RUSTSEC-2021-0032

Deserializing an array can drop uninitialized memory on panic

Reported

March 1, 2021

Issued

March 2, 2021 (last modified: June 13, 2023)

Package

byte_struct (crates.io)

Type

Vulnerability

Categories

memory-corruption

Keywords

#memory-safety

Aliases

References

https://github.com/wwylele/byte-struct-rs/issues/1

CVSS Score

9.8 CRITICAL

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

>=0.6.1

Description

The read_bytes_default_le function for [T; n] arrays, used to deserialize arrays of T from bytes created a [T; n] array with std::mem::uninitialized and then called T's deserialization method.

If T's deserialization method panicked, the uninitialized memory could drop invalid objects.

This flaw was corrected in a535678 by removing the unsafe block and using a .map function to deserialize each element of the array instead.

Advisory available under CC0-1.0 license.