embassy-net: {Tcp,Udp}Socket::new are unsound #2175
Comments
Just "lying" about lifetimes is not UB in and of itself. You need to actually use the buffer beyond its lifetime to get UB.
@Dirbaio First of all, thank you for taking time to respond to this issue. :)

It's well known that relying on

I'm fully aware that the vast majority of code using embassy-net will not accidentally leak sockets, which is necessary for use-after-free to happen this way. However, this is not how unsoundness is handled in the Rust ecosystem; Rust programmers consider it necessary for all possible uses of a safe API to never trigger UB, not just "most" uses, or "all reasonable" uses by any non-trivial definition of "reasonable". This is the reason why standard library containers like

There are at least three ways to make

They're all breaking changes that entail different trade-offs, which is why I didn't just submit a pull request but opened this issue first. embassy-net is currently at major version 0, where breaking changes can be freely made between minor versions and patches; I believe it's better to change the API during version 0 than to let it go into version 1 as-is, where embassy will have many more dependents and will not be able to make breaking changes until major version 2.
Hi, I just read the implementation of
`TcpSocket::new` is defined as

Although this particular `stack` is `'a`, `SocketStack` (which is the type of `stack.socket` modulo `RefCell`) itself is `'static`:

`TcpSocket::new` indirectly stores `rx_buffer` and `tx_buffer`, which are references whose pointed-to data only lives for `'a`, into a `SocketStack`, which must only contain `'static` references. This is unsound:

The same issue exists for `UdpSocket::new`.
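As an added illustration (not code from embassy-net or from anyone in this thread): a small model of the hazard the issue describes. A long-lived registry stands in for `SocketStack`, a socket handle registers its `'a` buffer and unregisters in `Drop`, and `mem::forget` skips that cleanup, so a stale entry for a buffer that no longer exists stays behind. The registry holds raw pointers rather than references so that the demo itself never creates a dangling reference; all type and function names are constructed.

```rust
use std::cell::RefCell;
use std::mem;

// Constructed stand-in for the `'static` `SocketStack`: it outlives every socket.
// Raw pointers are used here (the real code stores references) so the demo
// itself stays free of UB; the stale pointer below is never dereferenced.
#[derive(Default)]
struct Registry {
    buffers: RefCell<Vec<*mut [u8]>>,
}

// Constructed stand-in for `TcpSocket<'a>`: borrows its buffer for `'a` only.
struct Socket<'a> {
    registry: &'a Registry,
    buf: *mut [u8],
}

impl<'a> Socket<'a> {
    // Mirrors the shape of `TcpSocket::new`: the `'a` buffer is handed to the
    // long-lived registry, which is exactly the lifetime "lie" the issue is about.
    fn new(registry: &'a Registry, rx_buffer: &'a mut [u8]) -> Self {
        let buf: *mut [u8] = rx_buffer;
        registry.buffers.borrow_mut().push(buf);
        Socket { registry, buf }
    }
}

impl<'a> Drop for Socket<'a> {
    // Cleanup only happens if `Drop` actually runs; `mem::forget` bypasses it.
    fn drop(&mut self) {
        self.registry.buffers.borrow_mut().retain(|&p| p != self.buf);
    }
}

/// Creates a socket over a block-scoped buffer, ends the block, and returns how
/// many buffers the registry still holds. With `leak == true` the socket is
/// forgotten, so the registry keeps a pointer to memory that is already gone.
fn entries_after_socket_gone(registry: &Registry, leak: bool) -> usize {
    {
        let mut rx_buffer = [0u8; 64]; // lives only for this block ('a)
        let socket = Socket::new(registry, &mut rx_buffer);
        if leak {
            mem::forget(socket); // Drop never runs: stale entry left behind
        }
    } // rx_buffer is deallocated here
    registry.buffers.borrow().len()
}

fn main() {
    let registry = Registry::default();
    println!("dropped normally: {}", entries_after_socket_gone(&registry, false));
    println!("forgotten:        {}", entries_after_socket_gone(&registry, true));
}
```

The normal path leaves the registry empty, while the forgotten socket leaves one entry pointing at freed stack memory; in the real API that entry is a `&'static mut [u8]`, which is what makes any later use a use-after-free.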