CVE-2021-21401: nanopb vulnerable to invalid free() call with oneofs and PB_ENABLE_MALLOC
Decoding a specifically formed message can cause invalid free() or realloc() calls if the message type contains an oneof field, and the oneof directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it was a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed.
References
- github.com/advisories/GHSA-7mv5-5mxh-qg88
- github.com/nanopb/nanopb
- github.com/nanopb/nanopb/blob/c9124132a604047d0ef97a09c0e99cd9bed2c818/CHANGELOG.txt
- github.com/nanopb/nanopb/commit/4a375a560651a86726e5283be85a9231fd0efe9c
- github.com/nanopb/nanopb/commit/e2f0ccf939d9f82931d085acb6df8e9a182a4261
- github.com/nanopb/nanopb/issues/647
- github.com/nanopb/nanopb/security/advisories/GHSA-7mv5-5mxh-qg88
- github.com/pypa/advisory-database/tree/main/vulns/nanopb/PYSEC-2021-432.yaml
- nvd.nist.gov/vuln/detail/CVE-2021-21401
Code Behaviors & Features
Detect and mitigate CVE-2021-21401 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →