Unsafe code in Formatter is not panic safe #1534
Comments
This is a good find. I can confirm this is a soundness issue that remains present in 0.5. I am working on a fix now. The impact of this bug is minimal at worst. We already advise users to Nevertheless, the implementation is incorrect. I will be rolling out a fix in a new release immediately.
Rocket 0.4.7, just released, includes the fix in e325e2f.
Thanks for the quick fix! Would you mind requesting an unsound advisory to RustSec advisory database about this bug? An unsound advisory is used to represent a bug that has security implications but is unlikely to be triggered in normal cases (like this one) and surfaces as a warning instead of an error in security auditing tools. We usually file RustSec advisory requests by ourselves for minor crates, but it would be great if it can be written by someone who has more domain knowledge about how the crate is used in this case. An advisory can be marked as an unsound advisory with
Hello,
we (Rust group @sslab-gatech) found a memory-safety/soundness issue in this crate while scanning Rust code on crates.io for potential vulnerabilities.
Issue Description
https://github.com/SergioBenitez/Rocket/blob/c24f15c18f02319be83af4f3c1951dc220b52c5e/core/http/src/uri/formatter.rs#L334-L357
with_prefix() method converts &str to &'static str with the justification above. Unfortunately, the prefix is not popped if line 353 panics. In such a case, the transmuted &'static str persists in the prefixes field and will lead to use-after-free if the formatter is accessed again.
Reproduction
Below is an example program that demonstrates use-after-free using safe APIs of rocket_http.
The program is expected to write hello=world. However, due to the aforementioned use-after-free, it prints 12345=world instead.
Output:
Tested Environment
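
The push/call/pop pattern described in the report above, next to a drop-guard variant that also pops while the stack unwinds, as an added example that is not part of the original issue or of Rocket's code. `Formatter` here is a simplified stand-in that stores owned `String`s instead of transmuted references, and `with_prefix_unguarded`, `with_prefix_guarded`, `PopOnDrop` and `depth_after_panic` are hypothetical names.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};

// Simplified model of the formatter in the report. The real `prefixes` field holds
// transmuted `&'static str` borrows; owned Strings keep this demo free of UB.
pub struct Formatter { prefixes: Vec<String> }

impl Formatter {
    // Pattern from the report: push, run the callback, pop. If `f` unwinds,
    // the pop is skipped and the entry outlives the call.
    pub fn with_prefix_unguarded<F: FnOnce(&mut Formatter)>(&mut self, prefix: &str, f: F) {
        self.prefixes.push(prefix.to_string());
        f(self);
        self.prefixes.pop();
    }

    // Panic-safe variant: the pop lives in a guard's Drop impl, which runs on
    // normal return and during unwinding alike.
    pub fn with_prefix_guarded<F: FnOnce(&mut Formatter)>(&mut self, prefix: &str, f: F) {
        struct PopOnDrop<'a>(&'a mut Formatter);
        impl<'a> Drop for PopOnDrop<'a> {
            fn drop(&mut self) {
                self.0.prefixes.pop();
            }
        }
        self.prefixes.push(prefix.to_string());
        let guard = PopOnDrop(self);
        f(&mut *guard.0);
    }
}

// Runs a panicking callback inside the chosen variant and returns how many
// prefixes remain on the stack afterwards (0 means the state was restored).
pub fn depth_after_panic(guarded: bool) -> usize {
    let mut fmt = Formatter { prefixes: Vec::new() };
    let _ = catch_unwind(AssertUnwindSafe(|| {
        let prefix = String::from("hello"); // constructed sample value
        if guarded {
            fmt.with_prefix_guarded(&prefix, |_| panic!("callback failed"));
        } else {
            fmt.with_prefix_unguarded(&prefix, |_| panic!("callback failed"));
        }
    }));
    fmt.prefixes.len()
}

fn main() {
    println!("unguarded: {} stale prefix(es)", depth_after_panic(false));
    println!("guarded:   {} stale prefix(es)", depth_after_panic(true));
}
```

In the unguarded variant the leftover entry is what, in the reported code, would be a reference to a string that has already been dropped.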