reading on uninitialized buffer can cause UB (impl of ReadKVExt)

[JOE1994]

Hello 🦀 , we (Rust group @sslab-gatech) found a memory-safety/soundness issue in this crate while scanning Rust code on crates.io for potential vulnerabilities.

Issue Description

BronzeDB/bronzedb-protocol/src/ext.rs

Lines 32 to 50 in 8ac9214

	impl<T: Read + ?Sized> ReadKVExt for T {
	fn read_key(&mut self) -> io::Result<Vec<u8>> {
	let key_len = self.read_u16::<BigEndian>()? as usize;
	debug_assert!(key_len <= MAX_KEY_LEN);
	let mut key = Vec::with_capacity(key_len);
	unsafe { key.set_len(key_len) };
	self.read_exact(key.as_mut_slice())?;
	Ok(key)
	}
	fn read_value(&mut self) -> io::Result<Value> {
	let value_len = self.read_u16::<BigEndian>()? as usize;
	debug_assert!(value_len <= MAX_VALUE_LEN);
	let mut value = Vec::with_capacity(value_len);
	unsafe { value.set_len(value_len) };
	self.read_exact(value.as_mut_slice())?;
	Ok(value)
	}
	}

read_key() method & read_value() method creates an uninitialized u8 buffer and passes it to user-provided Read implementation. This is unsound, because it allows safe Rust code to exhibit an undefined behavior (read from uninitialized memory).

This part from the Read trait documentation explains the issue:

It is your responsibility to make sure that buf is initialized before calling read. Calling read with an uninitialized buf (of the kind one obtains via MaybeUninit<T>) is not safe, and can lead to undefined behavior.

Suggested Fix

It is safe to zero-initialize the newly allocated u8 buffer before read(), in order to prevent user-provided Read from reading old contents of the newly allocated heap memory.

Thank you for checking out this issue 👍