbus.h, line 73ff.

Josef Holzmayr
Add register count checks to modbus_reply
Add checks so modbus_reply returns a
MODBUS_EXCEPTION_ILLEGAL_DATA_ADDRESS if the count of requested
registers exceeds the spec as noted in modbus.h, line 73ff.
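
The check this pull request describes, as an added example (not the patch itself and not libmodbus code): a server-side Read Holding Registers handler that rejects an out-of-spec register count before that count sizes the reply. The function names, the 253-byte response buffer and the 200-register map are assumptions; the limit of 125 registers comes from the Modbus specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_READ_REGISTERS 125        /* spec limit; MODBUS_MAX_READ_REGISTERS in modbus.h */
#define EXC_ILLEGAL_DATA_ADDRESS 0x02
#define RSP_PDU_MAX 253               /* largest Modbus PDU */

/* Hypothetical helper, not libmodbus code: answer a Read Holding Registers (0x03)
 * request PDU. Returns response length, or 0 if unparsable or rsp is too small. */
size_t reply_read_registers(const uint8_t *req, size_t req_len,
                            const uint16_t *regs, size_t nb_regs,
                            uint8_t *rsp, size_t rsp_cap)
{
    if (req_len < 5 || req[0] != 0x03 || rsp_cap < RSP_PDU_MAX)
        return 0;
    uint16_t addr = (uint16_t)((req[1] << 8) | req[2]);
    uint16_t count = (uint16_t)((req[3] << 8) | req[4]);
    /* count comes off the wire: bound it before it sizes any copy. */
    if (count < 1 || count > MAX_READ_REGISTERS ||
        (size_t)addr + count > nb_regs) {    /* size_t: no wrap */
        rsp[0] = (uint8_t)(req[0] | 0x80);   /* exception response */
        rsp[1] = EXC_ILLEGAL_DATA_ADDRESS;
        return 2;
    }
    rsp[0] = req[0];
    rsp[1] = (uint8_t)(count * 2);           /* byte count, at most 250 */
    for (uint16_t i = 0; i < count; i++) {
        rsp[2 + 2 * i] = (uint8_t)(regs[addr + i] >> 8);
        rsp[3 + 2 * i] = (uint8_t)(regs[addr + i] & 0xFF);
    }
    return 2 + (size_t)count * 2;
}

/* Constructed demo input: a 200-register map and a request built from args. */
size_t demo_reply_len(uint16_t addr, uint16_t count)
{
    static uint16_t regs[200];
    uint8_t rsp[RSP_PDU_MAX];
    uint8_t req[5] = {0x03, (uint8_t)(addr >> 8), (uint8_t)(addr & 0xFF),
                      (uint8_t)(count >> 8), (uint8_t)(count & 0xFF)};
    return reply_read_registers(req, sizeof req, regs, 200, rsp, sizeof rsp);
}

int main(void)
{
    printf("%zu %zu\n", demo_reply_len(0, 125), demo_reply_len(0, 0xFFFF));
    return 0;
}
```

Without the count bound, a request for 65535 registers would drive the copy loop far past the end of `rsp`; with it, the largest reply is 252 bytes.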
stephane Sep 25, 2013

Owner

Don't ask me why I didn't merge this important fix sooner (shame on me)!
I'll merge this fix this week with unit tests.


stephane added a commit that referenced this pull request Oct 6, 2013

Fix remote buffer overflow vulnerability (closes #25, #105)
It's strongly recommended to update your libmodbus library if you
use it in a slave/server application in an untrusted environment.

Debian package of libmodbus 3.0.4 already contains a patch to
mitigate the exploit but the patch isn't as strong as this one.

@stephane stephane closed this Oct 6, 2013

mk8 added a commit to mk8/libmodbus that referenced this pull request Jan 29, 2014

Fix remote buffer overflow vulnerability (closes #25, #105)