From 4c2a45a1db6656f3b8f14a36cd7012db357dbec7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Linus=20F=C3=A4rnstrand?= Date: Wed, 2 Dec 2020 22:56:21 +0100 Subject: [PATCH 1/4] Add advisory on net2 making invalid memory assumptions --- crates/net2/RUSTSEC-0000-0000.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 crates/net2/RUSTSEC-0000-0000.md diff --git a/crates/net2/RUSTSEC-0000-0000.md b/crates/net2/RUSTSEC-0000-0000.md new file mode 100644 index 0000000..04bbf74 --- /dev/null +++ b/crates/net2/RUSTSEC-0000-0000.md @@ -0,0 +1,21 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "net2" +date = "2020-11-07" +url = "https://github.com/deprecrated/net2-rs/issues/105" +keywords = ["memory", "layout", "cast"] + +[versions] +patched = [">= 0.2.36"] +``` + +# `net2` invalidly assumes the memory layout of std::net::SocketAddr + +The [`net2`](https://crates.io/crates/net2) crate has converted `std::net::SocketAddr` +instances into C `sockaddr` pointers simply by casting the pointer. This will cause +invalid memory access if/when the standard library ever changes the implementation. +No warnings or errors will be emitted once the change happens. + +Please stop using `net2` completely (it's deprecated, use `socket2`) or at least +upgrade to version `0.2.36` where the socket address conversion is done safely. \ No newline at end of file From 8e4861d90cd09c1f4cb2ce16ccce4698eb35bca7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Linus=20F=C3=A4rnstrand?= Date: Wed, 2 Dec 2020 23:25:25 +0100 Subject: [PATCH 2/4] Reword advisory description --- crates/net2/RUSTSEC-0000-0000.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/crates/net2/RUSTSEC-0000-0000.md b/crates/net2/RUSTSEC-0000-0000.md index 04bbf74..d35a022 100644 --- a/crates/net2/RUSTSEC-0000-0000.md +++ b/crates/net2/RUSTSEC-0000-0000.md @@ -12,10 +12,13 @@ patched = [">= 0.2.36"] # `net2` invalidly assumes the memory layout of std::net::SocketAddr -The [`net2`](https://crates.io/crates/net2) crate has converted `std::net::SocketAddr` -instances into C `sockaddr` pointers simply by casting the pointer. This will cause -invalid memory access if/when the standard library ever changes the implementation. -No warnings or errors will be emitted once the change happens. +The [`net2`](https://crates.io/crates/net2) crate has assumed `std::net::SocketAddrV4` +and `std::net::SocketAddrV6` have the same memory layout as the system C representation +`sockaddr`. It has simply casted the pointers to convert the socket addresess to the +system representation. The standard library does not say anything about the memory +layout, and this will cause invalid memory access if the standard library +changes the implementation. No warnings or errors will be emitted once the +change happens. -Please stop using `net2` completely (it's deprecated, use `socket2`) or at least +Please stop using `net2` completely (it is deprecated, use `socket2`) or at least upgrade to version `0.2.36` where the socket address conversion is done safely. \ No newline at end of file From 4876ce3b910f73b4f0d2ccd2f2a29d368c3d8147 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Linus=20F=C3=A4rnstrand?= Date: Thu, 3 Dec 2020 00:01:03 +0100 Subject: [PATCH 3/4] Add `informational` field about unsoundness --- crates/net2/RUSTSEC-0000-0000.md | 1 + 1 file changed, 1 insertion(+) diff --git a/crates/net2/RUSTSEC-0000-0000.md b/crates/net2/RUSTSEC-0000-0000.md index d35a022..4853bb1 100644 --- a/crates/net2/RUSTSEC-0000-0000.md +++ b/crates/net2/RUSTSEC-0000-0000.md @@ -5,6 +5,7 @@ package = "net2" date = "2020-11-07" url = "https://github.com/deprecrated/net2-rs/issues/105" keywords = ["memory", "layout", "cast"] +informational = "unsound" [versions] patched = [">= 0.2.36"] From 4ddf6680a7a0b5f6a6e22f199c4dd0b8a5f1081f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Linus=20F=C3=A4rnstrand?= Date: Thu, 3 Dec 2020 00:21:06 +0100 Subject: [PATCH 4/4] Remove deprecation/upgrade text --- crates/net2/RUSTSEC-0000-0000.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/crates/net2/RUSTSEC-0000-0000.md b/crates/net2/RUSTSEC-0000-0000.md index 4853bb1..d917c9d 100644 --- a/crates/net2/RUSTSEC-0000-0000.md +++ b/crates/net2/RUSTSEC-0000-0000.md @@ -19,7 +19,4 @@ and `std::net::SocketAddrV6` have the same memory layout as the system C represe system representation. The standard library does not say anything about the memory layout, and this will cause invalid memory access if the standard library changes the implementation. No warnings or errors will be emitted once the -change happens. - -Please stop using `net2` completely (it is deprecated, use `socket2`) or at least -upgrade to version `0.2.36` where the socket address conversion is done safely. \ No newline at end of file +change happens. \ No newline at end of file