From 790ff6dad16b70e68804a2d53ad54db40412e889 Mon Sep 17 00:00:00 2001
From: Michael Heimpold
Date: Sat, 8 Jan 2022 20:00:50 +0100
Subject: [PATCH] modbus_reply: fix copy & paste error in sanity check (fixes #614)

[ Upstream commit b4ef4c17d618eba0adccc4c7d9e9a1ef809fc9b6 ]

While handling MODBUS_FC_WRITE_AND_READ_REGISTERS, both address offsets must be checked, i.e. the read and the write address must be within the mapping range. At the moment, only the read address was considered, it looks like a simple copy and paste error, so let's fix it.

CVE: CVE-2022-0367
Signed-off-by: Michael Heimpold
---
 src/modbus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/modbus.c b/src/modbus.c
index 68a28a3..c871152 100644
--- a/src/modbus.c
+++ b/src/modbus.c
@@ -961,7 +961,7 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
 nb_write, nb, MODBUS_MAX_WR_WRITE_REGISTERS, MODBUS_MAX_WR_READ_REGISTERS);
 } else if (mapping_address < 0 ||
 (mapping_address + nb) > mb_mapping->nb_registers ||
- mapping_address < 0 ||
+ mapping_address_write < 0 ||
 (mapping_address_write + nb_write) > mb_mapping->nb_registers) {
 rsp_length = response_exception(
 ctx, &sft, MODBUS_EXCEPTION_ILLEGAL_DATA_ADDRESS, rsp, FALSE,
-- 
2.39.1
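Review bot: The corrected `mapping_address_write < 0` clause in the `else if` condition ships without a regression test (the diffstat lists only src/modbus.c), so the same four-clause condition could regress unnoticed. A unit test would pin the behaviour: send a write-and-read request whose read range is valid but whose write range lies outside the mapping, and expect MODBUS_EXCEPTION_ILLEGAL_DATA_ADDRESS. A one-line comment above the condition, e.g. `/* read range and write range are each checked against nb_registers */`, would also make the paired clauses easier to audit. modbus_reply begins and ends outside the hunk, so the code that uses mapping_address_write after this check is not visible here. Presumably it indexes the register table, which would make the lower-bound check a memory-safety guard and not just protocol validation.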