BUG/MEDIUM: protobuf: fix nested path bypass in field lookup
The previous implementation of protobuf_field_lookup() was susceptible
to a security bypass where flat sibling fields could be incorrectly matched
as nested children. This occurred because the parser did not strictly
enforce hierarchical boundaries and depth matching during sequential
iteration, allowing flat structures to satisfy nested path requirements (e.g.
treating a root-level sibling field as if it were nested under a parent).
This patch refactors the lookup logic into a strict, iterative stream
parser that progresses through the defined configuration path (depth).
The new logic guarantees that:
- intermediate matching parent fields must be of type LENGTH_DELIMITED.
If an intermediate match is found but is a primitive type, the parsing
aborts immediately.
- when descending into an intermediate parent, the scanning boundary
(*len) is strictly narrowed down to the nested sub-message size (vlen)
with an upfront validation against buffer overflow (vlen > *len).
- sibling fields at the current level are skipped cleanly without polluting
higher or lower hierarchy levels.
This implementation achieves absolute stack safety (O(1) memory complexity,
no recursion) and guarantees strict validation of nested Protobuf paths.
Many thanks to Red Hat and AISLE Research for reporting this.