Hi, I'm attaching an updated patch, already prepared as NMU.
Feel free to upload it yourself. I can also do it, if you want. Thanks, Roland
diff -ruN libmodbus-3.0.2.orig/debian/changelog libmodbus-3.0.2/debian/changelog
--- libmodbus-3.0.2.orig/debian/changelog 2012-02-20 17:18:40.000000000 +0100
+++ libmodbus-3.0.2/debian/changelog 2012-03-30 09:47:16.000000000 +0200
@@ -1,3 +1,11 @@
+libmodbus (3.0.2-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Added patch: Fix crash by adding length checks (Closes: #664740)
+ thanks to Josef Holzmayr
+
+ -- Roland Stigge <sti...@antcom.de> Fri, 30 Mar 2012 09:45:51 +0200
+
 libmodbus (3.0.2-1) unstable; urgency=low
 
 * New upstream release
diff -ruN libmodbus-3.0.2.orig/debian/patches/01-add-length-checks.patch libmodbus-3.0.2/debian/patches/01-add-length-checks.patch
--- libmodbus-3.0.2.orig/debian/patches/01-add-length-checks.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmodbus-3.0.2/debian/patches/01-add-length-checks.patch 2012-03-30 09:54:51.000000000 +0200
@@ -0,0 +1,88 @@
+Description: Fix crash with length check on long reads
+ Long read requests, e.g. 140 bytes, can make libmodbus crash. This patch fixes
+ it.
+Author: Josef Holzmayr <holzm...@rsi-elektrotechnik.de>
+Bug-Debian: http://bugs.debian.org/664740
+
+---
+ src/modbus.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/src/modbus.c b/src/modbus.c
+index 2860d29..ccee878 100644
+--- a/src/modbus.c
++++ b/src/modbus.c
+@@ -662,7 +662,8 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
+ case _FC_READ_COILS: {
+ int nb = (req[offset + 3] << 8) + req[offset + 4];
+
+- if ((address + nb) > mb_mapping->nb_bits) {
++ if ((address + nb) > mb_mapping->nb_bits ||
++ nb > MODBUS_MAX_READ_BITS) {
+ if (ctx->debug) {
+ fprintf(stderr, "Illegal data address %0X in read_bits\n",
+ address + nb);
+@@ -684,7 +685,8 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
+ * function) */
+ int nb = (req[offset + 3] << 8) + req[offset + 4];
+
+- if ((address + nb) > mb_mapping->nb_input_bits) {
++ if ((address + nb) > mb_mapping->nb_input_bits ||
++ nb > MODBUS_MAX_READ_BITS) {
+ if (ctx->debug) {
+ fprintf(stderr, "Illegal data address %0X in read_input_bits\n",
+ address + nb);
+@@ -704,7 +706,8 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
+ case _FC_READ_HOLDING_REGISTERS: {
+ int nb = (req[offset + 3] << 8) + req[offset + 4];
+
+- if ((address + nb) > mb_mapping->nb_registers) {
++ if ((address + nb) > mb_mapping->nb_registers ||
++ nb > MODBUS_MAX_READ_REGISTERS) {
+ if (ctx->debug) {
+ fprintf(stderr, "Illegal data address %0X in read_registers\n",
+ address + nb);
+@@ -729,7 +732,8 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
+ * function) */
+ int nb = (req[offset + 3] << 8) + req[offset + 4];
+
+- if ((address + nb) > mb_mapping->nb_input_registers) {
++ if ((address + nb) > mb_mapping->nb_input_registers ||
++ nb > MODBUS_MAX_READ_REGISTERS) {
+ if (ctx->debug) {
+ fprintf(stderr, "Illegal data address %0X in read_input_registers\n",
+ address + nb);
+@@ -797,7 +801,8 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
+ case _FC_WRITE_MULTIPLE_COILS: {
+ int nb = (req[offset + 3] << 8) + req[offset + 4];
+
+- if ((address + nb) > mb_mapping->nb_bits) {
++ if ((address + nb) > mb_mapping->nb_bits ||
++ nb > MODBUS_MAX_WRITE_BITS) {
+ if (ctx->debug) {
+ fprintf(stderr, "Illegal data address %0X in write_bits\n",
+ address + nb);
+@@ -819,7 +824,8 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
+ case _FC_WRITE_MULTIPLE_REGISTERS: {
+ int nb = (req[offset + 3] << 8) + req[offset + 4];
+
+- if ((address + nb) > mb_mapping->nb_registers) {
++ if ((address + nb) > mb_mapping->nb_registers ||
++ nb > MODBUS_MAX_WRITE_REGISTERS) {
+ if (ctx->debug) {
+ fprintf(stderr, "Illegal data address %0X in write_registers\n",
+ address + nb);
+@@ -873,7 +879,9 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req,
+ int nb_write = (req[offset + 7] << 8) + req[offset + 8];
+
+ if ((address + nb) > mb_mapping->nb_registers ||
+- (address_write + nb_write) > mb_mapping->nb_registers) {
++ (address_write + nb_write) > mb_mapping->nb_registers ||
++ nb > MODBUS_MAX_RW_WRITE_REGISTERS ||
++ nb_write > MODBUS_MAX_RW_WRITE_REGISTERS) {
+ if (ctx->debug) {
+ fprintf(stderr,
+ "Illegal data read address %0X or write address %0X write_and_read_registers\n",
+--
+1.7.9.4
+
diff -ruN libmodbus-3.0.2.orig/debian/patches/series libmodbus-3.0.2/debian/patches/series
--- libmodbus-3.0.2.orig/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libmodbus-3.0.2/debian/patches/series 2012-03-30 09:47:52.000000000 +0200
@@ -0,0 +1 @@
+01-add-length-checks.patch
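Review bot: In the `@@ -873` hunk (write_and_read_registers) the read count `nb` is bounded by `MODBUS_MAX_RW_WRITE_REGISTERS`, the limit meant for the written block, although the Modbus specification lets FC 23 read up to 125 registers while writing at most 121; if the library's constants follow the spec, conformant requests reading 122–125 registers are now rejected. The read half of that response is no larger than a plain register read, so `nb > MODBUS_MAX_READ_REGISTERS || nb_write > MODBUS_MAX_RW_WRITE_REGISTERS` would keep the buffer protection without breaking such clients. In every hunk the new quantity test shares the branch that reports an illegal data address, so a request whose count is merely too large presumably receives the same exception as an out-of-range address, whereas the spec expects an illegal-data-value exception for a bad quantity; the exception call itself lies outside the hunks, so confirm before changing it. None of the checks rejects `nb == 0`, which the spec also treats as an invalid quantity, though it causes no out-of-bounds access here. `modbus_reply` begins and ends outside these hunks.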