Nanopb is vulnerable to denial of service. Decoding a specifically formed message can cause invalid free()
or realloc()
calls if the message type contains an oneof
field, and the oneof
directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it was a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed.
github.com/nanopb/nanopb/blob/c9124132a604047d0ef97a09c0e99cd9bed2c818/CHANGELOG.txt#L1
github.com/nanopb/nanopb/commit/e2f0ccf939d9f82931d085acb6df8e9a182a4261
github.com/nanopb/nanopb/issues/647
github.com/nanopb/nanopb/security/advisories/GHSA-7mv5-5mxh-qg88
security-tracker.debian.org/tracker/CVE-2021-21401