Skip to content

Unsound usages of unsafe implementation about c_void #119

Description

@llooFlashooll

Hi, I am scanning this crate in the latest version using my own static analyzer tool.

Unsafe pointer conversion is found at:

pub fn set_opt<T: Copy>(sock: Socket, opt: c_int, val: c_int,
                       payload: T) -> io::Result<()> {
    unsafe {
        let payload = &payload as *const T as *const c_void;
        try!(::cvt(setsockopt(sock, opt, val, payload as *const _,
                              mem::size_of::<T>() as socklen_t)));
    }
    Ok(())
}

This unsound implementation would create memory issues such as overflow, underflow, or misalignment. The attacker can manipulate the argument payload associated with the c_void pointer with an unexpected type or layout, which can lead to an out-of-bounds memory access bug. The c_void pointer and its associated size argument are passed through the FFI (setsockopt), which can further corrupt the C/C++ code.

This would cause undefined behaviors in Rust. Adversaries can manipulate the associated argument to cause memory safety bugs. I am reporting this issue for your attention.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions