KIMDONGYEON00
Summary

A critical buffer overflow vulnerability exists in isotp_send_single_frame function with no size validation whatsoever. This is more severe than the recent Zephyr RTOS CVE, which at least had debug-time assertions.

Zephyr CVE Reference

Zephyr RTOS had the exact same vulnerability pattern that was recently patched:
https://nvd.nist.gov/vuln/detail/CVE-2023-3725
GHSA-2g3m-p6c7-8rr3
Before (vulnerable):

```c
__ASSERT_NO_MSG(len <= ISOTP_CAN_DL - index);
memcpy(&frame.data[index], data, len);
```

After (fixed):

```c
if (len > ISOTP_CAN_DL - index) {
    LOG_ERR("SF len does not fit DL");
    return -ENOSPC;
}
memcpy(&frame.data[index], data, len);
```

Affected Code in openxc/isotp-c

File: src/isotp/send.c
Function: isotp_send_single_frame

```c
IsoTpSendHandle isotp_send_single_frame(IsoTpShims* shims, IsoTpMessage* message,
        IsoTpMessageSentHandler callback) {
    IsoTpSendHandle handle = {
        success: false,
        completed: true
    };
    // ...
    /* No size validation */
    if(message->size > 0) {
        memcpy(&can_data[1], message->payload, message->size);
    }
    // ...
}
```

Vulnerability Details

  1. Debug-only protection
  2. Buffer overflow risk

Impact

  1. Memory corruption (Stack/Heap)
  2. System crashes

Recommended Fix

```c
IsoTpSendHandle isotp_send_single_frame(IsoTpShims* shims, IsoTpMessage* message,
        IsoTpMessageSentHandler callback) {
    IsoTpSendHandle handle = {
        success: false,
        completed: true
    };
    /* a payload longer than 7 bytes needs a multi-frame message, not a single frame */
    if(message->size > 7) {
        shims->log("Single frame payload exceeds maximum size (7 bytes)");
        return handle;
    }
    // ...

    if(message->size > 0) {
        memcpy(&can_data[1], message->payload, message->size);
    }
    // ...
}
```

Priority

High - Same pattern that warranted CVE in Zephyr RTOS

PoC

Due to the complexity of setting up a CAN hardware environment, I haven't tested this vulnerability against a real embedded system.
However, code analysis clearly demonstrates the buffer overflow potential.
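The bound being discussed, as an added stand-alone example that is not code from the openxc/isotp-c project or from this pull request: a single frame on classic CAN carries one PCI byte plus at most 7 payload bytes, so the send path must reject anything longer before the `memcpy`, and the receive path must check that the SF_DL nibble fits inside the DLC it actually received (the receive-side check goes beyond what the PR covers, and the Zephyr fix quoted above uses the same "does not fit DL" rule). All names, constants and the sample payload below are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CAN_DL          8                       /* classic CAN data length (constructed constant) */
#define SF_PCI_LEN      1                       /* single-frame PCI byte: 0x0N, N = SF_DL */
#define SF_MAX_PAYLOAD  (CAN_DL - SF_PCI_LEN)   /* 7 bytes of payload per single frame */
#define PAD_BYTE        0xCC                    /* padding for unused data bytes */

/* Status codes for the example (hypothetical, loosely modelled on the -ENOSPC style above). */
enum sf_status { SF_ERR_TOO_LONG = -1, SF_ERR_NULL = -2, SF_ERR_BAD_FRAME = -3 };

/* Frame buffer used by main() and by the tests. */
uint8_t demo_frame[CAN_DL];

/* Send side: build a single frame into out[CAN_DL].
 * Returns the number of data bytes used (PCI + payload) or a negative sf_status. */
int build_single_frame(const uint8_t *payload, size_t len, uint8_t out[CAN_DL]) {
    if (out == NULL || (payload == NULL && len > 0)) return SF_ERR_NULL;
    /* The check the issue asks for: never copy more than fits behind the PCI byte. */
    if (len > SF_MAX_PAYLOAD) return SF_ERR_TOO_LONG;
    memset(out, PAD_BYTE, CAN_DL);
    out[0] = (uint8_t)(0x00 | len);             /* high nibble 0 = single frame, low nibble = SF_DL */
    if (len > 0) memcpy(&out[SF_PCI_LEN], payload, len);
    return (int)(SF_PCI_LEN + len);
}

/* Receive side: copy the payload of a single frame out of a received CAN frame.
 * Returns SF_DL on success or a negative sf_status; SF_DL must fit in the received DLC
 * and in the caller's buffer, otherwise a hostile frame could drive an over-read/over-write. */
int parse_single_frame(const uint8_t *frame, size_t dlc, uint8_t *payload_out, size_t out_cap) {
    if (frame == NULL || payload_out == NULL) return SF_ERR_NULL;
    if (dlc < SF_PCI_LEN || dlc > CAN_DL) return SF_ERR_BAD_FRAME;
    if ((frame[0] & 0xF0) != 0x00) return SF_ERR_BAD_FRAME;   /* not a single frame PCI */
    size_t sf_dl = frame[0] & 0x0F;
    if (sf_dl > dlc - SF_PCI_LEN) return SF_ERR_TOO_LONG;     /* "SF len does not fit DL" */
    if (sf_dl > out_cap) return SF_ERR_TOO_LONG;              /* caller's buffer too small */
    memcpy(payload_out, &frame[SF_PCI_LEN], sf_dl);
    return (int)sf_dl;
}

/* Builds a frame from a constructed payload 0xA0, 0xA1, ... of the requested length. */
int try_build(size_t len, uint8_t out[CAN_DL]) {
    uint8_t payload[16];
    for (size_t i = 0; i < sizeof payload; i++) payload[i] = (uint8_t)(0xA0 + i);
    return build_single_frame(payload, len > sizeof payload ? sizeof payload : len, out);
}

int main(void) {
    uint8_t back[SF_MAX_PAYLOAD];
    /* 7 bytes: fits, PCI becomes 0x07 */
    int n = try_build(7, demo_frame);
    printf("len 7  -> %d data bytes, PCI 0x%02X\n", n, demo_frame[0]);
    /* 8 bytes: rejected instead of overrunning the frame buffer */
    printf("len 8  -> %d (SF_ERR_TOO_LONG is %d)\n", try_build(8, demo_frame), SF_ERR_TOO_LONG);
    /* receive side: a frame claiming SF_DL = 7 but delivered with DLC 4 is rejected */
    uint8_t short_frame[4] = { 0x07, 0x11, 0x22, 0x33 };   /* constructed hostile frame */
    printf("SF_DL 7 in DLC 4 -> %d\n", parse_single_frame(short_frame, 4, back, sizeof back));
    return 0;
}
```

The two functions together enforce the invariant from both directions: the sender refuses to build a frame whose payload would not fit behind the PCI byte, and the receiver trusts the hardware DLC, not the SF_DL nibble a peer chose to put on the bus.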

KIMDONGYEON00 changed the title "Security Fix : Buffer Overflow in src/isotp/send.c :isotp_send_single_frame, Single Frame Transmission" to "Security: Fix buffer overflow in src/isotp/send.c isotp_send_single_frame" on Jul 14, 2025

notsig11 (Member)

I don't think you read the code... :)
