ntpsec gpsd
cpe:2.3:a:gpsd_project:gpsd:*:*:*:*:*:*:*
- < 3.27.1
A heap-based out-of-bounds write vulnerability exists in gpsd versions prior to 3.27.1, specifically within the NMEA2000 driver. The issue arises in the 'hnd_129540' function, which processes NMEA2000 PGN 129540 (GNSS Satellites in View) packets. The function fails to validate the attacker-controlled satellite count field against the fixed size of the skyview array before writing satellite records into it, which leads to memory corruption. An attacker can exploit this vulnerability by sending a packet with a satellite count of up to 255, causing the application to write beyond the array's bounds. Successful exploitation can result in a denial-of-service condition, memory corruption, and potentially arbitrary code execution.
Exploitation of this vulnerability can cause memory corruption by overwriting adjacent heap memory, leading to unpredictable behavior, corruption of active sessions, and causing the gpsd daemon to crash or enter an inconsistent state where it cannot properly serve clients.
To reproduce this vulnerability, send a NMEA2000 Fast Packet containing PGN 129540 with the satellite count byte set to 255. This can be done using a CAN bus interface that supports NMEA2000 messaging.
Users can update to gpsd version 3.27.1 or later, where this vulnerability has been fixed.
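The following is an added illustration of the missing check described above, not gpsd's own code: a hypothetical PGN 129540 parser that validates the count byte against both the skyview array's capacity and the bytes actually received before any record is written. The constants, record layout and structure names are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical sizes for illustration only, not gpsd's own definitions. */
#define SKYVIEW_MAX    64   /* fixed capacity of the skyview array */
#define SAT_RECORD_LEN 12   /* bytes per satellite record (assumed PGN 129540 layout) */
#define PGN_HDR_LEN     3   /* SID, mode byte, satellite count */

struct sat_record { uint8_t prn; int16_t elevation; int16_t azimuth; uint16_t snr; };
struct skyview { int satellites_visible; struct sat_record sats[SKYVIEW_MAX]; };

/* Parse a PGN 129540 payload. The attacker-controlled count byte is checked
 * against the array capacity and against the bytes actually present before
 * any record is written, so a count of 255 is rejected instead of overrunning.
 * Returns the number of records stored, or -1 for a malformed packet. */
int parse_pgn129540(const uint8_t *buf, size_t len, struct skyview *sv)
{
    if (buf == NULL || sv == NULL || len < PGN_HDR_LEN)
        return -1;
    unsigned count = buf[2];
    if (count > SKYVIEW_MAX)                          /* the check that was missing */
        return -1;
    if (len < PGN_HDR_LEN + (size_t)count * SAT_RECORD_LEN)
        return -1;                                    /* count exceeds payload */
    memset(sv, 0, sizeof *sv);
    for (unsigned i = 0; i < count; i++) {
        const uint8_t *r = buf + PGN_HDR_LEN + i * SAT_RECORD_LEN;
        sv->sats[i].prn       = r[0];
        sv->sats[i].elevation = (int16_t)(r[1] | (r[2] << 8));
        sv->sats[i].azimuth   = (int16_t)(r[3] | (r[4] << 8));
        sv->sats[i].snr       = (uint16_t)(r[5] | (r[6] << 8));
    }
    sv->satellites_visible = (int)count;
    return (int)count;
}

/* Constructed sample (not captured traffic): a payload carrying two satellite
 * records whose count byte is set to `count`, delivered with `len` bytes. */
int parse_sample(uint8_t count, size_t len)
{
    uint8_t pkt[PGN_HDR_LEN + 2 * SAT_RECORD_LEN] = {0};
    struct skyview sv;
    pkt[2] = count;
    pkt[PGN_HDR_LEN] = 5;                    /* PRN of first record */
    pkt[PGN_HDR_LEN + SAT_RECORD_LEN] = 12;  /* PRN of second record */
    if (len > sizeof pkt)
        len = sizeof pkt;
    return parse_pgn129540(pkt, len, &sv);
}
```

A count of 255 is refused by the capacity check, and a count that claims more records than the payload carries is refused by the length check, so neither path reaches the write loop.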