CVE-2021-29942
Description
The swap_index function in the Rust reorder crate (≤2021-02-24) can return uninitialized memory when an iterator provides an incorrect len(), leading to memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The swap_index function in the reorder crate for Rust trusts the len() method of an ExactSizeIterator to allocate a Vec and set its length via unsafe code. If the iterator returns a len() larger than the actual number of elements, the function will expose uninitialized memory when the Vec is returned [1][3]. This violates the safety guarantees documented for ExactSizeIterator::len(), which states that the value must not be trusted for bounds checks in unsafe code [3].
An attacker can exploit this by providing a crafted iterator that implements ExactSizeIterator with an inflated len() but yields fewer items. The function does not validate the iterator's length against the actual number of elements, allowing an attacker to trigger out-of-bounds writes or reads of uninitialized memory. The attack requires no authentication and can be performed over a network, as reflected in the CVSS vector (AV:N/AC:L/PR:N/UI:N) [1].
Successful exploitation could lead to memory corruption, potentially resulting in information disclosure (reading uninitialized memory) or denial of service (due to undefined behavior). The vulnerability is rated HIGH with a CVSS score of 7.3 [1].
The issue was reported on February 24, 2021, and patched in version 1.1.0 of the reorder crate. Users are advised to update to the latest version to mitigate the risk [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
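The narrative above describes the defect as trusting `ExactSizeIterator::len()` to size a buffer that unsafe code then marks as fully initialized. The following is an added example, not code from the reorder crate; it assumes that `swap_index` takes an iterator of `(index, value)` pairs and returns a `Vec` with each value placed at its index (the signature is an assumption), and shows how the same operation can be written without trusting `len()` at all: every slot starts as `None`, so a misreported length, an out-of-range index, a duplicate or a missing index surfaces as an `Err` rather than as uninitialized memory. `ClaimedLen` is a constructed test double that reports whatever length the caller asks for, modelling the misbehaving iterator the advisory describes.

```rust
/// Errors returned when the iterator does not live up to the contract that
/// the vulnerable pattern silently assumed.
#[derive(Debug, PartialEq, Eq)]
pub enum SwapIndexError {
    /// `len()` promised `reported` items but the iterator yielded `actual`.
    LengthMismatch { reported: usize, actual: usize },
    /// A destination index was >= the reported length.
    IndexOutOfRange { index: usize, len: usize },
    /// The same destination index was yielded twice.
    DuplicateIndex(usize),
    /// A destination slot was never written.
    MissingIndex(usize),
}

/// Place each `(index, value)` pair at position `index` of the output.
/// Hypothetical hardened counterpart of the crate's `swap_index` (signature
/// assumed). No `unsafe`, and `len()` is used only as a capacity hint that is
/// verified against what the iterator actually produced.
pub fn swap_index_checked<T, I>(iter: I) -> Result<Vec<T>, SwapIndexError>
where
    I: ExactSizeIterator<Item = (usize, T)>,
{
    let reported = iter.len();
    // Every slot is explicitly initialized to None before any write.
    let mut slots: Vec<Option<T>> = Vec::with_capacity(reported);
    slots.resize_with(reported, || None);

    let mut actual = 0usize;
    for (index, value) in iter {
        actual += 1;
        if index >= reported {
            return Err(SwapIndexError::IndexOutOfRange { index, len: reported });
        }
        if slots[index].is_some() {
            return Err(SwapIndexError::DuplicateIndex(index));
        }
        slots[index] = Some(value);
    }
    // A lying len() (too large or too small) is caught here instead of
    // being exposed as uninitialized or truncated memory.
    if actual != reported {
        return Err(SwapIndexError::LengthMismatch { reported, actual });
    }

    // Unwrap the slots; any None left over means an index was never yielded.
    let mut out = Vec::with_capacity(reported);
    for (i, slot) in slots.into_iter().enumerate() {
        match slot {
            Some(v) => out.push(v),
            None => return Err(SwapIndexError::MissingIndex(i)),
        }
    }
    Ok(out)
}

/// Constructed test double: wraps any iterator and reports an arbitrary
/// `len()`, which is exactly the input the advisory says must not be trusted.
pub struct ClaimedLen<I> {
    inner: I,
    claimed: usize,
}

impl<I> ClaimedLen<I> {
    pub fn new(inner: I, claimed: usize) -> Self {
        Self { inner, claimed }
    }
}

impl<I: Iterator> Iterator for ClaimedLen<I> {
    type Item = I::Item;
    fn next(&mut self) -> Option<Self::Item> {
        self.inner.next()
    }
    // ExactSizeIterator's default len() is derived from this hint.
    fn size_hint(&self) -> (usize, Option<usize>) {
        (self.claimed, Some(self.claimed))
    }
}

impl<I: Iterator> ExactSizeIterator for ClaimedLen<I> {}

/// Honest iterator (constructed input): values land at their indices.
pub fn honest_example() -> Result<Vec<char>, SwapIndexError> {
    swap_index_checked(vec![(2usize, 'a'), (0, 'b'), (1, 'c')].into_iter())
}

/// Iterator claiming 4 items but yielding 2 (constructed input): rejected.
pub fn lying_example() -> Result<Vec<u8>, SwapIndexError> {
    let pairs = vec![(0usize, 1u8), (1, 2u8)];
    swap_index_checked(ClaimedLen::new(pairs.into_iter(), 4))
}

fn main() {
    println!("honest: {:?}", honest_example());
    println!("lying:  {:?}", lying_example());
}
```

The `Vec<Option<T>>` costs one discriminant per element compared with the `set_len` approach, which is the price of never having a byte of the output that was not written by safe code; the same shape of check (count what the iterator actually yielded, compare with what it claimed) is what any `unsafe` fast path would need before calling `set_len`.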
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| reorder (crates.io) | < 1.1.0 | 1.1.0 |
Affected products
- Rust/reorder
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-jpwg-6gf5-5vh9 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2021-29942 (NVD advisory)
- [3] github.com/tiby312/reorder/issues/1 (GitHub issue)
- [4] rustsec.org/advisories/RUSTSEC-2021-0050.html (RustSec advisory)
News mentions
No linked articles in our index yet.