Instead of these events being generated for invalid byte count values
(they should always be even, not odd), a protocol_violation is raised.
modbus_read_holding_registers_response
modbus_read_input_registers_response
modbus_write_multiple_registers_request
modbus_read_write_multiple_registers_request
modbus_read_write_multiple_registers_response
modbus_read_fifo_queue_respons
For modbus message types that include variable amount of register values
(uint16[]), setting a &length attribute without an explicit array size
could trigger a parsing assertion since it allows for the "element" data
pointer to travel past the "end of data" (e.g. when &length is odd).
This is changed to now give both an array size and &length to earlier
terminate the parsing of elements before the assert is checked and
so a single out-of-bound check can be done for the entire array
(leaving off &length causes an out-of-bound check for each element).
Added another parameter to modbus events that carry register arrays to
the script-layer which indicates the associated byte count from the
message (allowing for invalid values to be detected):
modbus_read_holding_registers_response
modbus_read_input_registers_response
modbus_write_multiple_registers_request
modbus_read_write_multiple_registers_request
modbus_read_write_multiple_registers_response
modbus_read_fifo_queue_response
* remotes/origin/topic/seth/modbus-merge:
Small modbus documentation update and tiny refactoring.
Final touches to modbus analyzer for now.
Major revisions to Modbus analyzer support (not quite done yet).
put some make-up on Modbus analyser
Modbus analyser, added support: FC=20,21
Modbus analyzer,added support: FC=1,2,15,24
Modbus analyzer, current support: FC=3,4,5,6,7,16,22,23
Closes#915.
- There are still some broken events in the modbus analyzer because
I don't have traffic to test with (coil and record related events primarily).
- There are a few example scripts in policy/protocols/modbus
