|
|
@@ -839,9 +839,10 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
|
|
|
break;
|
|
|
case MODBUS_FC_WRITE_MULTIPLE_COILS: {
|
|
|
int nb = (req[offset + 3] << 8) + req[offset + 4];
|
|
|
+ int nb_bits = req[offset + 5];
|
|
|
int mapping_address = address - mb_mapping->start_bits;
|
|
|
|
|
|
- if (nb < 1 || MODBUS_MAX_WRITE_BITS < nb) {
|
|
|
+ if (nb < 1 || MODBUS_MAX_WRITE_BITS < nb || nb_bits * 8 < nb) {
|
|
|
/* May be the indication has been truncated on reading because of
|
|
|
* invalid address (eg. nb is 0 but the request contains values to
|
|
|
* write) so it's necessary to flush. */
|
|
|
@@ -870,9 +871,10 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
|
|
|
break;
|
|
|
case MODBUS_FC_WRITE_MULTIPLE_REGISTERS: {
|
|
|
int nb = (req[offset + 3] << 8) + req[offset + 4];
|
|
|
+ int nb_bytes = req[offset + 5];
|
|
|
int mapping_address = address - mb_mapping->start_registers;
|
|
|
|
|
|
- if (nb < 1 || MODBUS_MAX_WRITE_REGISTERS < nb) {
|
|
|
+ if (nb < 1 || MODBUS_MAX_WRITE_REGISTERS < nb || nb_bytes * 8 < nb) {
|
|
|
rsp_length = response_exception(
|
|
|
ctx, &sft, MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE, rsp, TRUE,
|
|
|
"Illegal number of values %d in write_registers (max %d)\n",
|
Stéphane Raimbault