author: Mara Bos <m-ou.se@m-ou.se> 2021-01-14 18:00:11 +0000
committer: GitHub <noreply@github.com> 2021-01-14 18:00:11 +0000
commit: ce48709405270cae2dfdf99d9a8d57a4f672ad34
tree: f6beea366bf91ad77fb7157323b52591dfe95a3a /library/std/src/sys/unix/stack_overflow.rs
parent: 9e9aba87af74362f9fcf5e077c7a53412dd41f28
parent: e6c07b0628938b0003ecbae0f60b588eebf474aa
Rollup merge of #80895 - sfackler:read-to-end-ub, r=m-ou-se
Fix handling of malicious Readers in read_to_end

A malicious `Read` impl could return overly large values from `read`, which would result in the guard's drop impl setting the buffer's length to greater than its capacity! ~~To fix this, the drop impl now uses the safe `truncate` function instead of `set_len` which ensures that this will not happen. The result of calling the function will be nonsensical, but that's fine given the contract violation of the `Read` impl.~~

~~The `Guard` type is also used by `append_to_string` which does not pass untrusted values into the length field, so I've copied the guard type into each function and only modified the one used by `read_to_end`. We could just keep a single one and modify it, but it seems a bit cleaner to keep the guard code close to the functions and related specifically to them.~~

To fix this, we now assert that the returned length is not larger than the buffer passed to the method.

For reference, this bug has been present for ~2.5 years since 1.20: https://github.com/rust-lang/rust/commit/ecbb896b9eb2acadefde57be493e4298c1aa04a3.

Closes #80894.
Diffstat (limited to 'library/std/src/sys/unix/stack_overflow.rs')
0 files changed, 0 insertions, 0 deletions
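
The check the commit message describes, as an added example that is not the standard library's code or part of this commit: a read loop that treats the length returned by `read` as untrusted and asserts it fits the buffer before using it. `LyingReader`, `checked_read_to_end`, `lying_reader_is_rejected` and the 32-byte chunk size are hypothetical names and values chosen for illustration.

```rust
use std::io::{self, Read};

/// Constructed reader that breaks the `Read` contract by reporting
/// more bytes than the buffer it was handed can hold.
struct LyingReader;

impl Read for LyingReader {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        Ok(buf.len() + 1024)
    }
}

/// Hypothetical helper: append everything from `r` to `out`, validating
/// every length reported by the reader before it is used as a bound.
fn checked_read_to_end<R: Read>(r: &mut R, out: &mut Vec<u8>) -> io::Result<usize> {
    let start = out.len();
    let mut chunk = [0u8; 32]; // assumed chunk size
    loop {
        match r.read(&mut chunk) {
            Ok(0) => return Ok(out.len() - start),
            Ok(n) => {
                // Without this check, unsafe code that trusted `n`
                // (e.g. via `set_len`) could expose memory past capacity.
                assert!(n <= chunk.len(), "reader reported {} bytes for a {}-byte buffer", n, chunk.len());
                out.extend_from_slice(&chunk[..n]);
            }
            Err(e) if e.kind() == io::ErrorKind::Interrupted => continue,
            Err(e) => return Err(e),
        }
    }
}

/// Returns true when the oversized length is caught by the assertion.
fn lying_reader_is_rejected() -> bool {
    std::panic::catch_unwind(|| {
        let mut out = Vec::new();
        checked_read_to_end(&mut LyingReader, &mut out)
    })
    .is_err()
}

fn main() {
    let data = vec![7u8; 70]; // constructed sample input
    let mut out = Vec::new();
    let n = checked_read_to_end(&mut &data[..], &mut out).unwrap();
    println!("honest reader: {} bytes", n);
    println!("lying reader rejected: {}", lying_reader_is_rejected());
}
```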