Conversation

@PGZXB PGZXB commented Feb 11, 2026

Fixes #837

The root cause of the stack-buffer-overflow is that modbus_reply() unconditionally reads two bytes after the function code to compute the address variable. However, for some function codes (like MODBUS_FC_REPORT_SLAVE_ID or MODBUS_FC_READ_EXCEPTION_STATUS) or malformed short packets, these bytes may not exist in the request buffer, leading to an out-of-bounds read.

To fix this, we must ensure that the request buffer contains enough data before attempting to read the address. Since most Modbus functions require an address, we will initialize address to 0 and only perform the 16-bit decoding if the req_length is sufficient. Additionally, we should add a check for function codes that require an address but were sent in a packet too short to contain one. This prevents the logic from proceeding with a default address of 0 when the packet is truncated.

Verification Before Fix

Running the PoC triggers AddressSanitizer error:

=================================================================
==4172==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f0bcbc00058 at pc 0x55d20fd2cdcc bp 0x7ffceedf1f10 sp 0x7ffceedf1f08
READ of size 1 at 0x7f0bcbc00058 thread T0
    #0 0x55d20fd2cdcb in modbus_reply /src/libmodbus/src/modbus.c:803:16
    #1 0x55d20fd29ada in main /src/libmodbus/tests/asan-net-server.c:37:5
    #2 0x7f0bce109082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #3 0x55d20fc5349d in _start (/tmp/asan-net-server+0x2e49d)

Address 0x7f0bcbc00058 is located in stack of thread T0 at offset 88 in frame
    #0 0x55d20fd2980f in main /src/libmodbus/tests/asan-net-server.c:10

  This frame has 3 object(s):
    [32, 36) 'enable' (line 12)
    [48, 64) 'addr' (line 16)
    [80, 88) 'req' (line 29) <== Memory access at offset 88 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /src/libmodbus/src/modbus.c:803:16 in modbus_reply
Shadow bytes around the buggy address:
  0x7f0bcbbffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f0bcbbffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f0bcbbffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f0bcbbfff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f0bcbbfff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7f0bcbc00000: f1 f1 f1 f1 04 f2 00 00 f2 f2 00[f3]f3 f3 f3 f3
  0x7f0bcbc00080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f0bcbc00100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f0bcbc00180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f0bcbc00200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f0bcbc00280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4172==ABORTING

Verification After Fix

Running the PoC:

# No output.
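The pattern the PR describes (read the two bytes after the function code only when `req_length` covers them, default the address to 0, and refuse address-carrying function codes in packets too short to hold an address) as an added, stand-alone C example. This is not libmodbus code and none of the names below (`decode_request`, `decode_address_unchecked`, `fc_needs_address`, `run_checks`, `MODBUS_TCP_HEADER_LENGTH`) are libmodbus identifiers; the function-code values are the Modbus spec values, the header offset of 7 is the Modbus TCP (MBAP) layout, and the sample requests are constructed, not captured. The 8-byte `req` in the ASan frame above with the faulting access at offset 8 is consistent with that layout: MBAP plus function code, and the first address byte read one past the end.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Function codes (numbering as in the Modbus spec). */
#define MODBUS_FC_READ_COILS             0x01
#define MODBUS_FC_READ_HOLDING_REGISTERS 0x03
#define MODBUS_FC_READ_EXCEPTION_STATUS  0x07
#define MODBUS_FC_REPORT_SLAVE_ID        0x11

/* Assumed Modbus TCP header length: MBAP = transaction id (2), protocol id (2),
   length (2), unit id (1). The function code sits at req[7]; a 16-bit address,
   when the function carries one, at req[8..9]. */
#define MODBUS_TCP_HEADER_LENGTH 7

typedef struct {
    bool     ok;          /* false: request rejected (too short for its function code) */
    uint8_t  fc;
    bool     has_address; /* true if this function code carries an address field */
    uint16_t address;     /* 0 when absent */
} decoded_req_t;

/* Hypothetical helper: function codes that carry no address after the FC. */
static bool fc_needs_address(uint8_t fc)
{
    return fc != MODBUS_FC_READ_EXCEPTION_STATUS && fc != MODBUS_FC_REPORT_SLAVE_ID;
}

/* Pre-fix shape of the logic: the two bytes after the function code are read
   unconditionally. On an 8-byte request (MBAP + FC only) this reads req[8] and
   req[9], past the end of the buffer. Only called on complete packets below. */
static uint16_t decode_address_unchecked(const uint8_t *req, size_t offset)
{
    return (uint16_t)((req[offset + 1] << 8) | req[offset + 2]);
}

/* Hardened decode: address defaults to 0, is only read when req_length covers
   it, and a function code that needs an address is refused when the packet is
   too short to contain one, instead of silently proceeding with address 0. */
static decoded_req_t decode_request(const uint8_t *req, size_t req_length, size_t offset)
{
    decoded_req_t out = {0};
    if (req_length < offset + 1) {
        return out;                 /* not even a function code present */
    }
    out.fc = req[offset];
    out.has_address = fc_needs_address(out.fc);
    if (req_length >= offset + 3) {
        out.address = (uint16_t)((req[offset + 1] << 8) | req[offset + 2]);
    } else if (out.has_address) {
        return out;                 /* truncated: reject, ok stays false */
    }
    out.ok = true;
    return out;
}

/* Constructed sample requests (not captured traffic). */
/* Complete FC 0x03 request: start address 0x0010, quantity 2. */
static const uint8_t req_full[] = {0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x01,
                                   0x03, 0x00, 0x10, 0x00, 0x02};
/* 8-byte FC 0x11 request: MBAP + function code, nothing after it. */
static const uint8_t req_report_slave_id[] = {0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x01, 0x11};
/* Malformed: FC 0x03 with its address bytes cut off. */
static const uint8_t req_truncated[] = {0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x01, 0x03};

/* Runs the three cases and returns how many behaved as intended. */
static int run_checks(void)
{
    int passed = 0;
    decoded_req_t d;

    d = decode_request(req_full, sizeof req_full, MODBUS_TCP_HEADER_LENGTH);
    if (d.ok && d.fc == MODBUS_FC_READ_HOLDING_REGISTERS && d.address == 0x0010 &&
        d.address == decode_address_unchecked(req_full, MODBUS_TCP_HEADER_LENGTH)) {
        passed++;   /* complete packet: checked and unchecked paths agree */
    }
    d = decode_request(req_report_slave_id, sizeof req_report_slave_id, MODBUS_TCP_HEADER_LENGTH);
    if (d.ok && d.fc == MODBUS_FC_REPORT_SLAVE_ID && !d.has_address && d.address == 0) {
        passed++;   /* no address field: accepted with address 0, no read past the end */
    }
    d = decode_request(req_truncated, sizeof req_truncated, MODBUS_TCP_HEADER_LENGTH);
    if (!d.ok) {
        passed++;   /* address required but absent: rejected, not defaulted to 0 */
    }
    return passed;
}

int main(void)
{
    int passed = run_checks();
    printf("%d of 3 checks passed\n", passed);
    return passed == 3 ? 0 : 1;
}
```

The offset parameter stands in for the per-backend header length (7 for TCP, 1 for RTU), so the same check covers both transports; the only thing the decode needs to know per function code is whether an address field is expected at all.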

cla-bot bot commented Feb 11, 2026

We require contributors to sign our Contributor License Agreement. In order for us to review and merge your code, please fill https://forms.gle/5635zjphDo5JEJQSA to get added. Your document will be manually checked by the maintainer. Be patient...


PGZXB commented Feb 11, 2026

We require contributors to sign our Contributor License Agreement. In order for us to review and merge your code, please fill https://forms.gle/5635zjphDo5JEJQSA to get added. Your document will be manually checked by the maintainer. Be patient...

I’ve filled out the form.

Development

Successfully merging this pull request may close these issues.

A potential Out-of-Bounds Read issue in modbus_reply