Memory Corruption Affecting socket2 package, versions <0.3.16


Severity

Recommended: medium

CVSS assessment made by Snyk's Security Team.

  • Snyk ID: SNYK-RUST-SOCKET2-1296124
  • Published: 21 May 2021
  • Disclosed: 6 Nov 2020
  • Credit: Unknown

Introduced: 6 Nov 2020

CVE: not available. CWE-119

How to fix?

Upgrade socket2 to version 0.3.16 or higher.

Overview

Affected versions of this package are vulnerable to Memory Corruption. The socket2 crate assumed that std::net::SocketAddrV4 and std::net::SocketAddrV6 have the same memory layout as the system C representation sockaddr, and simply cast the pointers to convert the socket addresses to the system representation. The standard library makes no guarantees about the memory layout of these types, so the cast will cause invalid memory access if the standard library changes its implementation. No warnings or errors will be emitted once such a change happens.
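The unsound layout assumption beside an explicit field-by-field conversion that does not depend on std internals, as an added Rust example (not socket2's own code). `SockAddrIn` is a constructed mirror of the Linux C `sockaddr_in` layout standing in for the `libc` crate, and `AF_INET = 2` is the Linux value.

```rust
use std::net::{Ipv4Addr, SocketAddrV4};

/// Constructed mirror of the C `struct sockaddr_in` on Linux (16 bytes);
/// real code would take this type from the `libc` crate.
#[repr(C)]
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct SockAddrIn {
    pub sin_family: u16,   // address family, AF_INET
    pub sin_port: u16,     // port in network byte order
    pub sin_addr: [u8; 4], // IPv4 address in network byte order (in_addr)
    pub sin_zero: [u8; 8], // padding, must be zero
}

pub const AF_INET: u16 = 2; // Linux value, assumed here

/// The pattern the advisory describes: reinterpret std's address type as
/// the C struct. It only "works" while std's private layout happens to
/// match; nothing checks this, so a std change silently breaks it.
/// The pointer is never dereferenced in this example.
pub fn cast_sockaddr_in(addr: &SocketAddrV4) -> *const SockAddrIn {
    addr as *const SocketAddrV4 as *const SockAddrIn
}

/// Sound alternative: build the C struct from the public accessors, so the
/// result is correct regardless of how std lays out SocketAddrV4.
pub fn to_sockaddr_in(addr: &SocketAddrV4) -> SockAddrIn {
    SockAddrIn {
        sin_family: AF_INET,
        sin_port: addr.port().to_be(),
        sin_addr: addr.ip().octets(),
        sin_zero: [0; 8],
    }
}

/// Whether std's SocketAddrV4 currently has the same size as sockaddr_in.
/// A `false` here is exactly the situation the advisory warns about.
pub fn layout_matches() -> bool {
    std::mem::size_of::<SocketAddrV4>() == std::mem::size_of::<SockAddrIn>()
}

fn main() {
    let addr = SocketAddrV4::new(Ipv4Addr::new(192, 168, 1, 10), 8080);
    println!("explicit conversion: {:?}", to_sockaddr_in(&addr));
    println!("std SocketAddrV4 size matches C sockaddr_in: {}", layout_matches());
    let _unchecked = cast_sockaddr_in(&addr); // never dereferenced
}
```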

CVSS Scores (version 3.1)