AGL agl-service-can-low-level Stack Buffer Overflow Vulnerability in uds-c Library
Vulnerability
A stack buffer overflow vulnerability has been identified in the AGL agl-service-can-low-level component, specifically within the uds-c library. The send_diagnostic_request function allocates a 6-byte stack buffer but lets memcpy copy up to 7 bytes into it. The copy starts at an offset determined by the payload's PID length, so the result is a controlled stack overflow of 1 to 4 bytes. The vulnerability is present in AGL versions through 17.1.12.
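The length arithmetic described above, with the bounds check that closes it, as an added example that is not code from uds-c or AGL. All names are hypothetical, and the layout (one service byte followed by a 0 to 2 byte PID, then the payload) is an assumption chosen because it yields the stated 1 to 4 byte overrun.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REQ_BUF_SIZE    6  /* stack buffer size stated in the advisory */
#define MAX_PAYLOAD_LEN 7  /* largest payload length the copy accepted */
#define MODE_BYTES      1  /* assumed: one service byte precedes the PID */
#define MAX_PID_LEN     2  /* assumed: PID occupies 0 to 2 bytes */

/* Bytes an unchecked copy would write past the buffer (0 = it fits). */
size_t overflow_bytes(size_t pid_length, size_t payload_length)
{
    size_t end = MODE_BYTES + pid_length + payload_length;
    return end > REQ_BUF_SIZE ? end - REQ_BUF_SIZE : 0;
}

/* Hardened builder: returns bytes written, or -1 if the request is rejected. */
int build_request(uint8_t *dst, size_t dst_size, uint8_t mode,
                  uint16_t pid, size_t pid_length,
                  const uint8_t *payload, size_t payload_length)
{
    if (dst == NULL || pid_length > MAX_PID_LEN || payload_length > MAX_PAYLOAD_LEN)
        return -1;
    if (payload_length > 0 && payload == NULL)
        return -1;
    size_t offset = MODE_BYTES + pid_length;
    /* Subtract instead of add so the comparison cannot wrap. */
    if (offset > dst_size || payload_length > dst_size - offset)
        return -1;
    memset(dst, 0, dst_size);
    dst[0] = mode;
    if (pid_length == 2) {
        dst[1] = (uint8_t)(pid >> 8);
        dst[2] = (uint8_t)(pid & 0xff);
    } else if (pid_length == 1) {
        dst[1] = (uint8_t)(pid & 0xff);
    }
    if (payload_length > 0)
        memcpy(dst + offset, payload, payload_length);
    return (int)(offset + payload_length);
}

int main(void)
{
    uint8_t buf[REQ_BUF_SIZE];
    const uint8_t data[MAX_PAYLOAD_LEN] = {1, 2, 3, 4, 5, 6, 7}; /* constructed */
    /* 2-byte PID + 7-byte payload needs 10 bytes, so the request is rejected. */
    return build_request(buf, sizeof buf, 0x22, 0xF190, 2, data, 7) == -1 ? 0 : 1;
}
```

The check validates the destination offset plus the payload length against the real buffer size, instead of validating the payload length on its own.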
Impact
Exploitation of this vulnerability can overwrite the return address on 32-bit ARM automotive ECUs that lack stack canaries, potentially leading to remote code execution.
Reproduction
The vulnerability can be reproduced by sending a UDS request payload that exceeds 6 bytes, with the excess data offset by the PID length. This can be done through the AGL CAN service API, which will trigger the buffer overflow in the uds-c library.
