gpsd Integer Underflow Vulnerability in NAVCOM Packet Parsing Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in gpsd, specifically in versions prior to 3.27.1. The issue arises from an integer underflow in the 'nextstate()' function within 'gpsd/packet.c', when the parser handles NAVCOM packets. The vulnerability occurs because the payload length is calculated by subtracting 4 from the packet ID byte, without verifying if the ID is greater than or equal to 4. This oversight allows the calculation to underflow, resulting in a very large length value. Consequently, the parser enters a loop trying to process this excessive amount of data, causing 100% CPU usage and effectively hanging the daemon until it is restarted.
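
The arithmetic described above, as a simplified model added here for illustration (it is not gpsd's source code). The function names, the NAVCOM_OVERHEAD constant name, the unsigned size_t length type and the sample ID bytes are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The constant subtracted from the ID byte, as described in the advisory.
 * The macro name is hypothetical. */
#define NAVCOM_OVERHEAD 4u

/* Unchecked form: with an unsigned length (assumed type), any byte below 4
 * wraps around to a value close to SIZE_MAX instead of going negative. */
size_t payload_len_unchecked(uint8_t id)
{
    return (size_t)id - NAVCOM_OVERHEAD;
}

/* Checked form: validate the byte before subtracting. Returns the payload
 * length, or -1 so the caller can drop the packet as malformed. */
int payload_len_checked(uint8_t id)
{
    if (id < NAVCOM_OVERHEAD)
        return -1;
    return (int)(id - NAVCOM_OVERHEAD);
}

int main(void)
{
    const uint8_t samples[] = { 0, 3, 4, 200 };  /* constructed ID bytes */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("id=%3u unchecked=%zu checked=%d\n", (unsigned)samples[i],
               payload_len_unchecked(samples[i]),
               payload_len_checked(samples[i]));
    return 0;
}
```

A parser that waits for the unchecked length to arrive before completing the packet never reaches that count, which matches the hang described above.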

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, where the gpsd process consumes all available CPU resources, causing the daemon to become unresponsive to clients. This state persists until the process is manually restarted.

Reproduction

The vulnerability can be reproduced by sending a NAVCOM packet with an ID byte value less than 4, either over a network connection to a port where gpsd is listening, or through a serial device connected to the host running gpsd.

Remediation

Users can upgrade to gpsd version 3.27.1 or later to address this vulnerability.

Added: Jan 2, 2026, 4:21 PM
Updated: Jan 2, 2026, 4:48 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 8.8
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.