Fix insecure data handling
CID 416366: INTEGER_OVERFLOW found with Coverity Scan.
stephane committed Sep 2, 2024
1 parent 957fa7b commit cbb0ab9
Showing 1 changed file with 14 additions and 2 deletions.
16 changes: 14 additions & 2 deletions src/modbus-tcp.c
Expand Up @@ -16,6 +16,8 @@

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <limits.h>
#include <string.h>
#include <errno.h>
#ifndef _MSC_VER
Expand Down Expand Up @@ -478,7 +480,9 @@ static void _modbus_tcp_close(modbus_t *ctx)
static int _modbus_tcp_flush(modbus_t *ctx)
{
int rc;
int rc_sum = 0;
// Use an unsigned 16-bit integer to reduce overflow risk. The flush function
// is not expected to handle huge amounts of data (> 2GB).
uint16_t rc_sum = 0;

do {
/* Extract the garbage from the socket */
Expand All @@ -505,7 +509,15 @@ static int _modbus_tcp_flush(modbus_t *ctx)
}
#endif
if (rc > 0) {
rc_sum += rc;
// Check for overflow before adding
if (rc_sum <= UINT16_MAX - rc) {
rc_sum += rc;
} else {
// Handle overflow
ctx->error_recovery = MODBUS_ERROR_RECOVERY_PROTOCOL;
errno = EOVERFLOW;
return -1;
}
}
} while (rc == MODBUS_TCP_MAX_ADU_LENGTH);

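Review bot: The new accumulator `uint16_t rc_sum` caps a flush at 65535 bytes, which contradicts the comment's "> 2GB" and means a peer that leaves more than 64 KiB of stale data on the socket now makes `_modbus_tcp_flush` fail with `EOVERFLOW` instead of draining it. The overflow branch also overwrites `ctx->error_recovery` with `MODBUS_ERROR_RECOVERY_PROTOCOL`, which looks like a configuration field rather than a status, so an error path would silently change the caller's recovery setting; I would drop that assignment. Keeping the counter as `int rc_sum = 0;` and guarding with `if (rc_sum > INT_MAX - rc) { errno = EOVERFLOW; return -1; }` addresses the Coverity finding at the function's real limit and gives the added `<limits.h>` include a purpose. The loop body and the return statement lie partly outside the visible hunks, so how `rc_sum` is returned is inferred from the `static int` signature.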
