Would Cloudbleed have been prevented if Rust had been used? I know it is not the same as Heartbleed, but Rust would probably have prevented Heartbleed.
2 Answers
From the detailed description of the bug it is visible that they already used a high-level tool to create code, but that they did not use the tool properly. To cite:
The equality check is generated automatically by Ragel and was not part of the code that we wrote. This indicated that we were not using Ragel correctly.
Thus, would Rust have prevented the improper use of a high-level tool? Probably not. But if the tool generated Rust code instead of C code, would the buffer overrun then have been detected? This is likely, since protecting against buffer overruns is one of the goals of Rust. But since the tool does not generate Rust code, one cannot say for sure what this code would look like and whether it really would have prevented the problem.
Tony Arcieri replied at 3/2/17 at 12:28 AM:
Yes, this was a memory safety vulnerability. Though it arose in generated code (from Ragel), were Ragel generating Rust code, it would not have this vulnerability.
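The point both answers make about generated Rust code, as an added example that is not from either answer, from Ragel, or from Cloudflare: a constructed scanner in safe Rust whose end-of-data test is an equality check, run on input where the cursor steps over the end. The two-byte step on `<`, the sample inputs and all names are assumptions made for illustration.

```rust
// Constructed model of a scanner with cursor `p` and end-of-data `pe`.
// Not Ragel output; the step rule below is an assumption for illustration.
#[derive(Debug, PartialEq)]
enum Scan {
    Done(usize),        // scanner stopped at end of data; value is the cursor
    OutOfBounds(usize), // cursor value that slipped past `pe`
}

// Most bytes advance the cursor by 1; `<` advances it by 2 (assumed rule),
// so a `<` in the last position moves the cursor beyond the end.
fn step(b: u8) -> usize { if b == b'<' { 2 } else { 1 } }

// End test written as equality. Checked access reports the overrun.
fn scan_eq(data: &[u8]) -> Scan {
    let pe = data.len();
    let mut p = 0;
    while p != pe {
        match data.get(p) {
            Some(&b) => p += step(b),
            None => return Scan::OutOfBounds(p), // no adjacent memory is read
        }
    }
    Scan::Done(p)
}

// Same scanner with the end test written as an ordering comparison.
fn scan_ge(data: &[u8]) -> Scan {
    let pe = data.len();
    let mut p = 0;
    while p < pe { p += step(data[p]); }
    Scan::Done(p.min(pe))
}

// Plain indexing with the equality test: safe Rust panics instead of reading on.
fn indexing_panics(data: &[u8]) -> bool {
    std::panic::catch_unwind(|| {
        let mut p = 0;
        while p != data.len() { p += step(data[p]); }
    }).is_err()
}

fn main() {
    for input in [&b"<a>x"[..], &b"ab<"[..]] { // constructed sample inputs
        println!("{:?}: eq={:?} ge={:?} index_panics={}",
                 String::from_utf8_lossy(input), scan_eq(input),
                 scan_ge(input), indexing_panics(input));
    }
}
```

The logic error (an equality test that the cursor can skip) is still present in `scan_eq`; what changes is that the out-of-range access becomes an error or a panic rather than a read of neighbouring memory.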