-
Notifications
You must be signed in to change notification settings - Fork 229
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potential heap buffer overflow in modbus.c #365
Labels
Comments
tinajohnson
added a commit
to tinajohnson/libplctag
that referenced
this issue
Jun 30, 2022
kyle-github
pushed a commit
that referenced
this issue
Jul 1, 2022
Thanks for reporting this and the PR! Did you use some tooling to find these issues? I need to go through my code again as I am certain I had checks on some of this stuff before. I have made a release with your fixes and another fix that was identified when I tried to merge your PRs. |
kyle-github
added a commit
that referenced
this issue
Sep 24, 2022
…rrect comparison (#383) * Add condition to fail tag creation when elem_count is a negative value. (#366) Fixes #365 * Change CI build to use Visual Studio 17 2022. Apparently version 16 is gone on Github? * Add checks to prevent out-of-bounds write on tag->encoded_name (#368) Fixes #367 * Update stable vs. unstable versions. * Bump version for next release. * Fix 378. Refactor condition var signal into common exit path of state SESSION_OPEN_SOCKET_START. * Fix 381. Incorrect comparison in loop guarding cond_wait from spurious wakeups. * Add null terminator to tag->name string (#372) Fixes #371 Co-authored-by: Tina Johnson <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
There's a heap buffer overflow vulnerability in the
create_tag_object
function ofsrc/protocols/mb/modbus.c
. The variableelem_count
is user input and thus can be a negative value. Whenelem_count
is a negative value,data_size
variable will also be a negative value and the allocation oftag
object at line 365 will result in an object of size lesser than thesizeof(struct modbus_tag_t)
. Sincetag
object is expected to have a minimum size ofsizeof(struct modbus_tag_t)
, there will be heap buffer overflows when there are writes to certain struct elements that were not allocated. For example, the stack trace below shows a crash produced by AddressSanitizer at line 375 where there is a write to(*tag)->reg_base
andelem_count
is -627.Stack trace:
The text was updated successfully, but these errors were encountered: