hubcio opened a new pull request, #2741:
URL: https://github.com/apache/iggy/pull/2741
A single truncated or corrupted network packet could panic the server via unchecked slice indexing in from_bytes/from_raw_bytes across 24 command deserializers. Since each IggyShard runs on a single compio thread, one panic kills the entire shard.

Replace every direct bytes[n] and bytes[a..b] access with checked .get().ok_or(IggyError::InvalidCommand) so malformed input returns an error instead of crashing.

Notable fixes beyond the mechanical pattern:
- IggyMessageView::new() now returns Result, validating the full message size upfront; payload()/calculate_checksum() no longer use unwrap_or_default() on potentially corrupt data
- update_permissions had an .unwrap() on attacker-controlled permissions_length — replaced with proper error propagation
- send_messages_handler message_size arithmetic could underflow; replaced with a checked_sub() chain
- LoginUser now rejects 1-3 trailing bytes as corrupt instead of silently ignoring incomplete length prefixes
- Removed dead name.len() != name_length guards that were unreachable after .get() + from_utf8() validation
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
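The pattern the PR describes, shown as an added example that is not code from the apache/iggy repository or from this PR: a hypothetical length-prefixed LoginUser wire format (u32 little-endian length followed by bytes, for username then password) is decoded once with direct slice indexing, which panics on a short packet, and once with .get() plus checked arithmetic, which returns an error. `IggyError` here is a stand-in enum with only the `InvalidCommand` variant named in the PR; the field names, the `encode` helper and `payload_len` are assumptions for the example. The checked decoder generalizes the trailing-bytes point slightly by rejecting any leftover bytes after the last field, not only 1-3.

```rust
// Added example, not the project's code. IggyError is a stand-in that only
// carries the variant the PR description mentions.
#[derive(Debug, PartialEq)]
pub enum IggyError {
    InvalidCommand,
}

/// Hypothetical command: u32 LE len | username | u32 LE len | password.
#[derive(Debug, PartialEq)]
pub struct LoginUser {
    pub username: String,
    pub password: String,
}

/// Before: direct indexing. A truncated packet hits an out-of-bounds
/// index and panics, taking the thread (and with it the shard) down.
/// Kept only to show the failure mode.
pub fn from_bytes_unchecked(bytes: &[u8]) -> LoginUser {
    let name_len = u32::from_le_bytes([bytes[0], bytes[1], bytes[2], bytes[3]]) as usize;
    let username = String::from_utf8(bytes[4..4 + name_len].to_vec()).unwrap();
    let p = 4 + name_len;
    let pass_len = u32::from_le_bytes([bytes[p], bytes[p + 1], bytes[p + 2], bytes[p + 3]]) as usize;
    let password = String::from_utf8(bytes[p + 4..p + 4 + pass_len].to_vec()).unwrap();
    LoginUser { username, password }
}

/// Read a little-endian u32 at `pos` without panicking on short input.
fn read_u32_le(bytes: &[u8], pos: usize) -> Result<u32, IggyError> {
    let end = pos.checked_add(4).ok_or(IggyError::InvalidCommand)?;
    let s = bytes.get(pos..end).ok_or(IggyError::InvalidCommand)?;
    Ok(u32::from_le_bytes([s[0], s[1], s[2], s[3]]))
}

/// Read a length-prefixed UTF-8 string and advance `pos` past it.
fn read_string(bytes: &[u8], pos: &mut usize) -> Result<String, IggyError> {
    let len = read_u32_le(bytes, *pos)? as usize;
    let start = pos.checked_add(4).ok_or(IggyError::InvalidCommand)?;
    // An oversized length prefix fails here in .get() instead of panicking.
    let end = start.checked_add(len).ok_or(IggyError::InvalidCommand)?;
    let raw = bytes.get(start..end).ok_or(IggyError::InvalidCommand)?;
    // from_utf8 validates the bytes; no separate name.len() != len guard is needed.
    let s = std::str::from_utf8(raw).map_err(|_| IggyError::InvalidCommand)?;
    *pos = end;
    Ok(s.to_owned())
}

/// After: every access is checked, so malformed input yields Err.
pub fn from_bytes_checked(bytes: &[u8]) -> Result<LoginUser, IggyError> {
    let mut pos = 0usize;
    let username = read_string(bytes, &mut pos)?;
    let password = read_string(bytes, &mut pos)?;
    // Leftover bytes (e.g. a partial length prefix) mean corrupt input.
    if pos != bytes.len() {
        return Err(IggyError::InvalidCommand);
    }
    Ok(LoginUser { username, password })
}

/// Build a well-formed packet (constructed test input for the example).
pub fn encode(username: &str, password: &str) -> Vec<u8> {
    let mut out = Vec::new();
    for s in [username, password] {
        out.extend_from_slice(&(s.len() as u32).to_le_bytes());
        out.extend_from_slice(s.as_bytes());
    }
    out
}

/// Size arithmetic of the kind the PR mentions for message_size:
/// total minus header must not underflow.
pub fn payload_len(total: u32, header: u32) -> Result<u32, IggyError> {
    total.checked_sub(header).ok_or(IggyError::InvalidCommand)
}

fn main() {
    let good = encode("iggy", "secret");
    println!("{:?}", from_bytes_checked(&good));
    // Truncated packet: Err instead of a panic.
    println!("{:?}", from_bytes_checked(&good[..good.len() - 3]));
    // Length prefix claiming more bytes than are present.
    let mut bad = good.clone();
    bad[0] = 0xFF;
    println!("{:?}", from_bytes_checked(&bad));
    // Two stray trailing bytes after a complete message.
    let mut trailing = good.clone();
    trailing.extend_from_slice(&[0, 0]);
    println!("{:?}", from_bytes_checked(&trailing));
    println!("{:?}", payload_len(10, 20));
}
```

Running `main` prints `Ok(LoginUser { .. })` for the well-formed packet and `Err(InvalidCommand)` for each of the truncated, oversized-prefix, trailing-bytes and underflow cases, while feeding the same truncated slice to `from_bytes_unchecked` panics with an index-out-of-bounds error.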