Release of Invalid Pointer or Reference Affecting nanopb package, versions <2.30908.0
- Snyk ID SNYK-COCOAPODS-NANOPB-5725774
- published 12 Jan 2022
- disclosed 23 Mar 2021
- credit Unknown
Introduced: 23 Mar 2021
CVE-2021-21401
How to fix?
Upgrade nanopb to version 2.30908.0 or higher.
Overview
nanopb is a plain-C implementation of Google's Protocol Buffers data format.
Affected versions of this package are vulnerable to Release of Invalid Pointer or Reference. Nanopb is a small code-size Protocol Buffers implementation in ANSI C. In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid free() or realloc() calls if the message type contains a oneof field, and the oneof directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the bytes of the non-pointer field are incorrectly treated as if they were a pointer value, and that value is handed to free() or realloc(). Such message data rarely occurs in normal messages, but it is a concern whenever untrusted data is parsed. This has been fixed in versions 0.3.9.8 and 0.4.5. See the referenced GitHub Security Advisory for more information, including workarounds.
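The following is an added illustration of the failure mode described above; it is not nanopb's code and not the upstream patch. It models a oneof as a C union holding a non-pointer member and a pointer member (the names `OneofMsg`, `decode_number`, `decode_name`, `replay_field_order` and the small allocation registry are all constructed for this example). Decoding the non-pointer field first leaves its bytes in the union; when the pointer field is decoded next, a decoder that reuses the union contents as a pointer would pass those bytes to free()/realloc(). The example detects that condition instead of freeing garbage, and shows the mitigation it demonstrates: zeroing the union storage whenever the active oneof member changes (the actual upstream fix is in the referenced advisory).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a oneof that directly holds a non-pointer field and a
 * pointer field. These are NOT nanopb's real structures or decoder; they only
 * reproduce the shape the advisory describes. */
enum { TAG_NONE = 0, TAG_NUMBER = 1, TAG_NAME = 2 };

typedef struct {
    int which;              /* which oneof member is active */
    union {
        int32_t number;     /* non-pointer field: its bytes live in the union */
        char *name;         /* pointer field: heap buffer owned by the decoder */
    } u;
} OneofMsg;

/* Small allocation registry so the example can recognise stale bytes before
 * they are ever handed to free()/realloc(). */
#define MAX_ALLOCS 16
static void *live_allocs[MAX_ALLOCS];

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; p != NULL && i < MAX_ALLOCS; i++) {
        if (live_allocs[i] == NULL) { live_allocs[i] = p; return p; }
    }
    free(p);                /* registry full (or malloc failed): refuse */
    return NULL;
}

static int is_live_alloc(const void *p) {
    for (int i = 0; i < MAX_ALLOCS; i++)
        if (p != NULL && live_allocs[i] == p) return 1;
    return 0;
}

static void tracked_free(void *p) {
    for (int i = 0; i < MAX_ALLOCS; i++)
        if (p != NULL && live_allocs[i] == p) { live_allocs[i] = NULL; free(p); return; }
}

/* True when the pointer member holds something that is neither NULL nor a
 * live allocation: exactly the value an invalid free()/realloc() would get. */
static int pointer_member_is_stale(const OneofMsg *m) {
    return m->u.name != NULL && !is_live_alloc(m->u.name);
}

/* Decode the non-pointer member. clear_on_switch selects the behaviour:
 * 0 leaves whatever the union held (vulnerable pattern), 1 zeroes the union
 * storage whenever the active member changes (the mitigation). */
static void decode_number(OneofMsg *m, int32_t v, int clear_on_switch) {
    if (m->which == TAG_NAME) tracked_free(m->u.name);   /* release old pointer member */
    if (clear_on_switch && m->which != TAG_NUMBER) memset(&m->u, 0, sizeof m->u);
    m->which = TAG_NUMBER;
    m->u.number = v;
}

/* Decode the pointer member. Returns 0 on success, -1 if the decoder would
 * have passed stale non-pointer bytes to free()/realloc(), -2 on OOM. */
static int decode_name(OneofMsg *m, const char *s, int clear_on_switch) {
    if (m->which != TAG_NAME && clear_on_switch) memset(&m->u, 0, sizeof m->u);
    m->which = TAG_NAME;
    /* A real decoder reallocates m->u.name here. If the union still carries
     * the number's bytes, that pointer is garbage. */
    if (pointer_member_is_stale(m)) return -1;
    tracked_free(m->u.name);                /* drop any earlier real buffer */
    size_t n = strlen(s) + 1;
    m->u.name = tracked_malloc(n);
    if (m->u.name == NULL) return -2;
    memcpy(m->u.name, s, n);
    return 0;
}

static void release_msg(OneofMsg *m) {
    if (m->which == TAG_NAME && is_live_alloc(m->u.name)) tracked_free(m->u.name);
    memset(m, 0, sizeof *m);
}

/* Replay the field order from the advisory (non-pointer field first, then the
 * pointer field of the same oneof). Returns decode_name's result. */
static int replay_field_order(int clear_on_switch) {
    OneofMsg m;
    memset(&m, 0, sizeof m);
    decode_number(&m, 0x12345678, clear_on_switch);        /* constructed input */
    int rc = decode_name(&m, "untrusted-input", clear_on_switch);
    release_msg(&m);
    return rc;
}

int main(void) {
    printf("without clearing the union: %d (stale bytes would reach free)\n", replay_field_order(0));
    printf("clearing on member switch:  %d (decode completes)\n", replay_field_order(1));
    return 0;
}
```

The registry is only there so the example can observe the hazard safely; a real decoder has no such check, which is why the advisory recommends upgrading rather than relying on input filtering. The defensive point carried over from the example is that union storage shared by pointer and non-pointer members must be cleared when the active member changes, so a pointer member never inherits bytes written by a different member.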