CVE-2025-67268

CRITICAL 9.8 / 10.0
Published: January 2, 2026 at 04:17 PM
Modified: January 12, 2026 at 03:33 PM
Source: cve@mitre.org

Vulnerability Description

gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution.

CVSS Metrics

Base Score
9.8
Severity
CRITICAL
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

AI Security Analysis

01 // Technical Summary

gpsd, a daemon for handling GPS data, is vulnerable to a critical heap-based out-of-bounds write due to improper input validation in the driver_nmea2000.c file. This flaw allows an attacker to overwrite memory by sending a crafted NMEA2000 message, potentially leading to denial of service (DoS) or remote code execution (RCE).

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker identifies a system running a vulnerable version of gpsd.

Step 2: Payload Creation: The attacker crafts a malicious NMEA2000 PGN 129540 packet. This packet includes a satellite count greater than 184, triggering the vulnerability.

Step 3: Packet Delivery: The attacker sends the crafted NMEA2000 packet to the gpsd service, typically via a network connection or a serial port connected to a GPS device.

Step 4: Vulnerability Trigger: The hnd_129540 function processes the malicious packet. Due to the missing bounds check, the code attempts to write satellite data beyond the allocated memory for the skyview array.

Step 5: Memory Corruption: The out-of-bounds write corrupts adjacent memory regions on the heap.

Step 6: Exploitation (DoS/RCE): The memory corruption can lead to a crash (DoS) or, if the attacker has sufficient control over the overwritten data, the execution of arbitrary code (RCE). The specific impact depends on the memory layout and the attacker's payload.

03 // Deep Technical Analysis

The vulnerability lies within the hnd_129540 function in drivers/driver_nmea2000.c. This function processes NMEA2000 PGN 129540 packets, which contain satellite information. The flaw is a missing bounds check on the user-supplied satellite count: the code fails to verify whether the provided count exceeds the size of the skyview array (184 elements). This leads to a heap-based buffer overflow when the code writes satellite data into the skyview array, allowing an attacker to overwrite adjacent memory regions. This memory corruption can lead to a crash (DoS) or, with careful crafting of the payload, the execution of arbitrary code.
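An added illustration (not gpsd's own code): a reduced model of a PGN 129540 handler that performs the bounds check on the packet-supplied satellite count which sections 02 and 03 describe as missing. The structures, the 6-byte per-satellite record layout, the header layout and the function names are assumptions made for this example; only the 184-element array size comes from the advisory.

```c
#include <stdint.h>
#include <stdlib.h>
/* Illustrative model only, not gpsd's real structures; the skyview size
 * matches the 184-element figure in the advisory. */
#define MAXCHANNELS 184
#define SAT_REC_LEN 6   /* assumed record: prn, elevation LE16, azimuth LE16, snr */
struct satellite_t { uint8_t prn; int16_t elevation; int16_t azimuth; uint8_t snr; };
struct gps_session_t {
    int satellites_visible;
    struct satellite_t skyview[MAXCHANNELS];
};
/* Hardened handler for an assumed layout (byte 0 sequence id, byte 1 mode,
 * byte 2 satellite count, then SAT_REC_LEN bytes per satellite; not the real
 * PGN 129540 encoding). The count is checked against the array size before any
 * write. Returns the number of satellites stored, or -1 if the packet is rejected. */
int handle_pgn129540(struct gps_session_t *session, const uint8_t *buf, size_t len)
{
    if (len < 3)
        return -1;                               /* header incomplete */
    unsigned count = buf[2];                     /* packet-controlled, 0..255 */
    if (count > MAXCHANNELS)
        return -1;                               /* would overrun skyview */
    if (len < 3 + (size_t)count * SAT_REC_LEN)
        return -1;                               /* count exceeds data sent */
    for (unsigned i = 0; i < count; i++) {
        const uint8_t *rec = buf + 3 + i * SAT_REC_LEN;
        session->skyview[i].prn = rec[0];
        session->skyview[i].elevation = (int16_t)(rec[1] | (rec[2] << 8));
        session->skyview[i].azimuth = (int16_t)(rec[3] | (rec[4] << 8));
        session->skyview[i].snr = rec[5];
    }
    session->satellites_visible = (int)count;
    return (int)count;
}
/* Builds a constructed packet with `count` full records, feeds it to a heap-
 * allocated session (mirroring the heap-based case) and returns the verdict. */
int run_sample(unsigned count)
{
    size_t len = 3 + (size_t)count * SAT_REC_LEN;
    uint8_t *buf = calloc(len, 1);
    struct gps_session_t *session = calloc(1, sizeof *session);
    if (buf == NULL || session == NULL) { free(buf); free(session); return -2; }
    buf[2] = (uint8_t)count;
    for (unsigned i = 0; i < count; i++)
        buf[3 + i * SAT_REC_LEN] = (uint8_t)(i + 1);  /* PRN 1..count */
    int rc = handle_pgn129540(session, buf, len);
    free(session); free(buf);
    return rc;
}
```

A count of 185 or more is rejected before any element is written, so the largest value a single byte can carry (255) never reaches the copy loop.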

CVE-2025-67268 - CRITICAL Severity (9.8) | Free CVE Database | 4nuxd