Fix #581: Add CRC32 checksum verification for pushdata/fetchdata data channels

[OmDoshi13]

Summary

Fixes #581 — silent data corruption caused by network-layer corruption between leader and followers going undetected until user read/write time.

• Root cause: Data left the leader intact but could be corrupted in the network layer. Followers accepted and stored whatever arrived; users only discovered corruption at read/write time.
• Fix: Attach a CRC32 checksum to every data packet sent over the PushData and FetchData channels. The receiver recomputes the checksum and drops the packet on mismatch, letting Raft retry rather than writing corrupted bytes to disk.

Key implementation details

• CRC32 computed over the full data payload at send time; verified before any write on the follower
• FetchData response uses a self-describing magic-byte framing header (FETCH_DATA_RESPONSE_MAGIC) so receivers detect the header without consulting per-node config — safe under hotswap config asymmetry during rolling upgrades
• data_checksum_enabled defaults to false; operators enable via hotswap after all nodes are running the new binary to avoid old nodes misinterpreting the framing header as block data
• Added data_checksum_mismatch_cnt metric for observability
• FlatBuffer verifier added on the receive path to guard against malformed headers
• Per-entry lsn/dsn/raft_term attached to ResponseEntry for richer diagnostics

Correctness fixes (commit 3)

Three issues identified during review and fixed before merge:

• F1 — Immediate re-fetch on FetchData checksum mismatch: Previously a mismatch silently dropped the entry and waited for the full data_receive_timeout_ms (10s) before Raft retried. Now mismatched rreqs are collected during the response loop and passed to check_and_fetch_remote_data() immediately after, eliminating the stall.
• F2 — Unsigned underflow guard in handle_fetch_data_response: A truncated or malformed response could cause total_size -= data_size to wrap to ~4GB and advance raw_data past the buffer boundary in release builds. Added an explicit data_size > total_size guard with early return before each subtraction.
• F3 — FlatBuffer verifier on PushData receive path: push_req fields were accessed before the buffer was verified in on_push_data_received. A corrupted or crafted push RPC could cause out-of-bounds reads via the unverified FlatBuffer accessor. Added flatbuffers::Verifier call before any field access, matching the pattern already present on the FetchData response path.

Test plan

• Checksum_Enabled_PushData_Path — happy path with checksums on; writes commit correctly across all replicas
• Checksum_Enabled_FetchData_Path — drops all push-data on followers forcing fetch path; verifies framing header is parsed correctly and data arrives intact
• Existing Follower_Fetch_OnActive_ReplicaGroup still passes (no regression)

All 3 tests passed across all 4 CI build variants (Debug/Sanitize, Debug/Coverage, Release/tcmalloc prerelease, Release/tcmalloc) — 100% tests passed, 0 failed out of 21 total.

[xiaoxichen]

@OmDoshi13 thanks for taking this and helping with the tech debt, It looks nice in general.

I think your changes can be categorised into 3 parts
A: Corner cases fixes, mainly in your commit 3.
B: Moving FetchDataResponse from raw to Flatbuffer
C: CRC implementation.

I dont have any problem with A and hoping A can be done in a separate PR to allow it be merged sooner.

For B, I saw you added a FETCH_DATA_RESPONSE_MAGIC as well as corresponding logic to support rolling upgrade and hybrid version, that is nice. And yes, It is totally a mistake in the past that skipping flatbuffer instead using raw format...

however, using the magic header is another dead-end, as we have to carry this "compatibility" tax forever, it doesnt help us in next release that removing the magic header and merge back to the native flat-buffer approach.

With this thinking, do you think we can directly using FlatBuffer w/o MAGIC, as flatbuffer is size-prefixed, we can read the first size_bytes, and check if that number makes sense , then proceed to flatbuffer::verify, if that is also passing it is very likely it is new format, then we check CRCs of raw data against what was in flatbuffer.

Basically I am trying to suggest try-and-fallback pattern.Note the raw data should be a homeobject blobs/shards where has a DataHeader with magic uint64_t magic{0x21fdffdba8d68fc6};, , that makes the flatbuffer prefixed size to be 2.6GB, which will very probably fails the basic size check.

    struct DataHeader {
        static constexpr uint8_t data_header_version = 0x02;
        static constexpr uint64_t data_header_magic = 0x21fdffdba8d68fc6; // echo "BlobHeader" | md5sum

        enum class data_type_t : uint32_t { SHARD_INFO = 1, BLOB_INFO = 2 };

        bool valid() const { return ((magic == data_header_magic) && (version <= data_header_version)); }

        uint64_t magic{data_header_magic};
        uint8_t version{data_header_version};
        data_type_t type{data_type_t::BLOB_INFO};
    };

[xiaoxichen]

For C:
Lets try to separate the enablement of CRC with the wire-format changes. If in B we moved to Flatbuffer, then checksum would have a default value of zero if not enabled, we probably want to skip the CRC checking if CRC field is zero.

