GPSd NTRIP Stream Parsing access violation vulnerability
An integer underflow in GPSd (GPS daemon) in the parsing of Network Transport of RTCM via IP (NTRIP) packets. When parsing the HTTP response that contains the table of records for getting GPS data, they parse line-by-line until a carriage return (\r\n) or null byte is encountered. The getline()
routine will do some buffer tracking and decrement inbuflen
on each character of the buffer as it parses. The problem is, getline()
will be called continuously until the carriage return or null byte is provided without accounting for how much data is left in the buffer. While the loop in getline()
will break out when inbuflen == 0
, getline()
will be called again, decrement inbuflen
under zero, and underflow to a large value. Later, the left over bytes will be copied via memmove()
with the larger value and overflow.