Fix VD-1301 and VD-1302 vulnerabilities

stephane · stephane · commit 2b5cb5896120 · 2019-07-29T01:55:25.000+02:00
This patch was contributed by Maor Vermucht and Or Peles from
VDOO Connected Trust.
diff --git a/src/modbus.c b/src/modbus.c
@@ -832,8 +832,9 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
         break;
     case _FC_WRITE_MULTIPLE_COILS: {
         int nb = (req[offset + 3] << 8) + req[offset + 4];
+        int nb_bits = req[offset + 5];
 
-        if (nb < 1 || MODBUS_MAX_WRITE_BITS < nb) {
+        if (nb < 1 || MODBUS_MAX_WRITE_BITS < nb || nb_bits * 8 < nb) {
             if (ctx->debug) {
                 fprintf(stderr,
                         "Illegal number of values %d in write_bits (max %d)\n",
@@ -842,7 +843,7 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
             rsp_length = response_exception(
                 ctx, &sft,
                 MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE, rsp);
-        } else if ((address + nb) > mb_mapping->nb_bits) {
+        } else if ((address + nb) > mb_mapping->nb_bits ) {
             if (ctx->debug) {
                 fprintf(stderr, "Illegal data address %0X in write_bits\n",
                         address + nb);
@@ -863,8 +864,9 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
         break;
     case _FC_WRITE_MULTIPLE_REGISTERS: {
         int nb = (req[offset + 3] << 8) + req[offset + 4];
+        int nb_bytes = req[offset + 5];
 
-        if (nb < 1 || MODBUS_MAX_WRITE_REGISTERS < nb) {
+        if (nb < 1 || MODBUS_MAX_WRITE_REGISTERS < nb || nb_bytes * 8 < nb) {
             if (ctx->debug) {
                 fprintf(stderr,
                         "Illegal number of values %d in write_registers (max %d)\n",
