gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution.
The hnd_129540 function in the file drivers/driver_nmea2000.c processes NMEA2000 PGN 129540 packets (GNSS Satellites in View) without validating the number of satellites provided by the user against the size of the skyview array (184 elements). An attacker can provide a satellite count value up to 255, which causes a write outside the array boundaries on the heap. This results in memory corruption that can be exploited to execute arbitrary code or cause a process crash.
An attacker can cause a crash of the gpsd service (DoS) or potentially execute arbitrary code on the system with the privileges of the gpsd process. Due to the lack of authentication requirements and network attack vector, the threat is particularly serious.
Update gpsd to a version containing commit dc966aa74c075d0a6535811d98628625cbfbe3f4 or later. If updating is not possible, restrict network access to the gpsd service at the firewall level and consider disabling NMEA2000 interface support until the patch is applied.
gpsd (Gpsd Project) in all versions prior to commit dc966aa in the ntpsec/gpsd repository
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGpsd Project Gpsd
APPGpsd Project< 3.27.1
Related vulnerabilities
An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions pr...
gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open source project, allow a stack-based buff...
An integer underflow vulnerability exists in the NTRIP Stream Parsing functionality of GPSd 3.25.1~dev. A spec...
The NMEA0183 driver in gpsd before 3.9 allows remote attackers to cause a denial of service (daemon terminatio...