Fix invalid free() with oneof (#647)
Nanopb would call free() or realloc() on an invalid
(attacker controlled) pointer value when all the following
conditions are true:

- PB_ENABLE_MALLOC is defined at compile time
- Message definition contains a oneof field, and the oneof
  contains at least one pointer type field and at least one
  non-pointer type field.
- Data being decoded first contains a non-pointer value for
  the oneof field, and later contains an overwriting pointer
  value.

Depending on message layout, the bug may not be exploitable in all
cases, but it is known to be exploitable at least with string and
bytes fields. Actual security impact will also depend on the heap
implementation used.
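To make the failure mode in the commit message concrete, here is an added, self-contained C model of a oneof whose members share storage; it is not nanopb's code and simplifies its layout (a `which` tag plus a union, instead of `pb_field_iter_t`). It shows why the pointer slot must be reset to NULL when the oneof switches to a pointer-typed member: otherwise the bytes of the earlier non-pointer value are what `realloc()` would receive. The `reset_pointer` flag selects the pre-fix or post-fix behaviour; the value `0x41414141` is a constructed stand-in for decoder-controlled input.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (assumption: not nanopb's real layout). Both members of
 * the oneof occupy the same storage, as they do in a generated nanopb struct. */
typedef enum { TAG_NONE = 0, TAG_INT32 = 1, TAG_STRING = 2 } which_t;

typedef struct {
    which_t which;
    union {
        int32_t number;   /* non-pointer member */
        char *text;       /* pointer member, heap allocated (PB_ENABLE_MALLOC) */
    } u;
} oneof_msg_t;

/* Release whatever the oneof currently holds, then select the new member.
 * reset_pointer == 1 mirrors the fix: NULL the pointer slot before reuse. */
static void select_member(oneof_msg_t *m, which_t new_which, int reset_pointer)
{
    if (m->which == TAG_STRING) {
        free(m->u.text);
        m->u.text = NULL;
    }
    m->which = new_which;
    if (new_which == TAG_STRING && reset_pointer) {
        /* Fixed behaviour: the slot is valid even if decoding fails later. */
        m->u.text = NULL;
    }
}

/* Returns 1 if, after decoding a non-pointer value and then switching the
 * oneof to the pointer member, the pointer slot is NULL (safe for realloc). */
int pointer_slot_is_safe_after_switch(int reset_pointer)
{
    oneof_msg_t m;
    memset(&m, 0, sizeof m);
    /* First occurrence of the oneof: a non-pointer value; its bytes land in
     * the same storage the pointer member uses (constructed value). */
    select_member(&m, TAG_INT32, reset_pointer);
    m.u.number = 0x41414141;
    /* Second occurrence selects the pointer member. */
    select_member(&m, TAG_STRING, reset_pointer);
    return m.u.text == NULL;
}

/* Allocate into the pointer member via realloc(), as a decoder would for a
 * string field. Only safe if m->u.text is NULL or a live allocation. */
static int store_text(oneof_msg_t *m, const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = realloc(m->u.text, len);
    if (!p) return 0;
    memcpy(p, s, len);
    m->u.text = p;
    return 1;
}

/* Full sequence with the fix applied: int32, then string, then release. */
int roundtrip_with_fix(void)
{
    oneof_msg_t m;
    memset(&m, 0, sizeof m);
    select_member(&m, TAG_INT32, 1);
    m.u.number = 12345;
    select_member(&m, TAG_STRING, 1);
    int ok = store_text(&m, "hello");
    int match = ok && strcmp(m.u.text, "hello") == 0;
    select_member(&m, TAG_NONE, 1);  /* frees the string */
    return match;
}
```

Calling `pointer_slot_is_safe_after_switch(0)` models the pre-fix path and returns 0 because the stale integer bytes are still in the slot; with the reset it returns 1. A regression test for the real library would decode a message with exactly that field order under `PB_ENABLE_MALLOC`, ideally under AddressSanitizer or a hardened allocator so that a bad `realloc()` argument is reported rather than silently corrupting the heap.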
PetteriAimonen committed Mar 20, 2021
1 parent 9cbe4ae commit e2f0ccf
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions pb_decode.c
Expand Up @@ -1203,6 +1203,14 @@ static bool pb_release_union_field(pb_istream_t *stream, pb_field_iter_t *field)

pb_release_single_field(&old_field);

if (PB_ATYPE(field->type) == PB_ATYPE_POINTER)
{
/* Initialize the pointer to NULL to make sure it is valid
* even in case of error return. */
*(void**)field->pField = NULL;
field->pData = NULL;
}

return true;
}
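Review bot: the NULL reset is only applied when the incoming field is `PB_ATYPE_POINTER`, so the non-pointer branch leaves the old union bytes in place; a short comment stating why that is acceptable (the non-pointer value is written over the storage in place, and `pb_release_single_field(&old_field)` has already freed any previous pointer member) would save the next reader from wondering whether that branch is the same bug in disguise. Also, since the commit message says the problem only triggers when a non-pointer value precedes a pointer value in the same oneof, consider adding a regression test that decodes exactly that sequence under `PB_ENABLE_MALLOC`, so the `*(void**)field->pField = NULL;` and `field->pData = NULL;` lines are covered rather than relying on the comment alone.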
