BACnet Protocol Stack
cpe:2.3:a:bacnet_protocol_stack_project:bacnet_protocol_stack:*:*:*:*:*:*:*
- 1.5.0.rc1
A vulnerability exists in the BACnet Protocol Stack library in versions prior to 1.5.0.rc2. The issue lies in the NPDU reply matching function, which indexes into the APDU bytes without first verifying that the frame actually contains them. The resulting out-of-bounds read crashes sanitized builds immediately and causes undefined behavior in unprotected ones. The read can misroute replies; remote code execution is unlikely, but the denial-of-service impact is reliable.
Exploitation triggers an out-of-bounds read past a stack buffer, which crashes on ASan/MPU/strict builds. On unprotected builds the same read produces undefined behavior, such as misrouting replies. Remote code execution is unlikely because the flaw involves read operations only.
The vulnerability can be reproduced by crafting a DATA_EXPECTING_REPLY frame that contains only a 2-byte NPDU, which passes the version check and is then read out of bounds by the `npdu_is_expected_reply` function. This can be done by sending a normal confirmed request, followed by injecting the crafted frame onto the MS/TP bus, where it will be processed by the reply matcher, triggering the out-of-bounds read and causing a crash.
Users can upgrade to BACnet Protocol Stack version 1.5.0.rc2 or later, where this vulnerability has been patched.
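As an added illustration of the missing bounds check, not the library's own code or its actual patch: a length-checked NPDU header walk and a reply matcher that refuses to read the APDU invoke ID from a frame too short to contain it. Function names, signatures and the sample frames (including the 2-octet NPDU described above) are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Flags in the NPDU control octet (BACnet network layer header). */
#define NPDU_CTRL_NETWORK_MSG  0x80
#define NPDU_CTRL_DNET_PRESENT 0x20
#define NPDU_CTRL_SNET_PRESENT 0x08

/* Constructed sample frames (NPDU + APDU, no MS/TP framing): a well-formed
 * Confirmed-Request with invoke ID 0x2a, the 2-octet NPDU from the advisory,
 * and a header whose DADR field runs past the end of the buffer. */
static const uint8_t request_frame[]        = {0x01, 0x04, 0x00, 0x05, 0x2a, 0x0c};
static const uint8_t short_frame[]          = {0x01, 0x04};
static const uint8_t truncated_dnet_frame[] = {0x01, 0x24, 0x00, 0x01, 0x06};

/* Return the offset of the first APDU octet, or -1 if the NPDU header is
 * incomplete or the frame is a network-layer message carrying no APDU.
 * Every field is length-checked before it is indexed. */
int npdu_apdu_offset(const uint8_t *pdu, size_t len)
{
    if (len < 2 || pdu[0] != 0x01) return -1;      /* version + control */
    uint8_t ctrl = pdu[1];
    size_t off = 2;
    const uint8_t addr_flags[2] = {NPDU_CTRL_DNET_PRESENT, NPDU_CTRL_SNET_PRESENT};
    for (int i = 0; i < 2; i++) {                   /* xNET(2) xLEN(1) xADR(xLEN) */
        if (!(ctrl & addr_flags[i])) continue;
        if (off + 3 > len) return -1;
        uint8_t alen = pdu[off + 2];
        off += 3;
        if (off + alen > len) return -1;
        off += alen;
    }
    /* Hop count octet is present whenever DNET is present. */
    if ((ctrl & NPDU_CTRL_DNET_PRESENT) && ++off > len) return -1;
    if (ctrl & NPDU_CTRL_NETWORK_MSG) return -1;
    return (int)off;
}

/* Reply matcher: true only if the frame holds a Confirmed-Request APDU whose
 * invoke ID (third APDU octet) equals invoke_id. A frame too short to hold
 * those three octets is rejected instead of being read out of bounds. */
bool mstp_reply_matches(const uint8_t *pdu, size_t len, uint8_t invoke_id)
{
    int off = npdu_apdu_offset(pdu, len);
    if (off < 0 || (size_t)off + 3 > len)
        return false;
    return (pdu[off] >> 4) == 0x00 && pdu[off + 2] == invoke_id;
}
```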