|author||Petteri Aimonen <firstname.lastname@example.org>||Sat Mar 20 07:45:04 2021|
|committer||Petteri Aimonen <email@example.com>||Sat Mar 20 07:59:09 2021|
Fix invalid free() with oneof (#647)

Nanopb would call free() or realloc() on an invalid (attacker controlled) pointer value when all the following conditions are true:

- PB_ENABLE_MALLOC is defined at compile time
- Message definition contains a oneof field, and the oneof contains at least one pointer type field and at least one non-pointer type field.
- Data being decoded first contains a non-pointer value for the oneof field, and later contains an overwriting pointer value.

Depending on message layout, the bug may not be exploitable in all cases, but it is known to be exploitable at least with string and bytes fields. Actual security impact will also depend on the heap implementation used.
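The bug class described in the commit message is a discriminated union whose pointer member is released or reallocated based on the raw union bytes rather than on the tag. The following added example (not nanopb's own code; the oneof_msg type, its tag values and the helper names are hypothetical) models a oneof with one integer member and one heap-allocated string member, and shows the defensive rule: consult the tag before every free()/realloc(), and reset the pointer to NULL when the oneof switches from a non-pointer member to the pointer member, so stale integer bytes are never handed to the allocator.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical tagged union modelling a protobuf oneof with one
 * non-pointer member (number) and one pointer member (text).
 * These are illustration types, not nanopb's generated structs. */
typedef enum { ONEOF_NONE = 0, ONEOF_NUMBER = 1, ONEOF_TEXT = 2 } oneof_tag;

typedef struct {
    oneof_tag which_value;
    union {
        int32_t number;
        char *text;   /* heap-allocated only when which_value == ONEOF_TEXT */
    } value;
} oneof_msg;

/* Release any heap memory owned by the oneof. The tag decides whether the
 * union bytes are a valid pointer; never call free() on the bytes alone. */
void oneof_release(oneof_msg *m)
{
    if (m->which_value == ONEOF_TEXT) {
        free(m->value.text);
    }
    m->which_value = ONEOF_NONE;
    m->value.text = NULL;
}

/* Store the integer member, freeing a previously held string if present. */
void oneof_set_number(oneof_msg *m, int32_t n)
{
    oneof_release(m);
    m->which_value = ONEOF_NUMBER;
    m->value.number = n;
}

/* Store the string member. Returns 1 on success, 0 on allocation failure.
 * If the previous member was the integer, the union bytes are garbage when
 * read as a pointer, so they must not reach realloc(). Resetting the
 * pointer to NULL first makes realloc() behave like malloc(). */
int oneof_set_text(oneof_msg *m, const char *s)
{
    char *buf;
    size_t len = strlen(s) + 1;
    if (m->which_value != ONEOF_TEXT) {
        oneof_release(m);          /* tag is not TEXT: discard stale bytes */
    }
    buf = realloc(m->value.text, len);   /* NULL -> fresh allocation */
    if (buf == NULL) {
        return 0;
    }
    memcpy(buf, s, len);
    m->value.text = buf;
    m->which_value = ONEOF_TEXT;
    return 1;
}

/* Simulate the sequence from the bug report: the decoder first sees the
 * integer member for the oneof, then an overwriting string member.
 * Returns 1 if every transition left the tag and payload consistent. */
int oneof_demo_overwrite(void)
{
    oneof_msg m;
    int ok;
    memset(&m, 0, sizeof m);
    oneof_set_number(&m, 42);               /* non-pointer value first */
    ok = (m.which_value == ONEOF_NUMBER && m.value.number == 42);
    ok = ok && oneof_set_text(&m, "hello"); /* pointer value overwrites it */
    ok = ok && m.which_value == ONEOF_TEXT && strcmp(m.value.text, "hello") == 0;
    ok = ok && oneof_set_text(&m, "hello again"); /* same member: realloc is valid */
    ok = ok && strcmp(m.value.text, "hello again") == 0;
    oneof_set_number(&m, 7);                /* back to integer: string is freed */
    ok = ok && m.which_value == ONEOF_NUMBER && m.value.number == 7;
    oneof_release(&m);
    return ok && m.which_value == ONEOF_NONE && m.value.text == NULL;
}
```

The same rule applies when a message is released: walk the oneof's tag, not its storage, and treat every tag transition out of the pointer member as the point where ownership ends.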
Nanopb is a small code-size Protocol Buffers implementation in ANSI C. It is especially suitable for use in microcontrollers, but fits any memory restricted system.
To use the nanopb library, you need to do two things:
The easiest way to get started is to study the project in "examples/simple". It contains a Makefile, which should work directly under most Linux systems. However, for any other kind of build system, see the manual steps in README.txt in that folder.

The nanopb generator is implemented as a plugin for Google's own protoc compiler. This has the advantage that there is no need to reimplement the basic parsing of .proto files. However, it does mean that you need Google's protobuf library in order to run the generator.
If you have downloaded a binary package for nanopb (either Windows, Linux or Mac OS X version), the protoc binary is included in the "generator-bin" folder. In this case, you are ready to go. Simply run this command:

    generator-bin/protoc --nanopb_out=. myprotocol.proto
However, if you are using a git checkout or a plain source distribution, you need to provide your own version of protoc and Google's protobuf library. On Linux, the necessary packages are python-protobuf. On Windows, you can either build Google's protobuf library from source or use one of the binary distributions of it. In either case, if you use a separate protoc, you need to manually give the path to the nanopb generator:

    protoc --plugin=protoc-gen-nanopb=nanopb/generator/protoc-gen-nanopb ...
If you want to perform further development of the nanopb core, or to verify its functionality using your compiler and platform, you'll want to run the test suite. The build rules for the test suite are implemented using Scons, so you need to have that installed (e.g. "sudo apt install scons" on Ubuntu). To run the tests:

    cd tests
    scons
This will show the progress of various test cases. If the output does not end in an error, the test cases were successful.
Note: Mac OS X by default aliases "clang" as "gcc", while not actually supporting the same command line options as gcc does. To run tests on Mac OS X, use: "scons CC=clang CXX=clang". The same way can be used to run tests with different compilers on any platform.