From cbb0ab9c8fc6e8e3d37d77ef2677f79c16b2c56e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Raimbault?=
Date: Tue, 3 Sep 2024 00:05:14 +0200
Subject: [PATCH] Fix insecure data handling

CID 416366: INTEGER_OVERFLOW found with Coverity Scan.
---
 src/modbus-tcp.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/modbus-tcp.c b/src/modbus-tcp.c
index 31bbfcaf..733a4a96 100644
--- a/src/modbus-tcp.c
+++ b/src/modbus-tcp.c
@@ -16,6 +16,8 @@
 #include
 #include
+#include
+#include
 #include
 #include
 #ifndef _MSC_VER
@@ -478,7 +480,9 @@ static void _modbus_tcp_close(modbus_t *ctx)
 static int _modbus_tcp_flush(modbus_t *ctx)
 {
     int rc;
-    int rc_sum = 0;
+    // Use an unsigned 16-bit integer to reduce overflow risk. The flush function
+    // is not expected to handle huge amounts of data (> 2GB).
+    uint16_t rc_sum = 0;
 
     do {
         /* Extract the garbage from the socket */
@@ -505,7 +509,15 @@ static int _modbus_tcp_flush(modbus_t *ctx)
         }
 #endif
         if (rc > 0) {
-            rc_sum += rc;
+            // Check for overflow before adding
+            if (rc_sum <= UINT16_MAX - rc) {
+                rc_sum += rc;
+            } else {
+                // Handle overflow
+                ctx->error_recovery = MODBUS_ERROR_RECOVERY_PROTOCOL;
+                errno = EOVERFLOW;
+                return -1;
+            }
         }
     } while (rc == MODBUS_TCP_MAX_ADU_LENGTH);
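Review bot: The new comment on `rc_sum` says the flush is not expected to handle more than 2 GB, but `uint16_t` caps the counter at 65535 bytes, so the comment and the actual limit disagree. The narrowing also lowers the ceiling from INT_MAX to 64 KiB, so a socket holding more than 64 KiB of pending garbage now makes the flush fail instead of draining it (the failure path is in the third hunk). If the goal is only to remove the signed-overflow finding, keeping the original `int` counter and saturating preserves the old behaviour: `if (rc_sum <= INT_MAX - rc) { rc_sum += rc; } /* else saturate but keep draining */` in place of the bare addition, with the comment rewritten to say the returned byte count saturates at INT_MAX (add `<limits.h>` if it is not already included). The function's `return` lies outside this hunk, so the meaning of a saturated return value should be documented there.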
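Review bot: The overflow branch writes `ctx->error_recovery = MODBUS_ERROR_RECOVERY_PROTOCOL;`, which appears to overwrite the recovery mode the user configured through modbus_set_error_recovery, as a side effect of a flush. After a single overflow the context would run with protocol recovery only — silently dropping a LINK mode the caller asked for, or enabling protocol recovery the caller never enabled — and nothing restores the previous value. A flush that cannot count further should not change library configuration; the branch should reduce to `errno = EOVERFLOW; return -1;`, or preferably the counter should saturate and keep draining so this error path is not needed at all. Callers of the flush path presumably do not expect EOVERFLOW today, so if the error is kept its meaning should be documented on the function. The function's closing `return` is outside this hunk.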