From 6d99e1c7dec4c6a37c4c7bf2801bc82cc210351d Mon Sep 17 00:00:00 2001
From: John-John Tedro
Date: Tue, 20 Oct 2020 11:14:02 +0200
Subject: util: prevent read buffer from being swapped during a read_poll (#2993)
---
 tokio-util/src/io/poll_read_buf.rs | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/tokio-util/src/io/poll_read_buf.rs b/tokio-util/src/io/poll_read_buf.rs
index fe7d14ca..efce7ced 100644
--- a/tokio-util/src/io/poll_read_buf.rs
+++ b/tokio-util/src/io/poll_read_buf.rs
@@ -58,7 +58,25 @@ where
 let n = {
 let mut buf = ReadBuf::uninit(buf.bytes_mut());
+ let before = buf.filled().as_ptr();
+
 ready!(read.poll_read(cx, &mut buf)?);
+
+ // This prevents a malicious read implementation from swapping out the
+ // buffer being read, which would allow `filled` to be advanced without
+ // actually initializing the provided buffer.
+ //
+ // We avoid this by asserting that the `ReadBuf` instance wraps the same
+ // memory address both before and after the poll. Which will panic in
+ // case its swapped.
+ //
+ // See https://github.com/tokio-rs/tokio/issues/2827 for more info.
+ assert! {
+ std::ptr::eq(before, buf.filled().as_ptr()),
+ "Read buffer must not be changed during a read poll. \
+ See https://github.com/tokio-rs/tokio/issues/2827 for more info."
+ };
+
 buf.filled().len()
 };
-- 
cgit v1.2.3
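Review bot: The new `assert!` turns a misbehaving `AsyncRead` into a panic inside a public function, but nothing in the hunk documents that; the rustdoc of `poll_read_buf` (above the hunk, outside this view) should gain a `# Panics` section along the lines of `/// Panics if the `AsyncRead` implementation replaces the `ReadBuf` it was handed during the poll (see tokio-rs/tokio#2827).`. The check pins only the start address of the filled region, so a replacement slice that happened to begin at the same address but with a larger capacity would pass it; I see no way to obtain such a slice in safe code, but `ReadBuf::capacity()` is cheap to pin as well, e.g. `let before = (buf.filled().as_ptr(), buf.capacity());` and `assert!(std::ptr::eq(before.0, buf.filled().as_ptr()) && before.1 == buf.capacity(), "...")`. The last sentence of the added comment is ungrammatical; suggest `// memory address both before and after the poll, and panics if it was swapped.` in place of the "Which will panic in case its swapped." fragment. The enclosing `poll_read_buf` starts before the hunk and continues after it (the `advance_mut` on `n` that this check protects is not visible here).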