metadata server errors out with a request missing X-Instance-ID-Signature header

Bug #1408625 reported by Tomoe Sugihara
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Undecided | Tomoe Sugihara |

Bug Description

When the metadata server (nova-api:8775 by default) gets a request without the X-Instance-ID-Signature header, the server errors out with the following stacktrace:

2015-01-08 18:10:51.955 INFO nova.metadata.wsgi.server [-] 127.0.0.1 "GET / HTTP/1.1" status: 200 len: 215 time: 0.0011151
2015-01-08 18:10:55.354 ERROR nova.api.ec2 [-] FaultWrapper: object of type 'NoneType' has no len()
2015-01-08 18:10:55.354 TRACE nova.api.ec2 Traceback (most recent call last):
2015-01-08 18:10:55.354 TRACE nova.api.ec2 File "/opt/stack/nova/nova/api/ec2/__init__.py", line 90, in __call__
2015-01-08 18:10:55.354 TRACE nova.api.ec2 return req.get_response(self.application)
2015-01-08 18:10:55.354 TRACE nova.api.ec2 File "build/bdist.linux-x86_64/egg/webob/request.py", line 1320, in send
2015-01-08 18:10:55.354 TRACE nova.api.ec2 application, catch_exc_info=False)
2015-01-08 18:10:55.354 TRACE nova.api.ec2 File "build/bdist.linux-x86_64/egg/webob/request.py", line 1284, in call_application
2015-01-08 18:10:55.354 TRACE nova.api.ec2 app_iter = application(self.environ, start_response)
2015-01-08 18:10:55.354 TRACE nova.api.ec2 File "build/bdist.linux-x86_64/egg/webob/dec.py", line 130, in __call__
2015-01-08 18:10:55.354 TRACE nova.api.ec2 resp = self.call_func(req, *args, **self.kwargs)
2015-01-08 18:10:55.354 TRACE nova.api.ec2 File "build/bdist.linux-x86_64/egg/webob/dec.py", line 195, in call_func
2015-01-08 18:10:55.354 TRACE nova.api.ec2 return self.func(req, *args, **kwargs)
2015-01-08 18:10:55.354 TRACE nova.api.ec2 File "/opt/stack/nova/nova/api/ec2/__init__.py", line 102, in __call__
2015-01-08 18:10:55.354 TRACE nova.api.ec2 rv = req.get_response(self.application)
2015-01-08 18:10:55.354 TRACE nova.api.ec2 File "build/bdist.linux-x86_64/egg/webob/request.py", line 1320, in send
2015-01-08 18:10:55.354 TRACE nova.api.ec2 application, catch_exc_info=False)
2015-01-08 18:10:55.354 TRACE nova.api.ec2 File "build/bdist.linux-x86_64/egg/webob/request.py", line 1284, in call_application
2015-01-08 18:10:55.354 TRACE nova.api.ec2 app_iter = application(self.environ, start_response)
2015-01-08 18:10:55.354 TRACE nova.api.ec2 File "build/bdist.linux-x86_64/egg/webob/dec.py", line 130, in __call__
2015-01-08 18:10:55.354 TRACE nova.api.ec2 resp = self.call_func(req, *args, **self.kwargs)
2015-01-08 18:10:55.354 TRACE nova.api.ec2 File "build/bdist.linux-x86_64/egg/webob/dec.py", line 195, in call_func
2015-01-08 18:10:55.354 TRACE nova.api.ec2 return self.func(req, *args, **kwargs)
2015-01-08 18:10:55.354 TRACE nova.api.ec2 File "/opt/stack/nova/nova/api/metadata/handler.py", line 110, in __call__
2015-01-08 18:10:55.354 TRACE nova.api.ec2 meta_data = self._handle_instance_id_request(req)
2015-01-08 18:10:55.354 TRACE nova.api.ec2 File "/opt/stack/nova/nova/api/metadata/handler.py", line 187, in _handle_instance_id_request
2015-01-08 18:10:55.354 TRACE nova.api.ec2 if not utils.constant_time_compare(expected_signature, signature):
2015-01-08 18:10:55.354 TRACE nova.api.ec2 File "/opt/stack/nova/nova/utils.py", line 1140, in constant_time_compare
2015-01-08 18:10:55.354 TRACE nova.api.ec2 if len(first) != len(second):
2015-01-08 18:10:55.354 TRACE nova.api.ec2 TypeError: object of type 'NoneType' has no len()
2015-01-08 18:10:55.354 TRACE nova.api.ec2

It'd be safer to validate against non-existence.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/145755

Changed in nova:
assignee: nobody → Tomoe Sugihara (tomoe)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/145755
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=77d09813344651114ac5acd0c126b42f888b61fa
Submitter: Jenkins
Branch: master

commit 77d09813344651114ac5acd0c126b42f888b61fa
Author: Tomoe Sugihara <email address hidden>
Date: Thu Jan 8 18:23:42 2015 +0900

    Guard against missing X-Instance-ID-Signature header

    Metadata server errors out if the X-Instance-ID-Signature
    header is missing in the request. This patch
    validates the existence to return 400 error if missing.

    Closes-bug: #1408625

    Change-Id: Id6d32cc2d141a6248f6021831fd431ee143e3473

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → kilo-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: kilo-2 → 2015.1.0
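
The failure in the traceback and the guard described in the commit message, as an added example that is not nova's code. It assumes the signature is the hex HMAC-SHA256 of an X-Instance-ID header under a shared secret; the function names, the secret, the instance ID and the 403 on mismatch are choices made for this example.

```python
import hashlib
import hmac

# Constructed values for illustration only.
SHARED_SECRET = b"constructed-shared-secret"
INSTANCE_ID = "constructed-instance-id"


def constant_time_compare(first, second):
    """Comparison shaped like the one in the traceback: len() on both inputs."""
    if len(first) != len(second):  # TypeError when either side is None
        return False
    result = 0
    for x, y in zip(first.encode(), second.encode()):
        result |= x ^ y
    return result == 0


def sign(instance_id, secret=SHARED_SECRET):
    # Assumption: the signature is the hex HMAC-SHA256 of the instance ID.
    return hmac.new(secret, instance_id.encode(), hashlib.sha256).hexdigest()


def check_unguarded(headers):
    """Pre-fix shape: a missing header reaches the comparison as None."""
    signature = headers.get("X-Instance-ID-Signature")
    expected = sign(headers.get("X-Instance-ID", ""))
    return 200 if constant_time_compare(expected, signature) else 403


def check_guarded(headers):
    """Post-fix shape per the commit message: 400 when the header is missing."""
    instance_id = headers.get("X-Instance-ID")
    signature = headers.get("X-Instance-ID-Signature")
    # The missing instance ID is also rejected here (this example's choice).
    if instance_id is None or signature is None:
        return 400  # malformed request, rejected before any comparison
    expected = sign(instance_id)
    # Compare as bytes: hmac.compare_digest raises TypeError on non-ASCII str,
    # which would reintroduce an unhandled error for attacker-chosen input.
    ok = hmac.compare_digest(expected.encode(), signature.encode("utf-8"))
    return 200 if ok else 403
```

The guard has to sit before the comparison: both the hand-rolled helper and `hmac.compare_digest` raise `TypeError` when handed `None`, so the check cannot be left to the comparison function.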