summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2014-09-11Update changelogPetteri Aimonen1-0/+8
2014-09-11Add a fuzz testing stub for ability to use external generators alsoPetteri Aimonen5-0/+209
2014-09-11Protect against size_t overflows in pb_dec_bytes/pb_dec_string.Petteri Aimonen1-7/+13
Possible consequences of bug: 1) Denial of service by causing a crash Possible when all of the following apply: - Untrusted data is passed to pb_decode() - The top-level message contains a static string field as the first field. Causes a single write of '0' byte to 1 byte before the message struct. 2) Remote code execution Possible when all of the following apply: - 64-bit platform - The message or a submessage contains a static/pointer string field. - Decoding directly from a custom pb_istream_t - bytes_left on the stream is set to larger than 4 GB Causes a write of up to 4 GB of data past the string field. 3) Possible heap corruption or remote code execution Possible when all of the following apply: - less than 64-bit platform - The message or a submessage contains a pointer-type bytes field. Causes a write of sizeof(pb_size_t) bytes of data past a 0-byte long malloc()ed buffer. On many malloc() implementations, this causes at most a crash. However, remote code execution through a controlled jump cannot be ruled out. -- Detailed analysis follows In the following consideration, I define "platform bitness" as equal to number of bits in size_t datatype. Therefore most 8-bit platforms are regarded as 16-bit for the purposes of this discussion. 1. The overflow in pb_dec_string The overflow happens in this computation: uint32_t size; size_t alloc_size; alloc_size = size + 1; There are two ways in which the overflow can occur: In the uint32_t addition, or in the cast to size_t. This depends on the platform bitness. On 32- and 64-bit platforms, the size has to be UINT32_MAX for the overflow to occur. In that case alloc_size will be 0. On 16-bit platforms, overflow will happen whenever size is more than UINT16_MAX, and resulting alloc_size is attacker controlled. For static fields, the alloc_size value is just checked against the field data size. For pointer fields, the alloc_size value is passed to malloc(). End result in both cases is the same, the storage is 0 or just a few bytes in length. On 16-bit platforms, another overflow occurs in the call to pb_read(), when passing the original size. An attacker will want the passed value to be larger than the alloc_size, therefore the only reasonable choice is to have size = UINT16_MAX and alloc_size = 0. Any larger multiple will truncate to the same values. At this point we have read atleast the tag and the string length of the message, i.e. atleast 3 bytes. The maximum initial value for stream bytes_left is SIZE_MAX, thus at this point at most SIZE_MAX-3 bytes are remaining. On 32-bit and 16-bit platforms this means that the size passed to pb_read() is always larger than the number of remaining bytes. This causes pb_read() to fail immediately, before reading any bytes. On 64-bit platforms, it is possible for the bytes_left value to be set to a value larger than UINT32_MAX, which is the wraparound point in size calculation. In this case pb_read() will succeed and write up to 4 GB of attacker controlled data over the RAM that comes after the string field. On all platforms, there is an unconditional write of a terminating null byte. Because the size of size_t typically reflects the size of the processor address space, a write at UINT16_MAX or UINT32_MAX bytes after the string field actually wraps back to before the string field. Consequently, on 32-bit and 16-bit platforms, the bug causes a single write of '0' byte at one byte before the string field. If the string field is in the middle of a message, this will just corrupt other data in the message struct. Because the message contents is attacker controlled anyway, this is a non-issue. However, if the string field is the first field in the top-level message, it can corrupt other data on the stack/heap before it. Typically a single '0' write at a location not controlled by attacker is enough only for a denial-of-service attack. When using pointer fields and malloc(), the attacker controlled alloc_size will cause a 0-size allocation to happen. By the same logic as before, on 32-bit and 16-bit platforms this causes a '0' byte write only. On 64-bit platforms, however, it will again allow up to 4 GB of malicious data to be written over memory, if the stream length allows the read. 2. The overflow in pb_dec_bytes This overflow happens in the PB_BYTES_ARRAY_T_ALLOCSIZE macro: The computation is done in size_t data type this time. This means that an overflow is possible only when n is larger than SIZE_MAX - offsetof(..). The offsetof value in this case is equal to sizeof(pb_size_t) bytes. Because the incoming size value is limited to 32 bits, no overflow can happen here on 64-bit platforms. The size will be passed to pb_read(). Like before, on 32-bit and 16-bit platforms the read will always fail before writing anything. This leaves only the write of bdest->size as exploitable. On statically allocated fields, the size field will always be allocated, regardless of alloc_size. In this case, no buffer overflow is possible here, but user code could possibly use the attacker controlled size value and read past a buffer. If the field is allocated through malloc(), this will allow a write of sizeof(pb_size_t) attacker controlled bytes to past a 0-byte long buffer. In typical malloc implementations, this will either fit in unused alignment padding area, or cause a heap corruption and a crash. Under very exceptional situation it could allow attacker to influence the behaviour of malloc(), possibly jumping into an attacker-controlled location and thus leading to remote code execution.
