Closed hucarxiao closed 6 months ago
Thanks, I believe this is low priority. C-Dogs SDL uses fixed message types, and none contain the exact specific message format problem (oneof directly contains both a pointer field and a non-pointer field) so it is impossible for users to exploit this.
Version: latest
What is the security issue or vulnerability? /nanopb/pb_decode.c In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid free() or realloc() calls if the message type contains a oneof field, and the oneof directly contains both a pointer field and a non-pointer field. Starting from line 1195: pb_release_single_field(&old_field);
Security issue or vulnerability information description: https://nvd.nist.gov/vuln/detail/CVE-2021-21401
Commit: https://github.com/nanopb/nanopb/commit/e2f0ccf939d9f82931d085acb6df8e9a182a4261
Could you apply for another new CVE and fix it?
Fix invalid free() with oneof (https://github.com/nanopb/nanopb/issues/647)
Nanopb would call free() or realloc() on an invalid (attacker controlled) pointer value when all the following conditions are true:
Depending on message layout, the bug may not be exploitable in all cases, but it is known to be exploitable at least with string and bytes fields. Actual security impact will also depend on the heap implementation used.
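The union hazard the report and the commit message describe, as an added C example that is not nanopb's code: a oneof modelled as a tagged union whose non-pointer member is set first, and a decode step for the pointer member that discards the previous member's bytes before anything reaches realloc(). The message layout, tag names and decode functions are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical message with a oneof holding a non-pointer member (int32)
   and a pointer member (a heap-allocated string), in the shape of the
   generated structs the issue describes. Assumed layout, not nanopb code. */
enum { TAG_NONE = 0, TAG_NUMBER = 1, TAG_NAME = 2 };
typedef struct {
    int which;              /* which oneof member is currently active */
    union {
        int32_t number;     /* non-pointer field */
        char *name;         /* pointer field, allocated by the decoder */
    } u;
} msg_t;

msg_t demo_msg;             /* zero-initialised message for the demo */

/* The bits the union holds when read as the pointer member, whatever member
   is active. A decoder that passes this straight to realloc() after `number`
   was set hands the allocator an integer: the bug class in the report. */
uintptr_t name_slot_as_pointer(const msg_t *m) {
    return (uintptr_t)m->u.name;
}

/* Decode of the pointer member: if another oneof member was active, its
   bytes are discarded before the slot is treated as a pointer, so realloc()
   only ever sees NULL or a pointer this decoder allocated earlier. */
int decode_name(msg_t *m, const char *wire, size_t len) {
    if (m->which != TAG_NAME) {
        memset(&m->u, 0, sizeof m->u);   /* old member (number) held no pointer */
        m->which = TAG_NAME;
    }
    char *p = realloc(m->u.name, len + 1);
    if (!p) return 0;
    memcpy(p, wire, len);
    p[len] = '\0';
    m->u.name = p;
    return 1;
}

/* Decode of the non-pointer member: release the string if it was active. */
void decode_number(msg_t *m, int32_t v) {
    if (m->which == TAG_NAME) free(m->u.name);
    memset(&m->u, 0, sizeof m->u);
    m->u.number = v;
    m->which = TAG_NUMBER;
}
```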