WIP buffer overflow on received data
parent
dba38fc917
commit
dde2653cb8
32
nanomodbus.c
32
nanomodbus.c
@ -467,6 +467,10 @@ static nmbs_error recv_read_discrete_res(nmbs_t* nmbs, nmbs_bitfield values) {
|
|||||||
uint8_t coils_bytes = get_1(nmbs);
|
uint8_t coils_bytes = get_1(nmbs);
|
||||||
NMBS_DEBUG_PRINT("b %d\t", coils_bytes);
|
NMBS_DEBUG_PRINT("b %d\t", coils_bytes);
|
||||||
|
|
||||||
|
if (coils_bytes > 250) {
|
||||||
|
return NMBS_ERROR_INVALID_RESPONSE;
|
||||||
|
}
|
||||||
|
|
||||||
err = recv(nmbs, coils_bytes);
|
err = recv(nmbs, coils_bytes);
|
||||||
if (err != NMBS_ERROR_NONE)
|
if (err != NMBS_ERROR_NONE)
|
||||||
return err;
|
return err;
|
||||||
@ -499,6 +503,9 @@ static nmbs_error recv_read_registers_res(nmbs_t* nmbs, uint16_t quantity, uint1
|
|||||||
uint8_t registers_bytes = get_1(nmbs);
|
uint8_t registers_bytes = get_1(nmbs);
|
||||||
NMBS_DEBUG_PRINT("b %d\t", registers_bytes);
|
NMBS_DEBUG_PRINT("b %d\t", registers_bytes);
|
||||||
|
|
||||||
|
if (registers_bytes > 250)
|
||||||
|
return NMBS_ERROR_INVALID_RESPONSE;
|
||||||
|
|
||||||
err = recv(nmbs, registers_bytes);
|
err = recv(nmbs, registers_bytes);
|
||||||
if (err != NMBS_ERROR_NONE)
|
if (err != NMBS_ERROR_NONE)
|
||||||
return err;
|
return err;
|
||||||
@ -641,6 +648,9 @@ nmbs_error recv_read_file_record_res(nmbs_t* nmbs, uint16_t* registers, uint16_t
|
|||||||
return err;
|
return err;
|
||||||
|
|
||||||
uint8_t response_size = get_1(nmbs);
|
uint8_t response_size = get_1(nmbs);
|
||||||
|
if (response_size > 245) {
|
||||||
|
return NMBS_ERROR_INVALID_RESPONSE;
|
||||||
|
}
|
||||||
|
|
||||||
err = recv(nmbs, response_size);
|
err = recv(nmbs, response_size);
|
||||||
if (err != NMBS_ERROR_NONE)
|
if (err != NMBS_ERROR_NONE)
|
||||||
@ -680,6 +690,8 @@ nmbs_error recv_write_file_record_res(nmbs_t* nmbs, uint16_t file_number, uint16
|
|||||||
return err;
|
return err;
|
||||||
|
|
||||||
uint8_t response_size = get_1(nmbs);
|
uint8_t response_size = get_1(nmbs);
|
||||||
|
if (response_size > 251)
|
||||||
|
return NMBS_ERROR_INVALID_RESPONSE;
|
||||||
|
|
||||||
err = recv(nmbs, response_size);
|
err = recv(nmbs, response_size);
|
||||||
if (err != NMBS_ERROR_NONE)
|
if (err != NMBS_ERROR_NONE)
|
||||||
@ -995,6 +1007,9 @@ static nmbs_error handle_write_multiple_coils(nmbs_t* nmbs) {
|
|||||||
|
|
||||||
NMBS_DEBUG_PRINT("a %d\tq %d\tb %d\tcoils ", address, quantity, coils_bytes);
|
NMBS_DEBUG_PRINT("a %d\tq %d\tb %d\tcoils ", address, quantity, coils_bytes);
|
||||||
|
|
||||||
|
if (coils_bytes > 246)
|
||||||
|
return NMBS_ERROR_INVALID_REQUEST;
|
||||||
|
|
||||||
err = recv(nmbs, coils_bytes);
|
err = recv(nmbs, coils_bytes);
|
||||||
if (err != NMBS_ERROR_NONE)
|
if (err != NMBS_ERROR_NONE)
|
||||||
return err;
|
return err;
|
||||||
@ -1023,7 +1038,8 @@ static nmbs_error handle_write_multiple_coils(nmbs_t* nmbs) {
|
|||||||
return send_exception_msg(nmbs, NMBS_EXCEPTION_ILLEGAL_DATA_VALUE);
|
return send_exception_msg(nmbs, NMBS_EXCEPTION_ILLEGAL_DATA_VALUE);
|
||||||
|
|
||||||
if (nmbs->callbacks.write_multiple_coils) {
|
if (nmbs->callbacks.write_multiple_coils) {
|
||||||
err = nmbs->callbacks.write_multiple_coils(address, quantity, coils, nmbs->msg.unit_id, nmbs->callbacks.arg);
|
err = nmbs->callbacks.write_multiple_coils(address, quantity, coils, nmbs->msg.unit_id,
|
||||||
|
nmbs->callbacks.arg);
|
||||||
if (err != NMBS_ERROR_NONE) {
|
if (err != NMBS_ERROR_NONE) {
|
||||||
if (nmbs_error_is_exception(err))
|
if (nmbs_error_is_exception(err))
|
||||||
return send_exception_msg(nmbs, err);
|
return send_exception_msg(nmbs, err);
|
||||||
@ -1072,6 +1088,9 @@ static nmbs_error handle_write_multiple_registers(nmbs_t* nmbs) {
|
|||||||
if (err != NMBS_ERROR_NONE)
|
if (err != NMBS_ERROR_NONE)
|
||||||
return err;
|
return err;
|
||||||
|
|
||||||
|
if (registers_bytes > 246)
|
||||||
|
return NMBS_ERROR_INVALID_REQUEST;
|
||||||
|
|
||||||
uint16_t registers[0x007B];
|
uint16_t registers[0x007B];
|
||||||
for (int i = 0; i < registers_bytes / 2; i++) {
|
for (int i = 0; i < registers_bytes / 2; i++) {
|
||||||
registers[i] = get_2(nmbs);
|
registers[i] = get_2(nmbs);
|
||||||
@ -1136,6 +1155,8 @@ static nmbs_error handle_read_file_record(nmbs_t* nmbs) {
|
|||||||
return err;
|
return err;
|
||||||
|
|
||||||
uint8_t request_size = get_1(nmbs);
|
uint8_t request_size = get_1(nmbs);
|
||||||
|
if (request_size > 245)
|
||||||
|
return NMBS_ERROR_INVALID_REQUEST;
|
||||||
|
|
||||||
err = recv(nmbs, request_size);
|
err = recv(nmbs, request_size);
|
||||||
if (err != NMBS_ERROR_NONE)
|
if (err != NMBS_ERROR_NONE)
|
||||||
@ -1244,6 +1265,9 @@ static nmbs_error handle_write_file_record(nmbs_t* nmbs) {
|
|||||||
return err;
|
return err;
|
||||||
|
|
||||||
uint8_t request_size = get_1(nmbs);
|
uint8_t request_size = get_1(nmbs);
|
||||||
|
if (request_size > 251) {
|
||||||
|
return NMBS_ERROR_INVALID_REQUEST;
|
||||||
|
}
|
||||||
|
|
||||||
err = recv(nmbs, request_size);
|
err = recv(nmbs, request_size);
|
||||||
if (err != NMBS_ERROR_NONE)
|
if (err != NMBS_ERROR_NONE)
|
||||||
@ -1358,6 +1382,9 @@ static nmbs_error handle_read_write_registers(nmbs_t* nmbs) {
|
|||||||
NMBS_DEBUG_PRINT("ra %d\trq %d\t wa %d\t wq %d\t b %d\tregs ", read_address, read_quantity, write_address,
|
NMBS_DEBUG_PRINT("ra %d\trq %d\t wa %d\t wq %d\t b %d\tregs ", read_address, read_quantity, write_address,
|
||||||
write_quantity, byte_count_write);
|
write_quantity, byte_count_write);
|
||||||
|
|
||||||
|
if (byte_count_write > 242)
|
||||||
|
return NMBS_ERROR_INVALID_REQUEST;
|
||||||
|
|
||||||
err = recv(nmbs, byte_count_write);
|
err = recv(nmbs, byte_count_write);
|
||||||
if (err != NMBS_ERROR_NONE)
|
if (err != NMBS_ERROR_NONE)
|
||||||
return err;
|
return err;
|
||||||
@ -1576,8 +1603,7 @@ nmbs_error nmbs_server_poll(nmbs_t* nmbs) {
|
|||||||
return NMBS_ERROR_NONE;
|
return NMBS_ERROR_NONE;
|
||||||
}
|
}
|
||||||
|
|
||||||
void nmbs_set_callbacks_arg(nmbs_t* nmbs, void* arg)
|
void nmbs_set_callbacks_arg(nmbs_t* nmbs, void* arg) {
|
||||||
{
|
|
||||||
nmbs->callbacks.arg = arg;
|
nmbs->callbacks.arg = arg;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
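Review bot: In the `handle_write_multiple_registers` hunk the added `if (registers_bytes > 246)` sits after an `err` check and directly before the `registers[0x007B]` loop, whereas every other hunk in this file places its bound immediately before the `recv(nmbs, …)` of the declared length. The `recv` that this `err` check belongs to is outside the hunk; if it is the read of `registers_bytes` bytes, the oversized payload has already been copied into the message buffer by the time the check runs, and the check then only protects the local array. Moving the two added lines above that `recv` call would make this handler match the others. The limits 250, 245, 251, 246 and 242 are also bare literals; a short comment on each, or a constant derived from the message buffer size, stating how the value was computed would let a reader confirm them.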
|
|||||||
@ -54,6 +54,7 @@ extern "C" {
|
|||||||
*/
|
*/
|
||||||
typedef enum nmbs_error {
|
typedef enum nmbs_error {
|
||||||
// Library errors
|
// Library errors
|
||||||
|
NMBS_ERROR_INVALID_REQUEST = -8, /**< Received invalid request from client */
|
||||||
NMBS_ERROR_INVALID_UNIT_ID = -7, /**< Received invalid unit ID in response from server */
|
NMBS_ERROR_INVALID_UNIT_ID = -7, /**< Received invalid unit ID in response from server */
|
||||||
NMBS_ERROR_INVALID_TCP_MBAP = -6, /**< Received invalid TCP MBAP */
|
NMBS_ERROR_INVALID_TCP_MBAP = -6, /**< Received invalid TCP MBAP */
|
||||||
NMBS_ERROR_CRC = -5, /**< Received invalid CRC */
|
NMBS_ERROR_CRC = -5, /**< Received invalid CRC */
|
||||||
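Review bot: The comment on the new `NMBS_ERROR_INVALID_REQUEST = -8` does not tell the caller of the server poll function what state the connection is in when this value comes back. The handlers in nanomodbus.c that use it in front of a `recv` (for example `handle_read_file_record`) return before reading the declared payload, so the rest of the oversized frame may still be waiting in the transport. If that is the intended behaviour, say so in the doc comment, e.g. `/**< Received invalid request from client; the remaining request bytes are not consumed */`, so that an application knows to flush or close the link. No hunk on this page adds the new value to an error-to-string mapping, so check whether the library has one that needs a matching case.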
|
|||||||
@ -934,7 +934,7 @@ void test_fc20(nmbs_transport transport) {
|
|||||||
expect(registers[2] == 0xAA55);
|
expect(registers[2] == 0xAA55);
|
||||||
expect(registers[3] == 0xFFFF);
|
expect(registers[3] == 0xFFFF);
|
||||||
|
|
||||||
check(nmbs_read_file_record(&CLIENT, 255, 9999, registers, 124));
|
check(nmbs_read_file_record(&CLIENT, 255, 9999, registers, 120));
|
||||||
expect(registers[123] == 42);
|
expect(registers[123] == 42);
|
||||||
|
|
||||||
stop_client_and_server();
|
stop_client_and_server();
|
||||||
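Review bot: With the read reduced to 120 registers (assuming 120 is the new side of the changed line), the unchanged `expect(registers[123] == 42);` that follows checks an element this call does not appear to fill, so it passes or fails on whatever an earlier call left in the array. Point it at an index inside the returned range, for example `expect(registers[119] == 42);` if the server callback fills every register with 42, which is not visible here. The section also adds no case that sends a byte count above the new limits and expects `NMBS_ERROR_INVALID_RESPONSE` or `NMBS_ERROR_INVALID_REQUEST`, which is the behaviour this commit introduces. `test_fc20` starts and ends outside the hunk.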
|
|||||||