2014-09-11Add just-to-be-sure check to allocate_field().Petteri Aimonen1-5/+11
This check will help to detect bugs earlier, and is quite lightweight compared to malloc() anyway.
2014-09-11Fix memory leak with duplicated fields and PB_ENABLE_MALLOC.Petteri Aimonen1-44/+60
If a required or optional field appeared twice in the message data, pb_decode will overwrite the old data with new one. That is fine, but with submessage fields, it didn't release the allocated subfields before overwriting. This bug can manifest if all of the following conditions are true: 1. There is a message with a "optional" or "required" submessage field that has type:FT_POINTER. 2. The submessage contains atleast one field with type:FT_POINTER. 3. The message data to be decoded has the submessage field twice in it.
2014-09-11Fix crash in pb_release() if called twice on same message.Petteri Aimonen1-10/+15
There was a double-free bug in pb_release() because it didn't set size fields to zero after deallocation. Most commonly this happens if pb_decode() fails, internally calls pb_release() and then application code also calls pb_release().
2014-09-11Add a better fuzz test.Petteri Aimonen8-1/+565
Attempts to verify all the properties defined in the security model, while also being portable and able to run on many platforms.
2014-09-07Add test case for simulated io errors.Petteri Aimonen5-0/+203
Update issue 126 Status: FixedInGit
2014-09-07Add a few missing unit testsPetteri Aimonen3-0/+36
2014-09-07Fix compilation error with generated initializers for repeated pointer fieldsPetteri Aimonen1-0/+2
2014-09-07Code coverage results were ignoring the data from encode/decode unittests.Petteri Aimonen1-3/+3
Update issue 126 Status: Started
2014-09-07Update security model with regards to pointer fieldsPetteri Aimonen1-5/+7
2014-08-28Fix cyclic messages support in generator. Beginnings of test.Petteri Aimonen5-1/+192
Update issue 130 Status: Started
2014-08-26Add missing * in migration docsPetteri Aimonen1-2/+2
2014-08-26Setting version to 0.3.1-devPetteri Aimonen2-2/+2
2014-08-26Publishing nanopb-0.3.0Petteri Aimonen2-2/+2
2014-08-26Update changelogPetteri Aimonen2-1/+13
2014-08-26Add pb_common.c to examplesPetteri Aimonen3-3/+4
2014-08-19Add #if guard for .pb.h version.Petteri Aimonen6-115/+384
The version in PB_PROTO_HEADER_VERSION can be bumped whenever there is a breaking change to the generated files, and it will then alert to the difference. Update issue 129 Status: FixedInGit
2014-08-18Rename poorly named identifier to avoid name conflicts.Petteri Aimonen7-28/+66
Update issue 106 Status: FixedInGit
2014-08-18Rename UNUSED() and STATIC_ASSERT() macros with PB_ prefix.Petteri Aimonen5-31/+35
This avoids possible namespace conflicts with other macros.
2014-08-18Change the _count fields to use pb_size_t datatype.Petteri Aimonen8-44/+77
Update issue 82 Status: FixedInGit
2014-08-10Fix windows build error in testsPetteri Aimonen1-2/+2
2014-08-10Add document detailing migration from old versionsPetteri Aimonen3-1/+189
2014-08-10Switch pb_encode to use the common iterator logic in pb_common.cPetteri Aimonen5-43/+42
Update issue 128 Status: FixedInGit
2014-08-10Separate field iterator logic from pb_decode to pb_common.Petteri Aimonen22-138/+199
2014-08-09Setting version to 0.3.0-devPetteri Aimonen2-2/+2
2014-08-09Publishing nanopb-0.2.9Petteri Aimonen3-3/+3
2014-08-04Update changelogPetteri Aimonen1-0/+13
2014-08-04Generate #defines for initializing message structures.Petteri Aimonen5-20/+84
Usage like: MyMessage foo = MyMessage_init_default; MyMessage_init_default will initialize to default values defined in .proto. MyMessage_init_zero will initialize to null/zero values. Same results as {} or {0}, but will avoid compiler warnings by initializing everything explicitly. Update issue 79 Status: FixedInGit
2014-07-20Add skip_message option to generator.Petteri Aimonen4-3/+17
Update issue 121 Status: FixedInGit
2014-07-20Add support for inverted patterns in test framework.Petteri Aimonen1-3/+14
2014-07-20Cleanup and comment the code of network_server example.Petteri Aimonen2-65/+118
Update issue 123 Status: FixedInGit
2014-07-20Do not automatically add a dot with generator -e option.Petteri Aimonen1-6/+6
Now -e option in generator is more versatile. Especially it avoids double-dot problem with some build systems. Given foobar.proto, we now get: -e .pb => foobar.pb.c (default) -e _pb => foobar_pb.c -e '' => foobar.c Note that if you have used -e option previously, you will have to prepend . to the argument to get the same filenames as before. Update issue 122 Status: FixedInGit
2014-07-20Give better messages about the .options file path.Petteri Aimonen1-1/+10
Update issue 124 Status: FixedInGit
2014-07-20Fix problem with .options file and extension fields.Petteri Aimonen6-2/+34
The options for an extension field were being looked up under wrong name (MessageName instead of MessageName.fieldname). Fixed the problem and added regression test. Created a new subfolder for regression test cases. Update issue 125 Status: FixedInGit
2014-06-02Add unit tests for allocate_field().Petteri Aimonen1-0/+23
2014-06-02Make clearer that size = 0 in allocate_field() is not allowed.Petteri Aimonen1-17/+12
Back in design phase the code used realloc() for freeing the memory also. However, this is not entirely portable, and therefore the finished implementation used free() separately. There were some remnants of the size = 0 code in the allocate_field() code, which made it somewhat confusing. This change makes it clearer that size = 0 is not allowed (and not used by nanopb).
2014-06-02Don't use SIZE_MAX macro, as it is not in C89.Petteri Aimonen1-1/+2
Update issue 120 Status: FixedInGit
2014-05-30Add PB_PACKED_STRUCT support for Keil MDK-ARM toolchainPetteri Aimonen1-2/+2
Patch from Jon Read. Update issue 119 Status: FixedInGit
2014-05-20Setting version to 0.2.9-devPetteri Aimonen2-2/+2
2014-05-20Update changelog for 0.2.8Petteri Aimonen1-0/+6
2014-05-20Publishing nanopb-0.2.8Petteri Aimonen2-2/+2
2014-05-17Fix bug in alltypes test case that made fuzzing difficult.Petteri Aimonen5-0/+7
2014-05-17Fix security issue with PB_ENABLE_MALLOC.Petteri Aimonen1-2/+22
The multiplication in allocate_field could potentially overflow, leading to allocating too little memory. This could subsequently allow an attacker to cause a write past the buffer, overwriting other memory contents. The attack is possible if untrusted message data is decoded using nanopb, and the message type includes a pointer-type string or bytes field, or a repeated numeric field. Submessage fields are not affected. This issue only affects systems that have been compiled with PB_ENABLE_MALLOC enabled. Only version nanopb-0.2.7 is affected, as prior versions do not include this functionality. Update issue 117 Status: FixedInGit
2014-04-26Docs update, remove malloc from limitations listPetteri Aimonen1-1/+0
2014-04-18Add option to not add timestamps to .pb.h and .pb.c preambles.Petteri Aimonen1-2/+10
Patch by rusnakp. Update issue 115 Status: FixedInGit
2014-04-15Fix typos in scons command line optionsPetteri Aimonen1-2/+2
2014-04-15Remove -O0 from tests CFLAGS so that optimized builds can be tested alsoPetteri Aimonen1-4/+4
2014-04-09Fix bug in missing_fields test casePetteri Aimonen1-2/+5