PT-2021-14478 · Nanopb+2

Petteri Aimonen · Published 2021-03-23 · Updated 2024-08-30 · CVE-2021-21401

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Nanopb versions prior to 0.3.9.8 and 0.4.5

Description: Decoding a specifically formed message can cause invalid free() or realloc() calls if the message type contains a oneof field, and the oneof directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it were a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed.

Recommendations: For versions prior to 0.3.9.8, update to version 0.3.9.8. For versions prior to 0.4.5, update to version 0.4.5. As a temporary workaround, consider setting the option no_unions for the oneof field to generate the fields as separate struct members instead of a C union, which avoids triggering the problematic code. Alternatively, set the type of all fields inside the oneof to FT_POINTER to ensure that the data contained inside the union is always a valid pointer. Heap implementations that guard against invalid free() provide a partial mitigation.
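As an added illustration, not part of the advisory or the nanopb project, the oneof layout the advisory describes and the two workarounds expressed as nanopb options in the .proto file; the message and field names are made up for the example, and the generated code must still be built from a fixed nanopb release to close the bug rather than only work around it.

```protobuf
// Added example, not from the advisory: message and field names are invented.
syntax = "proto2";
import "nanopb.proto";

// Affected layout: the generated C union holds a plain int32 (stored
// inline) next to a pointer (bytes generated with FT_POINTER). Message data
// that sets field 1 and then field 2 reaches the decoder path that, in
// versions before 0.3.9.8 / 0.4.5, treats the inline integer as a heap
// pointer and hands it to free() or realloc().
message EnvelopeAffected {
  oneof payload {
    int32 counter = 1;
    bytes blob = 2 [(nanopb).type = FT_POINTER];
  }
}

// Workaround 1: no_unions makes the generator emit the oneof members as
// separate struct fields instead of a C union, so the non-pointer field
// never shares memory with the pointer field.
message EnvelopeNoUnions {
  option (nanopb_msgopt).no_unions = true;
  oneof payload {
    int32 counter = 1;
    bytes blob = 2 [(nanopb).type = FT_POINTER];
  }
}

// Workaround 2: every member of the oneof is a pointer field, so whatever
// the union currently holds is always a valid heap pointer (or NULL).
message EnvelopeAllPointers {
  oneof payload {
    int32 counter = 1 [(nanopb).type = FT_POINTER];
    bytes blob = 2 [(nanopb).type = FT_POINTER];
  }
}
```

Pointer fields require the nanopb runtime to be built with PB_ENABLE_MALLOC, and the same options can be placed in a .options file instead of inline in the .proto.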

Related Identifiers

CVE-2021-21401
GHSA-7MV5-5MXH-QG88
OPENSUSE-SU-2024:11074-1
PYSEC-2021-432
USN-6121-1

Affected Products

Linuxmint
Nanopb
Ubuntu