OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-03 10:05:26 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
d8701fad2d40aeca8e8564692f14a8d7c30a5136
advisory-db/crates/socket2/RUSTSEC-2020-0079.md
Sergey "Shnatsel" Davidoff 45f9665f13 Fix CVE alias CVE-2020-35920 (#1003) 
* drop wrong alias in net2 advisory

* add CVE-2020-35920 alias to the proper crate
2021-08-23 13:51:39 +03:00

866 B
Raw Blame History 

[advisory]
id = "RUSTSEC-2020-0079"
package = "socket2"
date = "2020-11-06"
url = "https://github.com/rust-lang/socket2-rs/issues/119"
keywords = ["memory", "layout", "cast"]
informational = "unsound"
aliases = ["CVE-2020-35920"]

[versions]
patched = [">= 0.3.16"]

socket2 invalidly assumes the memory layout of std::net::SocketAddr

The socket2 crate has assumed std::net::SocketAddrV4 and std::net::SocketAddrV6 have the same memory layout as the system C representation sockaddr. It has simply casted the pointers to convert the socket addresses to the system representation. The standard library does not say anything about the memory layout, and this will cause invalid memory access if the standard library changes the implementation. No warnings or errors will be emitted once the change happens.