BACnet Protocol Stack Off-by-One Stack-Based Buffer Overflow Vulnerability in uBASIC Interpreter

A stack-based buffer overflow vulnerability has been identified in the BACnet Protocol Stack library, specifically in versions 1.4.2, 1.5.0.rc2, and earlier. The issue arises in the uBASIC interpreter's tokenizer_string function, which improperly manages null termination for strings that exceed the buffer limit. This flaw leads to a crash (SIGABRT) when processing overly long string literals, as the function writes a null byte to an index that is out of bounds, causing a stack overflow.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, leading to a crash of the application.

Reproduction

The vulnerability can be reproduced by loading a uBASIC program that includes a string variable longer than 40 characters, such as one containing 41 characters including a null terminator. This can be done using the 'let' command to assign the string variable, followed by a 'print' command to output the variable's value. The program will crash with an 'abort' message, indicating a SIGABRT signal was received.

Remediation

Users can upgrade to BACnet Protocol Stack version 1.4.3 or 1.5.0.rc3, where this vulnerability has been patched.