PT-2020-16371 · Nanopb+2
Petteri Aimonen · Published 2020-11-25 · Updated 2024-06-15
CVE-2020-26243
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Nanopb versions prior to 0.3.9.7
Nanopb versions prior to 0.4.4
Description
Decoding specially formed messages can leak memory if dynamic allocation is enabled, a oneof field contains a static submessage that in turn contains a dynamic field, and the message being decoded contains that submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed.
Recommendations
For versions prior to 0.3.9.7, update to version 0.3.9.7 to resolve the issue.
For versions prior to 0.4.4, update to version 0.4.4 to resolve the issue.
As a temporary workaround, consider setting the option no_unions for the oneof field so that its members are generated as separate fields instead of a C union.
Alternatively, set the type of the submessage field inside the oneof to FT_POINTER to dynamically allocate the whole submessage.
Using an arena allocator for nanopb can also ensure all memory can be released afterwards.
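The following .proto file is an added example, not part of the advisory and not code from the nanopb project. It shows the message shape the advisory describes (a oneof holding a static submessage that itself has a dynamically allocated field) next to the two workarounds above expressed as nanopb options. Message and field names (Payload, chunks, EnvelopeBefore, EnvelopeNoUnion, EnvelopePointer, body, code) are hypothetical; the option names no_unions and FT_POINTER and the nanopb.proto extension names are the real ones.

```protobuf
// Added example (not from the advisory or the nanopb project). Message and
// field names are hypothetical; option names are nanopb's own.
syntax = "proto3";
import "nanopb.proto";

// The submessage from the advisory: it holds a dynamically allocated field.
message Payload {
  // FT_POINTER makes nanopb allocate this array during decoding, so the
  // decoded struct must later be released with pb_release().
  repeated int32 chunks = 1 [(nanopb).type = FT_POINTER];
}

// Shape affected in the vulnerable versions: a oneof whose member is a
// statically allocated Payload. A message that repeats field 1 is the
// case the advisory describes as leaking the earlier chunks allocation.
message EnvelopeBefore {
  oneof body {
    Payload payload = 1;
    int32 code = 2;
  }
}

// Workaround 1 from the advisory: generate the oneof members as separate
// struct fields instead of a C union.
message EnvelopeNoUnion {
  option (nanopb_msgopt).no_unions = true;
  oneof body {
    Payload payload = 1;
    int32 code = 2;
  }
}

// Workaround 2 from the advisory: allocate the whole submessage dynamically.
message EnvelopePointer {
  oneof body {
    Payload payload = 1 [(nanopb).type = FT_POINTER];
    int32 code = 2;
  }
}
```

Whichever form is chosen, the decoded struct still has to be passed to pb_release() after use so that every FT_POINTER allocation is freed; the workarounds only change how the oneof is laid out, not the need to release dynamic fields. Upgrading to 0.3.9.7 or 0.4.4 remains the actual fix.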
Affected Products
Linuxmint
Nanopb
Ubuntu