Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: audit protocol handling #3441

Merged
merged 40 commits into from
Aug 24, 2024
Merged

fix: audit protocol handling #3441

merged 40 commits into from
Aug 24, 2024

Conversation

abonander
Copy link
Collaborator

@abonander abonander commented Aug 15, 2024

Fixes #3440

Resolves https://rustsec.org/advisories/RUSTSEC-2024-0363.html

The last three commits may be cherry-picked against 6f29056 to see the exploit in action.

As of writing, only the Postgres driver actually appears to be exploitable before this patch, and appears to no longer be exploitable afterwards.

@FSMaxB
Copy link
Contributor

FSMaxB commented Aug 15, 2024

I know this might be undesirable because it costs performance, but the pattern that I usually follow for these kinds of casts is SmallerIntegerType::try_from(bigger_integer_value).unwrap_or_else(|| unreachable!("Can't fail because <insert reason>"))

@abonander
Copy link
Collaborator Author

For the most part, I'm trying to avoid panics because they've caused issues before. Trying to encode too large of a value is generally a recoverable error.

@abonander abonander force-pushed the validate-casts-dev branch 2 times, most recently from 36b57e5 to ac0448c Compare August 16, 2024 23:37
@abonander abonander changed the title WIP: validate for overflowing and truncating casts WIP: audit protocol handling Aug 17, 2024
@abonander abonander force-pushed the validate-casts-dev branch 2 times, most recently from ef70eae to e9ffde4 Compare August 20, 2024 10:10
@abonander abonander marked this pull request as ready for review August 23, 2024 03:00
@abonander abonander changed the title WIP: audit protocol handling fix: audit protocol handling Aug 23, 2024
@abonander abonander force-pushed the validate-casts-dev branch 2 times, most recently from 2d39649 to 612a767 Compare August 24, 2024 03:08
@abonander abonander force-pushed the validate-casts-dev branch 2 times, most recently from f020d88 to 13594ad Compare August 24, 2024 05:54
@abonander abonander merged commit 0aa0676 into main Aug 24, 2024
158 checks passed
@abonander abonander deleted the validate-casts-dev branch August 24, 2024 06:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Potential vulnerability: overflowing and truncating casts
2 participants