Common Vulnerabilities and Exposures

CVE vulnerability data CVE-2021-29941

CVE-2021-29941

An issue was discovered in the reorder crate through 2021-02-24 for Rust. swap_index has an out-of-bounds write if an iterator returns a len() that is too small.

Description

swap_index takes an iterator and swaps the items with their corresponding indexes. It reserves capacity and sets the length of the vector based on the .len() method of the iterator.

If the len() returned by the iterator is larger than the actual number of elements yielded, then swap_index creates a vector containing uninitialized members. If the len() returned by the iterator is smaller than the actual number of members yielded, then swap_index can write out of bounds past its allocated vector.

As noted by the Rust documentation, len() and size_hint() are primarily meant for optimization and incorrect values from their implementations should not lead to memory safety violations.

Access

Vector Complexity Authentication
NETWORK LOW NONE

Impact

Confidentiality Integrity Availability
PARTIAL PARTIAL PARTIAL

Exploitability v3.1

Attack Complexity Attack vector Privileges Required Scope User Interaction
LOW NETWORK NONE UNCHANGED NONE

Impact v3.1

Confidentiality Integrity Availability
LOW LOW LOW
Related Articles