Question 1

Is there a bug in http?

Accepted Answer

Integer Overflow/Infinite Loop in the http crate HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased capacity. However, next_power_of_two() silently overflows to 0 if given a sufficiently large number in release mode.

If the map was not empty when the overflow happens, the library will invoke self.grow(0) and start infinite probing. This allows an attacker who controls the argument to reserve() to cause a potential denial of service (DoS).

The flaw was corrected in 0.1.20 release of http crate. Fixed in http 0.1.20.

Question 2

Is there a bug in http 0.0.0-0?

Accepted Answer

HeaderMap::Drain API is unsound Affected versions of this crate incorrectly used raw pointer,
which introduced unsoundness in its public safe API.

[Failing to drop the Drain struct causes double-free](https://github.com/hyperium/http/issues/354),
and [it is possible to violate Rust's alias rule and cause data race with Drain's Iterator implementation](https://github.com/hyperium/http/issues/355).

The flaw was corrected in 0.1.20 release of `http` crate. Fixed in http 0.1.20.

Question 3

Is there a bug in http 0.0.0-0?

Accepted Answer

Integer Overflow in HeaderMap::reserve() can cause Denial of Service `HeaderMap::reserve()` used `usize::next_power_of_two()` to calculate the increased capacity.
However, `next_power_of_two()` silently overflows to 0 if given a sufficiently large number
in release mode.

If the map was not empty when the overflow happens,
the library will invoke `self.grow(0)` and start infinite probing.
This allows an attacker who controls the argument to `reserve()`
to cause a potential denial of service (DoS).

The flaw was corrected in 0.1.20 release of `http` crate. Fixed in http 0.1.20.

Question 4

Is there a bug in http?

Accepted Answer

Double free in http An issue was discovered in the http crate before 0.1.20 for Rust. The HeaderMap::Drain API can use a raw pointer, defeating soundness. Fixed in http 0.1.20.

Severity	Affected	Fixed in	Title	Status	Source
high	any	0.1.20	Integer Overflow/Infinite Loop in the http crate HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased capacity. However, next_power_of_two() silently overflows to 0 if given a sufficiently large number in release mode. If the map was not empty when the overflow happens, the library will invoke self.grow(0) and start infinite probing. This allows an attacker who controls the argument to reserve() to cause a potential denial of service (DoS). The flaw was corrected in 0.1.20 release of http crate.	fixed	osv:GHSA-x7vr-c387-8w57
medium	0.0.0-0	0.1.20	HeaderMap::Drain API is unsound Affected versions of this crate incorrectly used raw pointer, which introduced unsoundness in its public safe API. [Failing to drop the Drain struct causes double-free](https://github.com/hyperium/http/issues/354), and [it is possible to violate Rust's alias rule and cause data race with Drain's Iterator implementation](https://github.com/hyperium/http/issues/355). The flaw was corrected in 0.1.20 release of `http` crate.	fixed	osv:RUSTSEC-2019-0034
medium	0.0.0-0	0.1.20	Integer Overflow in HeaderMap::reserve() can cause Denial of Service `HeaderMap::reserve()` used `usize::next_power_of_two()` to calculate the increased capacity. However, `next_power_of_two()` silently overflows to 0 if given a sufficiently large number in release mode. If the map was not empty when the overflow happens, the library will invoke `self.grow(0)` and start infinite probing. This allows an attacker who controls the argument to `reserve()` to cause a potential denial of service (DoS). The flaw was corrected in 0.1.20 release of `http` crate.	fixed	osv:RUSTSEC-2019-0033
critical	any	0.1.20	Double free in http An issue was discovered in the http crate before 0.1.20 for Rust. The HeaderMap::Drain API can use a raw pointer, defeating soundness.	fixed	osv:GHSA-6rhx-hqxm-8p36

http known bugs