Bytes Library Integer Overflow Vulnerability in BytesMut::reserve Allowing Memory Corruption
Vulnerability
A vulnerability exists in the Bytes library, specifically in the BytesMut::reserve function, affecting versions from 1.2.1 up to, but not including, 1.11.1. The issue arises from an integer overflow in the unique reclaim path of the reserve function. The condition that checks the backing vector's capacity uses an unchecked addition, so a sufficiently large request can wrap and cause an incorrect (too small) capacity value to be set. Subsequent APIs trust this corrupted value, potentially creating out-of-bounds slices and causing undefined behavior. The vulnerability is present in release builds, where the integer overflow wraps silently; debug builds panic on the overflow because overflow checks are enabled.
Impact
Exploitation of this vulnerability can lead to memory corruption, allowing for the creation of out-of-bounds slices that cause undefined behavior.
Reproduction
The vulnerability can be reproduced by calling the BytesMut::reserve method in a release build, where integer overflow checks are disabled and the addition wraps. After reserving an amount that causes the overflow, the corrupted capacity can be used to create an out-of-bounds slice, demonstrating the undefined behavior.
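The mechanism described above, as an added illustration that is not the Bytes crate's own code: a simplified model of a reclaim-path capacity check in which the requested size is computed with an unchecked addition (here made explicit with wrapping_add, which is what plain + does in a release build), beside the checked_add form that refuses the request instead of wrapping. The field names, the Decision type and the sample sizes are assumptions chosen for the example.

```rust
// Added example modelling the bug class in this advisory. This is NOT the
// bytes crate's code; it is a simplified stand-in for a reclaim-path check.
// `wrapping_add` makes the release-build behaviour of plain `+` explicit so
// the example behaves the same way under `cargo test` (overflow checks on).

/// Outcome of deciding whether the existing backing allocation can be reused.
#[derive(Debug, PartialEq)]
pub enum Decision {
    /// Reuse the buffer in place and trust `new_cap` as its usable capacity.
    ReclaimInPlace { new_cap: usize },
    /// Not enough room; a fresh allocation is required.
    Reallocate,
}

/// Vulnerable model: `len + additional` wraps in a release build, so a huge
/// `additional` can pass the `vec_cap >= needed` test and hand back a tiny
/// `new_cap` that later slicing code will trust.
pub fn reclaim_check_wrapping(len: usize, additional: usize, vec_cap: usize) -> Decision {
    let needed = len.wrapping_add(additional); // release-mode `+` behaviour
    if vec_cap >= needed {
        Decision::ReclaimInPlace { new_cap: needed }
    } else {
        Decision::Reallocate
    }
}

/// Hardened model: the overflow is detected and reported instead of wrapping,
/// so no corrupted capacity value is ever produced.
pub fn reclaim_check_checked(
    len: usize,
    additional: usize,
    vec_cap: usize,
) -> Result<Decision, &'static str> {
    match len.checked_add(additional) {
        Some(needed) if vec_cap >= needed => Ok(Decision::ReclaimInPlace { new_cap: needed }),
        Some(_) => Ok(Decision::Reallocate),
        None => Err("capacity overflow"),
    }
}

fn main() {
    // Constructed sample: 16 bytes in use, 64 bytes of backing capacity, and a
    // request so large that 16 + additional wraps around to 7.
    let (len, vec_cap) = (16usize, 64usize);
    let additional = usize::MAX - 8;
    println!("wrapping: {:?}", reclaim_check_wrapping(len, additional, vec_cap));
    println!("checked:  {:?}", reclaim_check_checked(len, additional, vec_cap));
}
```

Building the wrapping variant with plain + under cargo's default release profile gives the same wrapped result, while setting overflow-checks = true in [profile.release] turns it back into a panic, which is the behaviour the advisory attributes to debug builds.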
Remediation
Users should upgrade to Bytes version 1.11.1 or later, where this vulnerability has been patched.
