Merge pull request #509 from faern/mio-socketaddr

Add advisory on mio SocketAddr casting
2025-12-29 07:46:22 +01:00 · 2020-12-03 00:53:47 +01:00
parent abbf24473b 3d7ea41f31
commit d984be9fa4
1 changed files with 23 additions and 0 deletions
--- a/crates/mio/RUSTSEC-0000-0000.md
+++ b/crates/mio/RUSTSEC-0000-0000.md
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "mio"
+date = "2020-11-02"
+url = "https://github.com/tokio-rs/mio/issues/1386"
+keywords = ["memory", "layout", "cast"]
+informational = "unsound"
+
+[versions]
+patched = [">= 0.7.6"]
+unaffected = ["< 0.7.0"]
+```
+
+# `mio` invalidly assumes the memory layout of std::net::SocketAddr
+
+The [`mio`](https://crates.io/crates/mio) crate has assumed `std::net::SocketAddrV4`
+and `std::net::SocketAddrV6` have the same memory layout as the system C representation
+`sockaddr`. It has simply casted the pointers to convert the socket addresses to the
+system representation. The standard library does not say anything about the memory
+layout, and this will cause invalid memory access if the standard library
+changes the implementation. No warnings or errors will be emitted once the
+change happens.