-
Notifications
You must be signed in to change notification settings - Fork 53
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unsoundness problem in Node::tree #169
Comments
Good point. I'll make it private. I think it was initially private, but was made public to support a cross-crate access that is no longer necessary. |
Hello again, I think maybe current fix is not sufficient :( blitz/packages/blitz-dom/src/node.rs Line 97 in 017f8ea
the user can still pass a Null pointer through the new methodmaybe we should mark new method as private or add check to make sure the pointer is not null? |
I've made the |
Thanks, I will keep search if there are other cases. If I found, I will report it in this issue. |
Also, given that this is an Unsound issue, I'm not sure if we should report it to RustSec? |
I think we should probably avoid that for now. Blitz doesn't have any real users yet, so they won't have run into it. And our wrapper libraries were not triggering the unsafety. |
Ok, I'm not quite familiar with the requirements of the report, thanks for clarification. |
Hello, thank you for your contribution in this project, I am scanning the unsoundness problem in rust project.
I notice the following code:
Considering that
tree
is a pub field, I assume that users can directly manipulate this field. This potential situation could result inself.tree
being a null pointer, and directly dereferencing it might trigger undefined behavior (UB).PoC:
If there is no external using for
Node
, maybe it should not be marked aspub
, at least for its field should not be mark aspub
.The text was updated successfully, but these errors were encountered: