-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Panic safety issue in SliceDeque::drain_filter #90
Comments
Heads up: this issue has been included in the RustSec advisory database. It will be surfaced by tools such as cargo-audit or cargo-deny from now on. Once a fix is released to crates.io, please open a pull request to update the advisory with the patched version, or file an issue on the advisory database repository. |
This was referenced Mar 30, 2021
LiquidityC
referenced
this issue
in LiquidityC/slice_ring_buffer
Mar 30, 2021
Removes security issue where a panic! from DrainFilter.pred would leave DrainFilter.idx incremented and risking a double drop. Fixes: #90
This was referenced Jun 13, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi there, we (Rust group @sslab-gatech) are scanning crates on crates.io for potential soundness bugs. We noticed a panic safety issue in the
DrainFilter
returned by theSliceDeque::drain_filter
function:slice_deque/src/lib.rs
Lines 3017 to 3039 in 045fb28
Notably, the code increments
self.idx
before it callsself.pred
which can potentially panic. This means for example, that it can leave theSliceDeque
in an inconsistent state resulting in a double drop. Here is an example:This outputs:
The text was updated successfully, but these errors were encountered: