[CASSANDRA-15560] Change io.compressor.LZ4Compressor to LZ4SafeDecompressor - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Normal
Resolution: Fixed
Fix Version/s: 4.0-beta1, 4.0
Component/s: Feature/Compression
Labels:
None

Change Category:
Quality Assurance
Complexity:
Low Hanging Fruit
Platform:

All
Impacts:

None
Source Control Link:

https://github.com/apache/cassandra/commit/6a42c21cb3e357caf4d7b2e8328f0f8f46f5269b
Test and Documentation Plan:

Hide

CI runs attached to PR

Show
CI runs attached to PR

Description

~~CASSANDRA-15556~~ and related tickets showed that LZ4FastDecompressor can crash the JVM and that LZ4SafeDecompressor performs better w/o the crash risk — its also not deprecated. While we protect ourselves by checksumming the compressed data but that doesn’t mean we should leave deprecated code that can segfault the jvm (providing a potential DDOS vector among other things) in crucial places like io.compress.

Attachments

Issue Links

is related to

CASSANDRA-15782 Compression test failure

Resolved

Activity

People

Assignee:: Berenguer Blasi

Reporter:: Jordan West

Authors:: Berenguer Blasi

Reviewers:: Brandon Williams

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 07/Feb/20 21:36

Updated:: 15/May/20 08:54

Resolved:: 30/Apr/20 15:26

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

0.5h