Potentially unsafe uses of unsafe #145
Comments
FWIW the second issue is caught by clippy, https://rust-lang.github.io/rust-clippy/master/index.html#temporary_cstring_as_ptr You may consider integrating clippy into your CI.
Thanks for catching those @alex. I'm surprised that we didn't get reports from clippy, because it is enabled in CI.
Ooof, looks like clippy doesn't catch it in the exact structure that neqo has it (https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=409adc9305ceb2fcc63a9eca0f716933). I'll go file a bug on clippy for that.
Alex Gaynor saving the world, one PR or issue at a time :D
Is the second example an actual UAF? In my test, the temporary
It depends on whether the original
Yes, but that is another UAF from what was discussed in this thread. The discussed bug is UAF only if the temporary
(I'm super excited to see QUIC for Firefox built in rust!)
I did a quick review of the uses of `unsafe` and a few potential issues jumped out at me.

neqo/neqo-crypto/src/aead.rs, lines 79 to 86 in 5e5249a

If `p.len()` is larger than can fit in `u32`, you'll wrap around and produce an incorrect result. I don't think this can happen in reality, but using something like `try_into()` to propagate an error in that case would be safer.

neqo/neqo-crypto/src/agent.rs, lines 680 to 684 in 5e5249a

I believe this produces a use-after-free issue. `CString::new` returns a `Result<CString, SomeError>`. Calling `unwrap()` gives you a `CString`, and then `as_ptr()` gets you the raw `*const c_char`. However, because `as_ptr()` returns a raw pointer, it doesn't participate in the lifetime, and thus nothing is keeping the `CString` alive. This issue is described here: https://doc.rust-lang.org/stable/std/ffi/struct.CString.html#method.as_ptr
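The two patterns the report describes, the dangling `CString::as_ptr()` temporary and the wrapping length cast, in runnable form. This is an added illustration, not code from neqo or from the issue; `c_consume` is a hypothetical stand-in for the C callee so the example runs without a native library.

```rust
use std::convert::TryInto;
use std::ffi::{CStr, CString, NulError};
use std::num::TryFromIntError;
use std::os::raw::c_char;

/// Hypothetical stand-in for the C callee (e.g. an NSS entry point) that reads a
/// NUL-terminated string. It only exists so the example runs without a C library.
///
/// SAFETY: `p` must point at a live, NUL-terminated buffer.
unsafe fn c_consume(p: *const c_char) -> String {
    CStr::from_ptr(p).to_string_lossy().into_owned()
}

// Buggy shape from the issue, kept as a comment so it is never executed:
//
//     let ptr = CString::new(name).unwrap().as_ptr(); // temporary CString freed here
//     unsafe { c_consume(ptr) }                       // reads freed memory
//
// `as_ptr()` returns a raw pointer with no lifetime tie, so nothing keeps the
// temporary alive past the end of the `let` statement.

/// Fixed shape: bind the `CString` to a local so it outlives every use of `ptr`.
pub fn pass_name(name: &str) -> Result<String, NulError> {
    let owned = CString::new(name)?; // dropped only at the end of this function
    let ptr = owned.as_ptr();
    // SAFETY: `owned` is still in scope, so `ptr` is valid for the duration of the call.
    let echoed = unsafe { c_consume(ptr) };
    Ok(echoed)
}

/// The wrapping conversion the aead.rs comment warns about: `as u32` silently
/// truncates a length that does not fit, so a C API would be told the wrong size.
pub fn wrapping_len(len: usize) -> u32 {
    len as u32
}

/// The safer alternative: `try_into()` surfaces the overflow as an error instead.
pub fn len_to_u32(len: usize) -> Result<u32, TryFromIntError> {
    len.try_into()
}

fn main() {
    println!("{:?}", pass_name("example.com"));
    println!("{:?} vs {:?}", wrapping_len(16), len_to_u32(16));
}
```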