Automotive Grade Linux agl-service-can-low-level
cpe:2.3:a:linuxfoundation:automotive_grade_linux:*:*:*:*:*:*:*
- <= 17.1.12
A heap buffer over-read vulnerability has been identified in the AGL agl-service-can-low-level component, through version 17.1.12. The issue arises in the isotp-c library during the ISO-TP multi-frame reassembly process. The vulnerability occurs when the payload length for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, allowing values between 0 and 15. However, standard CAN frames are only 8 bytes long, with the payload starting at the second byte, leaving only 7 bytes available. When the extracted payload length exceeds the available data—such as when the nibble value is 15—the memcpy function reads up to 8 bytes beyond the end of the data buffer, leading to a heap buffer over-read.
Exploitation of this vulnerability causes a heap buffer over-read, which can potentially be leveraged for further attacks, such as memory corruption or information disclosure.
The vulnerability can be reproduced by sending a CAN frame with a payload length nibble that exceeds the available data bytes. For example, a nibble value of 15 can be used to trigger the over-read, as only 7 payload bytes are available.
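The missing bounds check described above, written out as an added example (not code from isotp-c or the AGL code base). The function name, constants and sample frames are hypothetical and constructed for illustration; the layout assumed is the ISO 15765-2 classic CAN Single Frame, with the frame type in the high nibble and the payload length in the low nibble of the first byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAN_MAX_DLEN   8  /* classic CAN frame data size */
#define SF_MAX_PAYLOAD 7  /* bytes left after the first (PCI) byte */

/* Hypothetical helper, not isotp-c's API.
 * Copies the payload of an ISO-TP Single Frame into out.
 * Returns the payload length, or -1 if the frame is malformed. */
int sf_copy_payload(const uint8_t *data, size_t data_len,
                    uint8_t *out, size_t out_cap)
{
    if (data == NULL || out == NULL)
        return -1;
    if (data_len == 0 || data_len > CAN_MAX_DLEN)
        return -1;
    if ((data[0] >> 4) != 0x0)          /* high nibble 0 = Single Frame */
        return -1;

    size_t claimed = data[0] & 0x0F;    /* sender-controlled, 0..15 */

    /* The unchecked pattern is: memcpy(out, &data[1], claimed);
     * with claimed == 15 that reads past the 7 bytes that exist. */
    if (claimed > SF_MAX_PAYLOAD)       /* cannot fit in a classic frame */
        return -1;
    if (claimed > data_len - 1)         /* more than was actually received */
        return -1;
    if (claimed > out_cap)              /* destination too small */
        return -1;

    memcpy(out, &data[1], claimed);
    return (int)claimed;
}

int main(void)
{
    uint8_t out[SF_MAX_PAYLOAD];
    /* Constructed sample frames. */
    const uint8_t good[8] = {0x03, 0xAA, 0xBB, 0xCC, 0, 0, 0, 0};
    const uint8_t bad[8]  = {0x0F, 1, 2, 3, 4, 5, 6, 7};

    printf("good frame -> %d\n", sf_copy_payload(good, 8, out, sizeof out));
    printf("nibble 15  -> %d\n", sf_copy_payload(bad, 8, out, sizeof out));
    return 0;
}
```

Checking the claimed length against the received data length, and not only against the 7-byte maximum, also covers frames shorter than 8 bytes.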