An integer underflow vulnerability exists in the nextstate() function in gpsd/packet.c of gpsd versions prior to commit ffa1d6f40bca0b035fc7f5e563160ebb67199da7. When parsing a NAVCOM packet, the payload length is calculated using lexer->length = (size_t)c - 4 without checking if the input byte c is less than 4. This results in an unsigned integer underflow, setting lexer->length to a very large value (near SIZE_MAX). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition.
Weakness
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gpsd | Gpsd_project | * | 3.27.1 (excluding) |
| Red Hat Enterprise Linux 10 | RedHat | gpsd-1:3.26.1-1.el10_1.1 | * |
| Red Hat Enterprise Linux 9 | RedHat | gpsd-minimal-1:3.26.1-1.el9_7.1 | * |
| Gpsd | Ubuntu | devel | * |
| Gpsd | Ubuntu | jammy | * |
| Gpsd | Ubuntu | noble | * |
| Gpsd | Ubuntu | plucky | * |
| Gpsd | Ubuntu | questing | * |
| Gpsd | Ubuntu | upstream | * |