NASA cFS Memory Corruption Vulnerability in CFE_SB_TransmitMsg Function
Vulnerability
A memory-safety vulnerability has been identified in NASA's Core Flight System (cFS) version 7.0.0. The issue is in the CFE_SB_TransmitMsg function in cfe_sb_priv.c, in the code that handles the CCSDS header size. The function reads the message size from the CCSDS primary header's Length field and uses that value as the length of its memcpy, without checking that the caller's buffer actually contains the claimed number of bytes. A caller that passes a buffer smaller than the header claims therefore causes a buffer over-read: the copy pulls in whatever lies in adjacent memory, and those bytes are delivered to every subscriber of the message ID. On a flat-memory RTOS without MMU isolation, the adjacent memory may belong to a different application, so the over-read becomes cross-application information disclosure.
Impact
Exploitation causes an out-of-bounds read of the caller's message buffer (reported by AddressSanitizer as a heap-buffer-overflow). The bytes read past the end of the buffer are forwarded to subscribers of the message ID; on flat-memory RTOS deployments without MMU isolation those bytes can come from another application's memory, so the practical impact is cross-application information disclosure.
Reproduction
To reproduce: allocate a message buffer on the heap that is smaller than the size you intend to claim (for example, only a few bytes more than the primary header), set the CCSDS Length field so that the derived total packet size exceeds the allocation, and call CFE_SB_TransmitMsg with that buffer. The internal memcpy copies the claimed number of bytes and so reads past the end of the heap allocation; AddressSanitizer reports this as a heap-buffer-overflow read.
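The following is an added, self-contained C model of the flaw and of the check that prevents it. It is not cFS code: the packet builder, the `sb_transmit_trusting` / `sb_transmit_checked` functions and the `SB_*` status codes are hypothetical names chosen for this illustration, and only the CCSDS Length arithmetic (total packet size = Length field + 7) follows the standard. The trusting version reproduces the pattern described above, so that building it with `-fsanitize=address` and running `main` yields the heap-buffer-overflow read; the checked version takes the caller's real buffer size and rejects a header claim that exceeds it before any copy happens.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CCSDS primary header: StreamId(2) Sequence(2) Length(2). */
#define CCSDS_PRI_HDR_LEN 6
/* The Length field holds (bytes after the primary header) - 1, so the total
   packet size is 6 + field + 1 = field + 7. */
#define CCSDS_LEN_OFFSET 7

/* Total packet size claimed by the header. Model of the size derivation,
   not the cFS CFE_MSG_GetSize implementation. */
size_t ccsds_claimed_size(const uint8_t *pkt)
{
    uint16_t len_field = (uint16_t)((pkt[4] << 8) | pkt[5]);
    return (size_t)len_field + CCSDS_LEN_OFFSET;
}

/* Build a packet in buf[0..buf_len) whose Length field claims claimed_total
   bytes, regardless of how large buf really is. Constructed test data. */
void build_packet(uint8_t *buf, size_t buf_len, size_t claimed_total)
{
    memset(buf, 0xA5, buf_len);          /* recognisable payload filler */
    buf[0] = 0x18; buf[1] = 0x80;        /* StreamId: version 0, cmd, sec hdr, APID 0x080 */
    buf[2] = 0xC0; buf[3] = 0x00;        /* Sequence: unsegmented, count 0 */
    uint16_t len_field = (uint16_t)(claimed_total - CCSDS_LEN_OFFSET);
    buf[4] = (uint8_t)(len_field >> 8);
    buf[5] = (uint8_t)(len_field & 0xFF);
}

/* VULNERABLE pattern (model of the flaw): the copy length comes straight from
   the header, and only the destination bound is checked, so a caller buffer
   shorter than the claim is over-read. */
int sb_transmit_trusting(const uint8_t *msg, uint8_t *dst, size_t dst_len)
{
    size_t size = ccsds_claimed_size(msg);
    if (size > dst_len) return -1;
    memcpy(dst, msg, size);              /* reads past msg if it is shorter */
    return 0;
}

/* HARDENED pattern: the caller states how many bytes it actually owns and the
   header claim is validated against that before any copy. Hypothetical
   status codes, not cFS return codes. */
enum { SB_OK = 0, SB_DST_TOO_SMALL = -1, SB_HDR_TRUNCATED = -2, SB_CLAIM_EXCEEDS_BUF = -3 };

int sb_transmit_checked(const uint8_t *msg, size_t msg_buf_len,
                        uint8_t *dst, size_t dst_len)
{
    if (msg_buf_len < CCSDS_PRI_HDR_LEN) return SB_HDR_TRUNCATED;
    size_t size = ccsds_claimed_size(msg);
    if (size > msg_buf_len) return SB_CLAIM_EXCEEDS_BUF;
    if (size > dst_len) return SB_DST_TOO_SMALL;
    memcpy(dst, msg, size);
    return SB_OK;
}

/* Reproduction scenario: a 16-byte heap buffer whose header claims 64 bytes.
   Returns the hardened function's verdict. */
int demo_small_buffer_large_claim(void)
{
    uint8_t dst[256];
    uint8_t *msg = malloc(16);
    if (!msg) return -99;
    build_packet(msg, 16, 64);
    int rc = sb_transmit_checked(msg, 16, dst, sizeof dst);
    free(msg);
    return rc;
}

/* Well-formed case: claim matches the allocation, copy succeeds intact. */
int demo_consistent_packet(void)
{
    uint8_t dst[256];
    uint8_t msg[32];
    build_packet(msg, sizeof msg, sizeof msg);
    int rc = sb_transmit_checked(msg, sizeof msg, dst, sizeof dst);
    if (rc != SB_OK) return rc;
    return memcmp(dst, msg, sizeof msg) == 0 ? SB_OK : -98;
}

/* Edge case: buffer too short to even hold the Length field. */
int demo_truncated_header(void)
{
    uint8_t dst[16];
    uint8_t frag[4] = {0x18, 0x80, 0xC0, 0x00}; /* cut off before Length */
    return sb_transmit_checked(frag, sizeof frag, dst, sizeof dst);
}

int main(void)
{
    printf("hardened, 16-byte buffer claiming 64: rc=%d\n", demo_small_buffer_large_claim());
    printf("hardened, consistent 32-byte packet:  rc=%d\n", demo_consistent_packet());
    printf("hardened, 4-byte header fragment:     rc=%d\n", demo_truncated_header());

    /* Now the trusting version on the same input. Build with
       -fsanitize=address to see the heap-buffer-overflow READ report. */
    uint8_t dst[256];
    uint8_t *msg = malloc(16);
    if (!msg) return 1;
    build_packet(msg, 16, 64);
    printf("trusting copy of claimed %zu bytes from a 16-byte allocation...\n",
           ccsds_claimed_size(msg));
    sb_transmit_trusting(msg, dst, sizeof dst); /* UB: reads 48 bytes past msg */
    free(msg);
    return 0;
}
```

Build with `cc -g -fsanitize=address model.c` and run; the three hardened calls return their status codes and the final trusting call produces the sanitizer report. The design point is that the message size derived from the header is attacker- or caller-controlled data and must be bounded by a size the callee knows independently (here, an explicit `msg_buf_len` argument) before it is used as a copy length.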
