Reader reads free memory

[geigerzaehler]

It is possible for the reader to read freed memory.

The following example will panic at the assertion. The reader will read from the memory location previously occupied by write_buf which is now occupied by read_buf.

let (mut writer, mut reader) = pipe();
let mut write_buf = vec![0u8; 1024];
let _ = futures::poll!(writer.write_all(&mut write_buf));
drop(write_buf);

// Fill the space previously used by `write_buf`
let write_buf_overwrite = vec![1u8; 1024];
let mut read_buf = vec![0u8; 1024];
reader.read_exact(&mut read_buf).await.unwrap();
assert_eq!(read_buf, vec![0u8; 1024]);
drop(write_buf_overwrite);

To address this I’d suggest to copy the the write buffer into state.data instead of using *const u8.

[rousan]

We are using *const u8 to gain performance, if we have copied every buffer in-between, there will be a lot of memory allocation and de-allocation.

The internal architecture is such that, until the reader reads the chunk data, the writer's write method will block (asynchronously off-course).

let (mut writer, mut reader) = pipe();
let mut write_buf = vec![0u8; 1024];
let _ = futures::poll!(writer.write_all(&mut write_buf)); //---> This statement should block until the reader reads the data.
drop(write_buf);

[rousan]

I will check this once.

[seanpianka]

The latest version of the AsyncRead trait now uses ReadBuf to handle potentially uninitialized memory. Here's the issue with the proposal and background.

If we can prioritize #8, we can make swifter headway on this issue. 🙂