rik/nanopb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update security model with regards to pointer fields

Browse Source
This commit is contained in:
Petteri Aimonen
2014-09-04 21:19:54 +03:00
parent df7234fd8b
commit d82a264c41
1 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
docs/security.rst
View File

@@ -26,9 +26,9 @@ The following data is regarded as **trusted**. It must be under the control of
the application writer. Malicious data in these structures could cause the application writer. Malicious data in these structures could cause
security issues, such as execution of arbitrary code: security issues, such as execution of arbitrary code:
1. Callback and extension fields in message structures given to pb_encode() 1. Callback, pointer and extension fields in message structures given to
and pb_decode(). These fields are memory pointers, and are generated pb_encode() and pb_decode(). These fields are memory pointers, and are
depending on the .proto file. generated depending on the message definition in the .proto file.
2. The automatically generated field definitions, i.e. *pb_field_t* lists. 2. The automatically generated field definitions, i.e. *pb_field_t* lists.
3. Contents of the *pb_istream_t* and *pb_ostream_t* structures (this does not 3. Contents of the *pb_istream_t* and *pb_ostream_t* structures (this does not
mean the contents of the stream itself, just the stream definition). mean the contents of the stream itself, just the stream definition).
@@ -38,7 +38,7 @@ these will cause "garbage in, garbage out" behaviour. It will not cause
buffer overflows, information disclosure or other security problems: buffer overflows, information disclosure or other security problems:
1. All data read from *pb_istream_t*. 1. All data read from *pb_istream_t*.
2. All fields in message structures, except callbacks and extensions. 2. All fields in message structures, except callbacks, pointers and extensions.
(Beginning with nanopb-0.2.4, in earlier versions the field sizes are partially unchecked.) (Beginning with nanopb-0.2.4, in earlier versions the field sizes are partially unchecked.)
Invariants Invariants
@@ -76,4 +76,6 @@ The following list is not comprehensive:
stop a denial of service attack from using an infinite message. stop a denial of service attack from using an infinite message.
4. If using network sockets as streams, a timeout should be set to stop 4. If using network sockets as streams, a timeout should be set to stop
denial of service attacks. denial of service attacks.
5. If using *malloc()* support, some method of limiting memory use should be
employed. This can be done by defining custom *pb_realloc()* function.
Nanopb will properly detect and handle failed memory allocations.