[Openstack-security] [openstack/glance] SecurityImpact review request change Ief37d1e29487bb03e612320f5cc06910cfd1c23a

gerrit2 at review.openstack.org
Wed Feb 4 21:17:47 UTC 2015


Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/148574

Log:
commit 86d3eb369c90e9f20e65af84eec5522086cbc625
Author: Alexander Tivelkov <ativelkov at mirantis.com>
Date:   Tue Jan 20 17:25:07 2015 +0300

    Fix for CooperativeReader to properly process read length
    
    CooperativeReader, being an eventlet-friendly wrapper around the generator-
    based reader of image data, actually transforms chunk-by-chunk iteration into
    the readable stream. It is used when the image is being copied from the remote
    source: some generator-based image data representing the remote source acts as
    its underlying object, and the instance of CooperativeReader is passed as a
    data stream to the backend client which uses it to read the data.
    
    Before this patch, the CooperativeReader was ignoring the "length" parameter of
    the read method, always returning the whole chunk returned by the underlying
    generator (in the case of an HTTP source the size of this chunk is 16 M). This was
    causing problems for the clients attempting to read data from it, and - under
    some circumstances - the loss of data.
    
    For chunked storage of files in Swift a special class (ChunkReader, declared in
    the swift store driver) is used to reduce the requested read length so no extra
    data is read and transferred. However, this was not working as the
    CooperativeReader (which was the underlying stream for the ChunkReader) was
    ignoring the requested size. This was causing the data to be lost when reading
    behind the boundaries of the Chunks.
    
    This patchset introduces a buffer in the CooperativeReader to store the most
    recently fetched iterator chunk. The reads are independent from requests to the
    iterator, so the CooperativeReader is able to return the exact requested amount
    of bytes and no data is lost due to extra-reads.
    
    SecurityImpact
    
    Change-Id: Ief37d1e29487bb03e612320f5cc06910cfd1c23a
    Closes-bug: #1412802
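The behaviour described in the log, as an added example that is not glance's own code (neither its CooperativeReader nor the Swift store's ChunkReader): `NaiveReader` models the pre-patch reader that ignores `length` and hands back a whole generator chunk, `BufferedReader` models the patched design that keeps the most recently fetched chunk in a buffer and serves exactly the requested number of bytes, and `store_in_segments` is a constructed model of a segmenting consumer that can only keep as many bytes as it asked for. The 16-byte chunks and 40-byte image are constructed stand-ins for the 16 M HTTP chunks; all names are assumptions.

```python
"""Added example, not glance's code: a generator-backed reader that honours
read(length) by buffering the last fetched chunk, beside a model of the
pre-patch reader that ignores `length`."""

CHUNK_SIZE = 16  # constructed: 16-byte chunks stand in for the 16 M HTTP chunks


def chunked_source(data, chunk_size=CHUNK_SIZE):
    """Constructed stand-in for the generator yielding remote image data chunk by chunk."""
    for start in range(0, len(data), chunk_size):
        yield data[start:start + chunk_size]


class NaiveReader(object):
    """Models the pre-patch behaviour: `length` is ignored, the whole next chunk comes back."""

    def __init__(self, fd):
        self.iterator = iter(fd)

    def read(self, length=None):
        try:
            return next(self.iterator)
        except StopIteration:
            return b''


class BufferedReader(object):
    """Models the patched behaviour: the last fetched chunk is kept in a buffer and
    read(length) serves exactly `length` bytes from it, fetching the next chunk only
    when the buffer is exhausted. A short read happens only at end of stream."""

    def __init__(self, fd):
        self.iterator = iter(fd)
        self.buffer = b''
        self.position = 0

    def _fill(self):
        """Fetch the next chunk into the buffer; return False at end of stream."""
        try:
            self.buffer = next(self.iterator)
        except StopIteration:
            return False
        self.position = 0
        return True

    def read(self, length=None):
        if length is None:
            # No length given: return the buffered remainder plus everything left.
            rest = self.buffer[self.position:]
            self.position = len(self.buffer)
            return rest + b''.join(self.iterator)
        pieces = []
        remaining = length
        while remaining > 0:
            if self.position >= len(self.buffer) and not self._fill():
                break
            take = min(remaining, len(self.buffer) - self.position)
            pieces.append(self.buffer[self.position:self.position + take])
            self.position += take
            remaining -= take
        return b''.join(pieces)


def store_in_segments(reader, segment_size, request_size):
    """Constructed model of a segmenting consumer (like a chunked object-store upload):
    it never asks for more than the space left in the current segment and can only
    keep the bytes it asked for, so any surplus the reader returns is dropped."""
    segments = []
    while True:
        segment = b''
        while len(segment) < segment_size:
            want = min(request_size, segment_size - len(segment))
            data = reader.read(want)
            if not data:
                break
            segment += data[:want]  # surplus beyond `want` is lost here
        if not segment:
            break
        segments.append(segment)
    return segments


def demo(data=bytes(range(40)), segment_size=24, request_size=8):
    """Run both readers through the segmenting consumer; returns (naive, fixed) segment lists."""
    naive = store_in_segments(NaiveReader(chunked_source(data)), segment_size, request_size)
    fixed = store_in_segments(BufferedReader(chunked_source(data)), segment_size, request_size)
    return naive, fixed


if __name__ == '__main__':
    naive, fixed = demo()
    print('naive: kept %d of 40 bytes' % sum(len(s) for s in naive))
    print('fixed: kept %d of 40 bytes in segments %s'
          % (sum(len(s) for s in fixed), [len(s) for s in fixed]))
```

With 16-byte chunks and 24-byte segments the boundaries do not line up, which is exactly where the naive reader loses data: the consumer asks for 8 bytes, receives 16, and has nowhere to put the rest. The buffered reader returns 8 bytes per call across chunk boundaries, so every byte lands in a segment.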