openxc isotp-c Out-of-Bounds Read Vulnerability in ISO-TP Single Frame Receive Handler
Vulnerability
An out-of-bounds read vulnerability has been identified in the openxc isotp-c library, in versions through commit 5a5d19245f65189202719321facd49ce6f5d46ac. The issue is in the ISO-TP single frame receive handler, which uses the 4-bit payload length nibble directly as the size of a memory copy without validating it against the actual CAN data length. A malicious CAN frame with an oversized length nibble therefore causes memory reads beyond the buffer. As a result, attackers could access sensitive information or cause a denial-of-service condition.
Impact
Exploitation of this vulnerability leads to an out-of-bounds read, which can cause a denial-of-service or allow attackers to access sensitive information.
Reproduction
The vulnerability can be reproduced by sending a crafted CAN frame with an oversized length nibble to a vehicle or system using the affected version of the openxc isotp-c library. The ISO-TP single frame receive handler processes the frame and performs an out-of-bounds read: the copy fills the receive buffer with data read from beyond the memory that holds the frame's actual data.
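The missing check, shown as an added example that is not the isotp-c source: an unchecked copy of the kind described above next to a hardened single frame handler that validates the length nibble against the received data length. All function names, constants and sample frames are assumptions constructed for illustration, and classic CAN (at most 8 data bytes) is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISOTP_PCI_SINGLE_FRAME 0x0u
#define CLASSIC_CAN_MAX_DLC    8u

/* Pattern described in the advisory (illustrative, not the library's code):
 * the length nibble alone decides how many bytes are copied. */
size_t sf_receive_unchecked(const uint8_t *data, uint8_t *out)
{
    size_t len = data[0] & 0x0Fu;   /* sender-controlled, 0..15 */
    memcpy(out, &data[1], len);     /* can read past the received bytes */
    return len;
}

/* Hardened form: returns the payload length, or -1 if the frame is rejected.
 * dlc is the number of data bytes actually received on the bus. */
int sf_receive_checked(const uint8_t *data, size_t dlc,
                       uint8_t *out, size_t out_cap)
{
    if (data == NULL || out == NULL || dlc < 1 || dlc > CLASSIC_CAN_MAX_DLC)
        return -1;
    if ((data[0] >> 4) != ISOTP_PCI_SINGLE_FRAME)
        return -1;                  /* not a single frame */
    size_t len = data[0] & 0x0Fu;
    if (len == 0 || len > dlc - 1 || len > out_cap)
        return -1;                  /* nibble claims more than was received */
    memcpy(out, &data[1], len);
    return (int)len;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t FRAME_OK[]  = { 0x03, 0x22, 0xF1, 0x90 }; /* len 3, DLC 4 */
static const uint8_t FRAME_BAD[] = { 0x0F, 0x22, 0xF1 };       /* len 15, DLC 3 */

int demo_ok(void)  { uint8_t b[7]; return sf_receive_checked(FRAME_OK, sizeof FRAME_OK, b, sizeof b); }
int demo_bad(void) { uint8_t b[7]; return sf_receive_checked(FRAME_BAD, sizeof FRAME_BAD, b, sizeof b); }

int main(void)
{
    printf("valid frame: %d, oversized nibble: %d\n", demo_ok(), demo_bad());
    return 0;
}
```

The same bound applies wherever the handler learns the frame size: the copy length must never exceed the received data length minus the one-byte PCI header, nor the capacity of the destination buffer.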
