cxong / cdogs-sdl

Classic overhead run-and-gun game
https://cxong.github.io/cdogs-sdl/
GNU General Public License v2.0
868 stars 115 forks

CVE-apply: In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid `free()` or `realloc()` calls if the message type contains an `oneof` field, and the `oneof` directly contains both a pointer field and a non-pointer field. #829

Closed hucarxiao closed 6 months ago

hucarxiao commented 6 months ago

Version latest

What is the security issue or vulnerability? /nanopb/pb_decode.c: In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid free() or realloc() calls if the message type contains an oneof field, and the oneof directly contains both a pointer field and a non-pointer field.

Starting from line 1195: pb_release_single_field(&old_field);

Security issue or vulnerability information description: https://nvd.nist.gov/vuln/detail/CVE-2021-21401

commit: https://github.com/nanopb/nanopb/commit/e2f0ccf939d9f82931d085acb6df8e9a182a4261

Could you apply for another new CVE and fix it?

Fix invalid free() with oneof (https://github.com/nanopb/nanopb/issues/647)

Nanopb would call free() or realloc() on an invalid (attacker controlled) pointer value when all the following conditions are true:

Depending on message layout, the bug may not be exploitable in all cases, but it is known to be exploitable at least with string and bytes fields. Actual security impact will also depend on the heap implementation used.

cxong commented 6 months ago

Thanks, I believe this is low priority. C-Dogs SDL uses fixed message types, and none contain the exact specific message format problem (oneof directly contains both a pointer field and a non-pointer field) so it is impossible for users to exploit this.
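The maintainer's argument above rests on a property of the project's message schema: no oneof directly mixes a pointer-typed field with an inline one. The script below is an added audit check for that property; it is not code from cdogs-sdl or nanopb. It scans .proto text for oneof blocks and reports those mixing the two kinds. Which fields nanopb compiles as pointers depends on the project's .options file (type:FT_POINTER), so the classification is an assumption the caller supplies: by default string and bytes are treated as pointer fields, and `pointer_fields` lets you mark submessage fields the options file makes FT_POINTER. The sample .proto is constructed for the example.

```python
import re

# proto scalar types that nanopb always stores inline, never as a heap pointer.
SCALAR_TYPES = {
    "int32", "int64", "uint32", "uint64", "sint32", "sint64",
    "fixed32", "fixed64", "sfixed32", "sfixed64",
    "bool", "float", "double",
}

# A field declaration inside a oneof body: "<type> <name> = <number>".
FIELD_RE = re.compile(
    r"^\s*(?:optional\s+|required\s+|repeated\s+)?([\w.]+)\s+(\w+)\s*=\s*(\d+)",
    re.M,
)
# Block openers we care about ("message X {", "oneof y {") and bare braces.
TOKEN_RE = re.compile(r"\b(message|oneof)\s+(\w+)\s*\{|[{}]")


def find_mixed_oneofs(proto_text,
                      pointer_types=frozenset({"string", "bytes"}),
                      pointer_fields=frozenset()):
    """Return [(message, oneof, pointer_fields, inline_fields)] for every oneof
    that directly contains both a pointer-typed and an inline field.

    pointer_types:  proto types the project's nanopb .options compile as
                    FT_POINTER (assumption; default: string and bytes).
    pointer_fields: fully qualified "Msg.field" names forced to pointer, for
                    submessage fields declared FT_POINTER in the .options file.
    Everything else (scalars, enums, static submessages) is treated as inline.
    """
    text = re.sub(r"//[^\n]*", "", proto_text)  # drop line comments
    stack = []  # (kind, name, body_start_offset)
    hits = []
    for tok in TOKEN_RE.finditer(text):
        if tok.group(0) == "}":
            kind, name, start = stack.pop()
            if kind != "oneof":
                continue
            body = text[start:tok.start()]
            msg = ".".join(n for k, n, _ in stack if k == "message")
            ptr, inline = [], []
            for ftype, fname, _num in FIELD_RE.findall(body):
                is_ptr = ftype in pointer_types or f"{msg}.{fname}" in pointer_fields
                (ptr if is_ptr else inline).append(fname)
            if ptr and inline:
                hits.append((msg, name, ptr, inline))
        elif tok.group(0) == "{":
            stack.append(("block", None, tok.end()))
        else:
            stack.append((tok.group(1), tok.group(2), tok.end()))
    return hits


# Constructed sample schema (not from cdogs-sdl) covering the cases of interest.
SAMPLE_PROTO = """
syntax = "proto2";

message SafeScalars {
  oneof kind {            // two inline fields: not affected
    int32 a = 1;
    uint32 b = 2;
  }
}

message Mixed {
  oneof payload {         // pointer string next to inline int32: affected layout
    string name = 1;
    int32 id = 2;
  }
}

message Outer {
  message Inner {
    oneof data {          // two pointer fields: not affected
      bytes blob = 1;
      bytes other = 2;
    }
  }
  optional Inner inner = 1;
}

message WithSub {
  oneof body {            // affected only if 'sub' is compiled FT_POINTER
    Mixed sub = 1;
    int32 n = 2;
  }
}
"""

if __name__ == "__main__":
    for msg, oneof, ptr, inline in find_mixed_oneofs(SAMPLE_PROTO):
        print(f"{msg}.{oneof}: pointer={ptr} inline={inline}")
```

Run it against the project's .proto files with `pointer_types` and `pointer_fields` set to mirror the nanopb .options actually in use; an empty result means no message has the layout the advisory describes, which is the condition the reply above relies on. If strings are compiled with a max_size (FT_STATIC), pass an empty `pointer_types` and the string/int32 mix stops being reported.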