fix(image): parallel Range-fetch guards + splitRanges test #17

Merged: CMGS merged 3 commits into master from fix/oci-pull-range-guards, Jul 4, 2026
CMGS (Contributor) commented Jul 3, 2026

Adversarial-review finding on tonight's parallel OCI blob pull (mirrors the cocoon parallel-download guards).

Fix

  • fetchRange validated only status 206, then io.Copy'd the body at the chunk offset with no length or range check. A misbehaving CDN edge (short 206 body, or a 206 whose actual range differs from the request) would land bytes at the wrong offset / leave a zero hole. It's backstopped by verifyDigest (digest mismatch), but only after re-hashing the whole multi-GB file three times — an opaque, expensive failure. Add the Content-Range prefix check and the n==want short-body guard so a bad range fails fast and precisely.
  • splitRanges extracted from fetchParallel and unit-tested (contiguous, non-overlapping, covers [0,size), ≤n chunks) so the disjoint-offset invariant that makes concurrent pwrite safe can't silently regress.

(pullConns is a const 8 here, so the unbounded-conn footgun flagged in cocoon does not apply.)

Verification

GOWORK=off build/test/-race green; lint 0 issues both GOOS; fmt-check clean.

CMGS added 3 commits July 4, 2026 03:10

fetchRange checked only status 206, then blindly copied the body at the
chunk offset. A misbehaving edge (short 206, or a 206 whose actual span
differs from the request) would land bytes at the wrong offset or leave
a zero hole, surfaced only after verifyDigest re-hashes the whole
multi-GB file three times. Add the Content-Range prefix check and the
n==want short-body guard (cocoon parity) so a bad range fails fast and
precisely. Extract splitRanges and unit-test the contiguous /
non-overlapping / covers-[0,size) invariant.

Bumps cocoon to master (pseudo-version) which exports the shared range
helpers, and drops the local splitRanges + inline response guards; the
split-contract test moved to cocoon utils with the implementation.

cloudimg.New grew a pullConns parameter — pass 0 for its default.

CMGS merged commit a5d25d0 into master Jul 4, 2026
3 checks passed
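
An added Go example, not code from this PR or from cocoon, of the two properties the description names: a split of [0,size) into disjoint spans, and a response check that rejects a wrong Content-Range or a short 206 body at the chunk level. The types `span` and `memFile`, the helper `fakeResp`, the function `copyRange` and the body of `splitRanges` are assumptions written for illustration, and the sample responses are constructed.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Hypothetical helpers: span is the half-open range [Off, Off+Len); memFile is a constructed in-memory blob file.
type span struct{ Off, Len int64 }
type memFile []byte

func (m memFile) WriteAt(p []byte, off int64) (int, error) { return copy(m[off:], p), nil }

// fakeResp builds a constructed response, standing in for what an edge might send.
func fakeResp(code int, cr, body string) *http.Response {
	return &http.Response{StatusCode: code, Header: http.Header{"Content-Range": {cr}}, Body: io.NopCloser(strings.NewReader(body))}
}

// splitRanges cuts [0,size) into at most n contiguous, non-overlapping spans (illustrative body).
func splitRanges(size int64, n int) (out []span) {
	if size <= 0 || n <= 0 {
		return nil
	}
	chunk := (size + int64(n) - 1) / int64(n) // ceil(size/n)
	for off := int64(0); off < size; off += chunk {
		out = append(out, span{off, chunk})
	}
	out[len(out)-1].Len = size - out[len(out)-1].Off // last span may be shorter
	return out
}

// copyRange checks that resp carries exactly span s, then writes at most s.Len body bytes at s.Off.
func copyRange(resp *http.Response, s span, dst io.WriterAt) error {
	want := fmt.Sprintf("bytes %d-%d/", s.Off, s.Off+s.Len-1)
	cr := resp.Header.Get("Content-Range")
	if resp.StatusCode != http.StatusPartialContent || !strings.HasPrefix(cr, want) {
		return fmt.Errorf("status %d, Content-Range %q: want 206 with prefix %q", resp.StatusCode, cr, want)
	}
	n, err := io.Copy(io.NewOffsetWriter(dst, s.Off), io.LimitReader(resp.Body, s.Len))
	if err == nil && n != s.Len { // a short body would leave a zero hole
		err = fmt.Errorf("short body at offset %d: got %d bytes, want %d", s.Off, n, s.Len)
	}
	return err
}

func main() {
	fmt.Println(splitRanges(10, 4), copyRange(fakeResp(206, "bytes 4-7/8", "ab"), span{4, 4}, make(memFile, 8)))
}
```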