Fix unsound lifetime on LinuxI2CMessage

The type alias to a struct without a lifetime parameter of its own does
not actually enforce that the borrowed buffer is still valid at the time
it is passed to the ioctl.

Author: kevinmehall

CHANGELOG.md

@@ -12,6 +12,7 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 - Updated nix to version `0.25`.
 - Updated nix to version `0.24`; only use the `ioctl` feature.
 - Use `File.read_exact` instead of `File.read` in `LinuxI2CDevice.read` so that the buffer is filled.
+- Fix the lifetime parameter on LinuxI2CMessage to ensure that it does not outlive the buffer it points to.
 
 ## [v0.5.1] - 2021-11-22
 

src/ffi.rs

@@ -12,14 +12,15 @@
 use byteorder::{NativeEndian, ReadBytesExt, WriteBytesExt};
 use nix;
 use std::io::Cursor;
+use std::marker::PhantomData;
 use std::mem;
 use std::os::unix::prelude::*;
 use std::ptr;
 
 pub type I2CError = nix::Error;
 
 #[repr(C)]
-pub struct i2c_msg {
+pub struct i2c_msg<'a> {
     /// slave address
     pub(crate) addr: u16,
     /// serialized I2CMsgFlags
@@ -28,6 +29,8 @@ pub struct i2c_msg {
     pub(crate) len: u16,
     /// pointer to msg data
     pub(crate) buf: *const u8,
+
+    pub(crate) _p: PhantomData<&'a mut [u8]>,
 }
 
 bitflags! {
@@ -143,9 +146,9 @@ pub struct i2c_smbus_ioctl_data {
 /// This is the structure as used in the I2C_RDWR ioctl call
 // see linux/i2c-dev.h
 #[repr(C)]
-pub struct i2c_rdwr_ioctl_data {
+pub struct i2c_rdwr_ioctl_data<'a> {
     // struct i2c_msg __user *msgs;
-    msgs: *mut i2c_msg,
+    msgs: *mut i2c_msg<'a>,
     // __u32 nmsgs;
     nmsgs: u32,
 }

src/linux.rs

@@ -15,6 +15,7 @@ use std::fs::File;
 use std::fs::OpenOptions;
 use std::io;
 use std::io::prelude::*;
+use std::marker::PhantomData;
 use std::os::unix::prelude::*;
 use std::path::Path;
 
@@ -316,7 +317,7 @@ impl LinuxI2CBus {
 }
 
 /// Linux I2C message
-pub type LinuxI2CMessage<'a> = ffi::i2c_msg;
+pub type LinuxI2CMessage<'a> = ffi::i2c_msg<'a>;
 
 impl<'a> I2CTransfer<'a> for LinuxI2CBus {
     type Error = LinuxI2CError;
@@ -354,21 +355,23 @@ bitflags! {
 }
 
 impl<'a> I2CMessage<'a> for LinuxI2CMessage<'a> {
-    fn read(data: &'a mut [u8]) -> LinuxI2CMessage {
+    fn read(data: &'a mut [u8]) -> LinuxI2CMessage<'a> {
         Self {
             addr: 0, // will be filled later
             flags: I2CMessageFlags::READ.bits(),
             len: data.len() as u16,
             buf: data.as_ptr(),
+            _p: PhantomData,
         }
     }
 
-    fn write(data: &'a [u8]) -> LinuxI2CMessage {
+    fn write(data: &'a [u8]) -> LinuxI2CMessage<'a> {
         Self {
             addr: 0, // will be filled later
             flags: I2CMessageFlags::empty().bits(),
             len: data.len() as u16,
             buf: data.as_ptr(),
+            _p: PhantomData,
         }
     }
 }
@@ -381,6 +384,7 @@ impl<'a> LinuxI2CMessage<'a> {
             flags: self.flags,
             len: self.len,
             buf: self.buf,
+            _p: PhantomData,
         }
     }
 
@@ -391,6 +395,7 @@ impl<'a> LinuxI2CMessage<'a> {
             flags: flags.bits(),
             len: self.len,
             buf: self.buf,
+            _p: PhantomData,
         }
     }
 }