CVE-2021-29941

Vulnerability

Overview

The reorder crate (version < 1.1.0) for Rust has a soundness bug in the swap_index function. The function uses the len() method of an ExactSizeIterator to allocate a vector and set its length in unsafe code. According to Rust's documentation, the len() method should not be trusted for safety guarantees in unsafe contexts, but swap_index does exactly that [1][3]. If an iterator returns a len() that is larger than the actual number of elements, the function writes past the allocated buffer and later exposes uninitialized memory [3].

Exploitation

Conditions

An attacker can trigger the vulnerability by providing any iterator that implements ExactSizeIterator but returns an incorrect len() value. No special privileges or user interaction are required; the attack vector is network-based, and exploitation complexity is low [1]. The proof-of-concept code demonstrates a simple iterator that returns len() = 1024 but yields no elements, causing swap_index to write out-of-bounds and produce a vector with uninitialized content [3].

Impact

A successful exploit can lead to memory corruption, potentially allowing an attacker to read sensitive information (via uninitialized memory) or cause a denial of service. Depending on how the corrupted vector is used, further impact may include integrity violations [1][2].

Mitigation

The vulnerability has been patched in version 1.1.0 and later of the reorder crate [1]. Users should update to the latest version. No workarounds are documented; the unsafe code in swap_index must rely on the iterator's correct len() implementation, which cannot be assumed in generic code.