fix: Validate frame size in QModbusAduRtu and QModbusAduTcp classes

sanny32 · sanny32 · commit 5f464ee88449 · 2026-03-21T19:08:28.000+03:00
diff --git a/src/qmodbusadurtu.h b/src/qmodbusadurtu.h
@@ -10,6 +10,9 @@
 class QModbusAduRtu : public QModbusAdu
 {
 public:
+    /// Minimum RTU frame size: address(1) + function(1) + data(0+) + CRC(2)
+    static constexpr int MinRtuFrameSize = 4;
+
     explicit QModbusAduRtu(const QByteArray& rawData)
         : QModbusAdu()
     {
@@ -21,6 +24,8 @@ class QModbusAduRtu : public QModbusAdu
     /// \return
     ///
     bool isValid() const override {
+        if (_data.size() < MinRtuFrameSize)
+            return false;
         return matchingChecksum() && _pdu.isValid();
     }
 
@@ -30,15 +35,23 @@ class QModbusAduRtu : public QModbusAdu
     ///
     void setRawData(const QByteArray& data) override {
         _data = data;
-        _pdu.setFunctionCode(QModbusPdu::FunctionCode((quint8)_data[1]));
-        _pdu.setData(_data.mid(2, _data.size() - 4));
+        if (_data.size() >= MinRtuFrameSize) {
+            _pdu.setFunctionCode(QModbusPdu::FunctionCode(quint8(_data[1])));
+            _pdu.setData(_data.mid(2, _data.size() - MinRtuFrameSize));
+        } else {
+            _pdu.setFunctionCode(QModbusPdu::Invalid);  // reset to invalid state
+            _pdu.setData(QByteArray());
+        }
     }
 
     ///
     /// \brief serverAddress
     /// \return
     ///
     quint8 serverAddress() const override {
+        if (_data.isEmpty())
+            return 0;
+
         return quint8(_data[0]);
     }
 
@@ -47,17 +60,23 @@ class QModbusAduRtu : public QModbusAdu
     /// \return
     ///
     quint16 checksum() const {
-        return makeUInt16(_data[_data.size() - 1], _data[_data.size() - 2], ByteOrder::Direct);
+        if (_data.size() >= MinRtuFrameSize) {
+            return makeUInt16(_data[_data.size() - 1], _data[_data.size() - 2], ByteOrder::Direct);
+        }
+        return 0;
     }
 
     ///
     /// \brief calcChecksum
     /// \return
     ///
     quint16 calcChecksum() const {
-        const auto size = _data.size() - 2; // two bytes, CRC
-        const auto data = _data.left(size);
-        return calculateCRC(data, size);
+        if (_data.size() < MinRtuFrameSize)
+            return 0;
+
+        const int crcDataSize = _data.size() - 2;
+        const QByteArray crcData = _data.left(crcDataSize);
+        return calculateCRC(crcData.constData(), crcDataSize);
     }
 
     ///
@@ -68,7 +87,10 @@ class QModbusAduRtu : public QModbusAdu
         return checksum() == calcChecksum();
     }
 
-    inline static quint16 calculateCRC(const char* data, qint32 len){
+    inline static quint16 calculateCRC(const char* data, qint32 len) {
+        if (len <= 0 || data == nullptr)
+            return 0;
+
         quint16 crc = 0xFFFF;
         while (len--) {
             const quint8 c = *data++;
@@ -82,12 +104,12 @@ class QModbusAduRtu : public QModbusAdu
             }
             crc &= 0xFFFF;
         }
-        crc = crc_reflect(crc & 0xFFFF, 16) ^ 0x0000;
-        return (crc >> 8) | (crc << 8); // swap bytes
+        crc = crc_reflect(crc, 16);
+        return (crc >> 8) | (crc << 8);  // swap bytes
     }
 
 private:
-    inline static quint16 crc_reflect(quint16 data, qint32 len){
+    inline static quint16 crc_reflect(quint16 data, qint32 len) {
         quint16 ret = data & 0x01;
         for (qint32 i = 1; i < len; i++) {
             data >>= 1;
diff --git a/src/qmodbusadutcp.h b/src/qmodbusadutcp.h
@@ -10,6 +10,9 @@
 class QModbusAduTcp : public QModbusAdu
 {
 public:
+    /// Minimum TCP frame size: header(6) + unitId(1) + function(1) = 8 bytes
+    static constexpr int MinTcpFrameSize = 8;
+
     explicit QModbusAduTcp(const QByteArray& rawData)
         : QModbusAdu()
     {
@@ -21,6 +24,9 @@ class QModbusAduTcp : public QModbusAdu
     /// \return
     ///
     bool isValid() const override {
+        if (_data.size() < MinTcpFrameSize)
+            return false;
+
         return _pdu.isValid() && length() == _pdu.size() + 1;
     }
 
@@ -30,15 +36,23 @@ class QModbusAduTcp : public QModbusAdu
     ///
     void setRawData(const QByteArray& data) override {
         _data = data;
-        _pdu.setFunctionCode(QModbusPdu::FunctionCode((quint8)_data[7]));
-        _pdu.setData(_data.mid(8));
+        if (_data.size() >= MinTcpFrameSize) {
+            _pdu.setFunctionCode(QModbusPdu::FunctionCode(quint8(_data[7])));
+            _pdu.setData(_data.mid(8, _data.size() - MinTcpFrameSize));
+        } else {
+            _pdu.setFunctionCode(QModbusPdu::Invalid);  // reset to invalid state
+            _pdu.setData(QByteArray());
+        }
     }
 
     ///
     /// \brief transactionId
     /// \return
     ///
     quint16 transactionId() const {
+        if (_data.size() < MinTcpFrameSize)
+            return 0;
+
         return makeUInt16(_data[1], _data[0], ByteOrder::Direct);
     }
 
@@ -47,6 +61,9 @@ class QModbusAduTcp : public QModbusAdu
     /// \param id
     ///
     void setTransactionId(quint16 id) {
+        if (_data.size() < MinTcpFrameSize)
+            return;
+
         quint8 lo,hi;
         breakUInt16(id, lo, hi, ByteOrder::Direct);
         _data[1] = lo; _data[0] = hi;
@@ -57,6 +74,9 @@ class QModbusAduTcp : public QModbusAdu
     /// \return
     ///
     quint16 protocolId() const {
+        if (_data.size() < MinTcpFrameSize)
+            return 0;
+
         return makeUInt16(_data[3], _data[2], ByteOrder::Direct);
     }
 
@@ -65,6 +85,9 @@ class QModbusAduTcp : public QModbusAdu
     /// \return
     ///
     quint16 length() const {
+        if (_data.size() < MinTcpFrameSize)
+            return 0;
+
         return makeUInt16(_data[5], _data[4], ByteOrder::Direct);
     }
 
@@ -73,6 +96,9 @@ class QModbusAduTcp : public QModbusAdu
     /// \return
     ///
     quint8 serverAddress() const override {
+        if (_data.size() < MinTcpFrameSize)
+            return 0;
+
         return quint8(_data[6]);
     }
 
