AGL Service CAN Low-Level Stack Buffer Overflow Vulnerability in UDS-C Library

Vulnerability

A stack buffer overflow vulnerability has been identified in the AGL service CAN low-level component, in versions through 17.1.12. The issue is in the 'send_diagnostic_request' function of the UDS-C library, where a 6-byte stack buffer is allocated but is vulnerable to overflow by up to 1 byte. This occurs because the 'payload_length' field is used to copy into the buffer without proper bounds checking, allowing for 1-4 bytes of controlled overflow. On 32-bit ARM automotive ECUs lacking stack canaries, this vulnerability could be exploited to overwrite the return address and execute arbitrary code.

Impact

Exploitation of this vulnerability can lead to a stack-based buffer overflow, allowing for the overwriting of the return address and potentially executing arbitrary code.

Reproduction

The vulnerability can be reproduced by sending a UDS diagnostic request payload that exceeds the allocated buffer size. This can be done through the AGL CAN service API, targeting the 'send_diagnostic_request' function in the UDS-C library.
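
The missing bounds check described under Vulnerability, shown in hardened form as an added example (this is not the UDS-C library's code). The request layout, the 'service_id' header byte, the 8-byte payload array and the function name 'build_request_checked' are assumptions made for illustration; only the 6-byte buffer and the 'payload_length' field come from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REQ_BUF_LEN 6 /* stack buffer size stated in the advisory */

/* Constructed request layout (assumption); only payload_length is named on the page. */
typedef struct {
    uint8_t service_id;
    uint8_t payload[8];
    uint8_t payload_length;
} demo_request_t;

/* Serialises req into out. Returns bytes written, or -1 if the request is rejected. */
int build_request_checked(const demo_request_t *req, uint8_t *out, size_t out_len)
{
    uint8_t buf[REQ_BUF_LEN];
    size_t used = 0;

    if (req == NULL || out == NULL)
        return -1;
    buf[used++] = req->service_id;

    /* Unchecked pattern: memcpy(&buf[used], req->payload, req->payload_length);
     * Bound the length by the space left after the header, and by the source array. */
    if (req->payload_length > sizeof(buf) - used ||
        req->payload_length > sizeof(req->payload))
        return -1;
    memcpy(&buf[used], req->payload, req->payload_length);
    used += req->payload_length;

    if (used > out_len)
        return -1;
    memcpy(out, buf, used);
    return (int)used;
}

int main(void)
{
    demo_request_t req = { 0x22, { 0xF1, 0x90, 0, 0, 0 }, 5 }; /* constructed sample */
    uint8_t out[REQ_BUF_LEN];
    printf("length 5 -> %d\n", build_request_checked(&req, out, sizeof out));
    req.payload_length = 6; /* one byte past the remaining space */
    printf("length 6 -> %d\n", build_request_checked(&req, out, sizeof out));
    return 0;
}
```

The check compares the length against the space remaining after bytes already written, not against the total buffer size, so a header byte cannot silently reduce the margin.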

Added: May 1, 2026, 5:28 PM
Updated: May 1, 2026, 5:28 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 7.5
exploitability: 6.4
remediation: 8.3
relevance: 7.2
threat: 1.6
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.