Add advisory on net2 making invalid memory assumptions

2026-01-02 01:26:42 +01:00 · 2020-12-02 22:56:21 +01:00
parent fc6aabb66e
commit 4c2a45a1db
1 changed files with 21 additions and 0 deletions
--- a/crates/net2/RUSTSEC-0000-0000.md
+++ b/crates/net2/RUSTSEC-0000-0000.md
@@ -0,0 +1,21 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "net2"
+date = "2020-11-07"
+url = "https://github.com/deprecrated/net2-rs/issues/105"
+keywords = ["memory", "layout", "cast"]
+
+[versions]
+patched = [">= 0.2.36"]
+```
+
+# `net2` invalidly assumes the memory layout of std::net::SocketAddr
+
+The [`net2`](https://crates.io/crates/net2) crate has converted `std::net::SocketAddr`
+instances into C `sockaddr` pointers simply by casting the pointer. This will cause
+invalid memory access if/when the standard library ever changes the implementation.
+No warnings or errors will be emitted once the change happens.
+
+Please stop using `net2` completely (it's deprecated, use `socket2`) or at least
+upgrade to version `0.2.36` where the socket address conversion is done safely.