A bit more context on the CRC: once we added length check, we never saw data corruption on wire anymore. Basically it is hard to see bit rot in TCP protocol as TCP protocol already provides its CRC in TCP-Header. Usually the error was caused by early terminating --- sender disconnected before sending full data, receiver received partial data and blindly using it without checking the prefix-size.

With this assumption and observation in production , I think we wont enable the CRC for generic use cases, only use in more durability sensitive environment if needed.

[OmDoshi13]

Hey @xiaoxichen, the branch has been updated — 147fcc8a is the latest commit and addresses your review feedback on parts B and C. Please ignore the earlier push events in the timeline.

[xiaoxichen]

lgtm.
cc @Besroy note this "might" be a breaking change if the detect-and-fallback on receiver side doesn't works as expected.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 23.63636% with 84 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (stable/v7.x@9c5bf78). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
src/lib/replication/repl_dev/raft_repl_dev.cpp	24.07%	43 Missing and 39 partials ⚠️
src/lib/replication/repl_dev/raft_repl_dev.h	0.00%	0 Missing and 2 partials ⚠️
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@              Coverage Diff               @@
##             stable/v7.x     #887   +/-   ##
==============================================
  Coverage               ?   47.90%           
==============================================
  Files                  ?      110           
  Lines                  ?    13056           
  Branches               ?     6289           
==============================================
  Hits                   ?     6254           
  Misses                 ?     2634           
  Partials               ?     4168           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[JacksonYao287]

we should not make any assumption of the layer above homestore. raft_repl_dev is not only used by homeobject , it`s probably used by other storage applicaion in the future.

if another application built on homestore has a very small first 4 bytes(let`s say 0x10, for example), the following logic will confuse the old version with the new one

[xiaoxichen]

who is "another" application as of now? If there is no one, then it is safe. Tomorrow after the PR merged if there is new application on top of homestore they already on new code.

[OmDoshi13]

Thanks @JacksonYao287 — and that's a valid concern in principle, but the detection doesn't rely on the DataHeader magic at all. The code uses three independent gates before treating a response as the new format:

1. BufferHasIdentifier(raw_data + sizeof(uoffset_t), "FDRS") — bytes 4–7 must literally be the ASCII string FDRS. This is emitted only by FinishSizePrefixedBuffer(..., "FDRS") in our on_fetch_data_received, so it cannot accidentally appear in a future application's raw block data.
2. Parsed size must be ≤ data_fetch_max_size_kb (2 MB).
3. flatbuffers::Verifier — validates internal FlatBuffer structure.

Any future application's raw block data would need to accidentally have 0x46 0x44 0x52 0x53 at byte offset 4, then pass the size check, then satisfy the Verifier — all three independently. The DataHeader magic example @xiaoxichen gave was illustrating why the size check works for the current application, but the "FDRS" identifier gate is what makes this safe for any future application.

Also fully agree with @xiaoxichen: any new application built on top of HomeStore after this PR merges will already have the new receiver code, so there's no backward compatibility concern there either.

[JacksonYao287]

the detection doesn't rely on the DataHeader magic at all
yes, this is what I want. it makes sense to me to involve independent gate handling this case.

my thought is that , as you said, we should have independent gate and not rely on the header magic(defined by the application).

@OmDoshi13 thanks for the change

[JacksonYao287]

can we distinguish push_data_checksum_mismatch_cnt and fetch_data_checksum_mismatch_cnt

[xiaoxichen]

reason?

[OmDoshi13]

Done — both push_data_checksum_mismatch_cnt and fetch_data_checksum_mismatch_cnt are now separate counters.

To answer @xiaoxichen's "reason?": push and fetch are distinct data paths with different failure modes. A mismatch on push (leader → follower direct RPC) narrows the problem to in-flight corruption or a sender-side CRC bug. A mismatch on fetch (follower pulling from leader) points to the same class of issue on a different code path. Keeping them separate lets operators immediately identify which channel is affected without having to correlate log timestamps or RPC traces.

[OmDoshi13]

@xiaoxichen — A, B, and C are all addressed in the current branch:

A (corner cases): The three fixes (F1 immediate re-fetch on mismatch, F2 underflow guard, F3 PushData Verifier null-guard) are all included.

B (FlatBuffer with try-and-fallback, no magic): The FETCH_DATA_RESPONSE_MAGIC approach has been replaced with the pattern you suggested. The receiver reads bytes 4–7 for the "FDRS" file identifier (set via FinishSizePrefixedBuffer), checks the parsed size against data_fetch_max_size_kb, then runs flatbuffers::Verifier. All three must pass before treating the response as the new format; otherwise it falls through to legacy raw-block processing. Old senders' DataHeader magic (0x21fdffdba8d68fc6) produces a uoffset_t of ~2.64 GB which fails the size check independently.

C (CRC with checksum=0 = disabled): The receiver skips CRC verification whenever the checksum field is zero (the FlatBuffer default). The config flag only controls the send side. The comment on data_checksum_enabled has been expanded to explicitly call out the UNSAFE direction (new sender with flag enabled → old receiver = silent corruption) and adds a DEPLOYMENT RULE: do not enable via hotswap until every node in the cluster has the try-and-fallback receiver.