Scope
Add byte overrun checks and saturating duration math.
Problem
Peer/origin byte copies are not overrun-checked against expected size, and budget/stall duration math can overflow for very large size inputs.
Evidence:
internal/gantry/mirror/mirror.go:1965
internal/gantry/mirror/mirror.go:1469
cmd/gantry/main.go:2140
cmd/gantry/main.go:2066
internal/gantry/inflight/inflight.go:118
Changes
- Add overrun-detecting byte limits, not silent truncation.
  - Do not use a bare `io.LimitReader(rc, expectedSize)` because it can hide extra bytes.
  - When an expected size is trustworthy, read at most `expectedSize + 1`; fail if more than `expectedSize` bytes arrive.
  - Treat peer-advertised `Content-Length` as untrusted unless it is backed by a descriptor from a trusted manifest/origin path.
  - Keep final digest verification as the correctness boundary.
- Saturate duration math.
  - Clamp seconds before converting to `time.Duration` and multiplying by `time.Second` in `runOriginPull` and `inflight.ResolveStall`.
Tests
- Overrun test fails when the stream sends `expectedSize + 1` bytes.
- Very large sizes clamp to the ceiling instead of overflowing.
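An added example, not the project's own code, that shows the two changes above (an overrun-detecting copy bounded at `expectedSize + 1`, and clamped seconds-to-`time.Duration` math) together with the cases the Tests section describes. The names `copyExact`, `saturatingSeconds`, `unclampedSeconds`, the sentinel errors and the `maxBudgetSeconds` ceiling are assumptions; the page gives the behaviour, not the identifiers.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"time"
)

// Sentinel errors; names are assumptions, not the project's own.
var (
	ErrOverrun = errors.New("stream delivered more bytes than the trusted expected size")
	ErrShort   = errors.New("stream ended before the expected size")
)

// copyExact copies exactly expectedSize bytes from src to dst and reports an
// overrun if the stream carries even one byte more. A bare
// io.LimitReader(src, expectedSize) would truncate silently; here at most
// expectedSize+1 bytes are read, and the surplus byte is never written to dst.
// expectedSize must come from a trusted descriptor (manifest/origin path), not
// from a peer-advertised Content-Length. Digest verification after the copy
// remains the correctness boundary; this check only rejects a mis-sized
// stream early.
func copyExact(dst io.Writer, src io.Reader, expectedSize int64) (int64, error) {
	if expectedSize < 0 {
		return 0, fmt.Errorf("invalid expected size %d", expectedSize)
	}
	n, err := io.CopyN(dst, src, expectedSize)
	if err != nil {
		if errors.Is(err, io.EOF) {
			return n, ErrShort
		}
		return n, err
	}
	// Probe for one byte past the expected size. io.ReadFull on a 1-byte
	// buffer returns nil if a byte was present and io.EOF if the stream ended.
	var probe [1]byte
	_, perr := io.ReadFull(src, probe[:])
	if perr == nil {
		return n, ErrOverrun
	}
	if errors.Is(perr, io.EOF) {
		return n, nil
	}
	return n, perr
}

// maxBudgetSeconds is a constructed ceiling for budget/stall computations;
// the project's real limit is not given on the page.
const maxBudgetSeconds int64 = 7 * 24 * 60 * 60 // one week

// saturatingSeconds clamps sec into [0, ceiling] before converting, so that
// time.Duration(sec) * time.Second cannot overflow int64 (which happens for
// any sec above roughly 9.2e9, about 292 years).
func saturatingSeconds(sec, ceiling int64) time.Duration {
	if sec < 0 {
		sec = 0
	}
	if sec > ceiling {
		sec = ceiling
	}
	return time.Duration(sec) * time.Second
}

// unclampedSeconds is the overflow-prone form the Changes section replaces,
// kept only to show the wraparound on a large input.
func unclampedSeconds(sec int64) time.Duration {
	return time.Duration(sec) * time.Second
}

func main() {
	// Constructed stream of 12 bytes against a trusted expected size of 11.
	var dst bytes.Buffer
	_, err := copyExact(&dst, bytes.NewReader([]byte("layer-bytes!")), 11)
	fmt.Println("overrun stream:", err, "| bytes kept:", dst.Len())

	huge := int64(1) << 40 // ~35,000 years expressed in seconds
	fmt.Println("unclamped:", unclampedSeconds(huge))
	fmt.Println("clamped:  ", saturatingSeconds(huge, maxBudgetSeconds))
}
```

The probe read is what turns silent truncation into a hard failure: a stream that is exactly the expected size ends at the probe, while any surplus byte is observed without being passed downstream, so the caller can discard the partial artifact before digest verification even runs.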