OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-02-13 21:18:11 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
10843f83727ce2c19085efae881d7a82a9356d0e
advisory-db/crates/miow/RUSTSEC-2020-0080.md
Sergey "Shnatsel" Davidoff 40afced5fb Remove range overlaps, fix some range specifications (#930) 
* Drop some clearly redundant bounds

* Fix RUSTSEC-2020-0091 - the version specification was incorrect, marking 1.0.0 as fixed while in reality it was not

* Fix RUSTSEC-2018-0004: presumably any updates to 0.3.x series would also get the fix, it would not be isolated to 0.3.2

* Fix incorrectly defined, overlapping ranges in RUSTSEC-2020-0080 and RUSTSEC-2019-0035
2021-06-04 23:26:23 +02:00

859 B
Raw Blame History 

[advisory]
id = "RUSTSEC-2020-0080"
package = "miow"
aliases = ["CVE-2020-35921"]
date = "2020-11-13"
url = "https://github.com/yoshuawuyts/miow/issues/38"
keywords = ["memory", "layout", "cast"]
informational = "unsound"

[versions]
patched = ["^ 0.2.2", ">= 0.3.6"]

miow invalidly assumes the memory layout of std::net::SocketAddr

The miow crate has assumed std::net::SocketAddrV4 and std::net::SocketAddrV6 have the same memory layout as the system C representation sockaddr. It has simply casted the pointers to convert the socket addresses to the system representation. The standard library does not say anything about the memory layout, and this will cause invalid memory access if the standard library changes the implementation. No warnings or errors will be emitted once the change happens.