Don't lie about buffer initialization #47

Merged
merged 3 commits into from
Dec 9, 2023
Conversation

sfackler (Collaborator) commented Dec 5, 2023

It's formally UB to create a &mut [u8] out of possibly-uninitialized bytes. Instead, use the new openssl APIs that work directly with &mut [MaybeUninit<u8>].

Closes #46
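An added example, not the PR's own code, showing the pattern the PR adopts: a mock reader (`MockStream`, a hypothetical stand-in for openssl's `SslStream::read_uninit`) fills `&mut [MaybeUninit<u8>]`, and the caller only ever forms a shared `&[u8]` over the `nread` bytes the reader promises it initialized, so no `&mut [u8]` is created over possibly-uninitialized memory.

```rust
use std::io;
use std::mem::MaybeUninit;

/// Hypothetical stand-in for openssl's `read_uninit`: fills a
/// `&mut [MaybeUninit<u8>]` and reports how many leading bytes it initialized.
struct MockStream {
    data: Vec<u8>, // constructed sample plaintext, standing in for decrypted TLS data
    pos: usize,
}

impl MockStream {
    /// Contract mirrored from the PR: never de-initializes any byte, and the
    /// first `n` bytes of `buf` are initialized when `Ok(n)` is returned.
    fn read_uninit(&mut self, buf: &mut [MaybeUninit<u8>]) -> io::Result<usize> {
        let remaining = &self.data[self.pos..];
        let n = remaining.len().min(buf.len());
        for (dst, src) in buf.iter_mut().zip(remaining) {
            dst.write(*src); // writes through MaybeUninit, never reads the old contents
        }
        self.pos += n;
        Ok(n)
    }
}

/// Read into uninitialized storage without ever building a `&mut [u8]` over it
/// (that was the UB the PR removes). Returns the initialized prefix. Only the
/// `assume_init`-style step is unsafe, keeping the unsafe block as small as possible.
fn read_into<'a>(
    stream: &mut MockStream,
    storage: &'a mut [MaybeUninit<u8>],
) -> io::Result<&'a [u8]> {
    let nread = stream.read_uninit(storage)?;
    // Defensive check on the reader's contract before trusting `nread`.
    assert!(nread <= storage.len(), "reader reported more bytes than the buffer holds");
    // SAFETY: `read_uninit` guarantees the first `nread` bytes are initialized,
    // and we only expose those bytes, read-only, for the lifetime of `storage`.
    let init: &'a [u8] =
        unsafe { std::slice::from_raw_parts(storage.as_ptr() as *const u8, nread) };
    Ok(init)
}
```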

@sfackler sfackler requested a review from Darksonn December 5, 2023 01:47
src/lib.rs (Outdated)
Comment on lines 230 to 237

```rust
// SAFETY: read_uninit does not de-initialize the buffer and guarantees that the first nread
// bytes are initialized.
self.with_context(ctx, |s| unsafe {
    match cvt(s.read_uninit(buf.unfilled_mut()))? {
        Poll::Ready(nread) => {
            buf.assume_init(nread);
            buf.advance(nread);
            Poll::Ready(Ok(()))
```
Darksonn (Contributor):

Generally you should avoid such large unsafe blocks.

```rust
// SAFETY: The `read_uninit` method promises to never deinitialize any of the bytes.
match cvt(s.read_uninit(unsafe { buf.unfilled_mut() }))? {
    Poll::Ready(nread) => {
        // SAFETY: The `read_uninit` method promises that the first `nread` bytes of the buffer are now initialized.
        unsafe { buf.assume_init(nread) };
```

sfackler (Collaborator, Author):

Updated! Sorry for the delay.

Darksonn (Contributor) left a review comment:

I'm happy with this. Feel free to take my nit below or not.

src/lib.rs (Outdated)
Comment on lines 235 to 237

```rust
unsafe {
    buf.assume_init(nread);
}
```
Darksonn (Contributor):

Nit: If you move the semicolon outside the unsafe block, then rustfmt formats this on one line.

@sfackler sfackler merged commit 8b0b96d into master Dec 9, 2023
2 checks passed
@sfackler sfackler deleted the maybe-uninit branch December 9, 2023 16:00
Successfully merging this pull request may close these issues.

SslStream::poll_read creates a slice from potentially uninitialized data