Impact
Problem affects all nanopb versions since PB_ENABLE_MALLOC support was added in nanopb-0.2.7.
When the following conditions apply:
- nanopb is compiled with PB_ENABLE_MALLOC, and
- the message to be decoded contains a repeated string, bytes or message field and realloc() runs out of memory when expanding the array,
nanopb can end up calling free() on a pointer value that comes from uninitialized memory. Depending on the platform this can result in a crash or further memory corruption, which may be exploitable in some cases.
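The failure mode described above, as an added illustration in C that is not nanopb's code: a simplified model of a repeated string field whose element count is committed before realloc() has succeeded, beside a version that only exposes a new slot after it has been allocated and initialized. The realloc() hook, the str_array type and the function names are constructed for this demonstration.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a PB_ENABLE_MALLOC repeated string field: heap array of heap strings. */
typedef struct { char **items; size_t count; } str_array;
static bool fail_next_realloc = false;  /* hypothetical hook: make one realloc() fail as on OOM */
static void *hook_realloc(void *p, size_t n) {
    if (fail_next_realloc) { fail_next_realloc = false; return NULL; }
    return realloc(p, n);
}
static char *dup_str(const char *s) {   /* portable strdup */
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}

/* Unsafe growth (models the defect): count is committed before realloc() succeeds, so on
 * failure it covers a slot that was never written and cleanup hands garbage to free(). */
static bool grow_unsafe(str_array *a, const char *s) {
    a->count++;
    char **p = hook_realloc(a->items, a->count * sizeof *p);
    if (p == NULL) return false;
    a->items = p;
    a->items[a->count - 1] = dup_str(s);
    return true;
}
/* Safe growth: reallocate and initialize the new slot first, then expose it through count. */
static bool grow_safe(str_array *a, const char *s) {
    char **p = hook_realloc(a->items, (a->count + 1) * sizeof *p);
    if (p == NULL) return false;        /* count unchanged: cleanup stays in bounds */
    a->items = p;
    a->items[a->count] = dup_str(s);
    a->count++;
    return true;
}
static void release(str_array *a) {     /* the cleanup path that trusts count */
    for (size_t i = 0; i < a->count; i++) free(a->items[i]);
    free(a->items);
}

/* Grow once, then once under simulated OOM; return the count cleanup would trust. */
static size_t count_after_failed_growth(bool (*grow)(str_array *, const char *)) {
    str_array a = { NULL, 0 };
    grow(&a, "first");
    fail_next_realloc = true;
    grow(&a, "second");                 /* fails: realloc() returned NULL */
    size_t seen = a.count;              /* 1 is in bounds, 2 reaches past the real allocation */
    if (seen > 1) a.count = 1;          /* demo only: keep release() in bounds */
    release(&a);
    return seen;
}
```

Running the unsafe variant under a sanitizer with the count left untouched would report the invalid free; the demo clamps it so the comparison can run cleanly.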
Patches
Problem is fixed in nanopb-0.4.1, nanopb-0.3.9.5, nanopb-0.2.9.4.
Patches are available in git commits 45582f1 (0.4 series), aa9d0d1 (0.3 series) and 7b39682 (0.2 series).
Workarounds
Problem can be avoided by limiting the input message length to a small enough value that the system doesn't run out of memory. The maximum length will depend on the message type used.
Acknowledgements
This problem was found using Google's OSSFuzz project.