CVE-2020-26243: Improper Input Validation
(updated )
Nanopb is a small code-size Protocol Buffers implementation. The following workarounds are available: 1) Set the option no_unions for the oneof field. This will generate fields as separate instead of C union, and avoids triggering the problematic code. 2) Set the type of the submessage field inside oneof to FT_POINTER. This way the whole submessage will be dynamically allocated and the problematic code is not executed. 3) Use an arena allocator for nanopb, to make sure all memory can be released afterwards.
References
- github.com/advisories/GHSA-85rr-4rh9-hhwh
- github.com/nanopb/nanopb/blob/2b48a361786dfb1f63d229840217a93aae064667/CHANGELOG.txt
- github.com/nanopb/nanopb/commit/4fe23595732b6f1254cfc11a9b8d6da900b55b0c
- github.com/nanopb/nanopb/issues/615
- github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh
- nvd.nist.gov/vuln/detail/CVE-2020-26243
Detect and mitigate CVE-2020-26243 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →