temporary_cstring_as_ptr doesn't catch UAF when Result is assigned to a variable

[alex]

Source:

use std::ffi::CString;
use libc::c_char;

extern "C" {
    fn foo(data: *const c_char);
}

pub fn bar(v: &[u8]) {
    let cstr = CString::new(v);
    unsafe {
        foo(cstr.unwrap().as_ptr())
    }
}

clippy doesn't complain about this, even though it's equally dangerous to foo(CString::new(v).unwrap().as_ptr()). It should complain about this formulation as well.

Tested with clippy on play.rust-lang.org: 0.0.212 (2019-08-11 72da101)

[flip1995]

A possible fix would be to search for method chains of .unwrap().as_ptr() and then check the type of the first argument (self) of the unwrap call, if it is Result<CString, _>.

[alex]

For what it's worth, this came from a real world example: mozilla/neqo#145

[Qwaz]

I believe the example in the issue report should store a pointer in another variable to trigger UAF, like the example in clippy lint page:

let c_str = CString::new("foo").unwrap().as_ptr();
unsafe {
    foo(c_str);
}

The pointer is valid in function foo if you use CString in the form of foo(cstr.unwrap().as_ptr()) or foo(cstr.unwrap().as_ptr()), since the temporary value is dropped after foo returns.

See mozilla/neqo#145 (comment)