Fix all PR review comments from Copilot and CodeQL

- Mask SMB username in startup log (CodeQL cleartext sensitive info)
- Restore NtStatus::Unknown(u32) variant for unknown SMB status codes
- Fix oplock level to 0x00 (SMB2_OPLOCK_LEVEL_NONE)
- Fix decode_read_response to read DataOffset as u16 not u8
- Mask NetBIOS length to 24 bits in frame_packet and send_compound
- Add bounds validation in parse_compound_response
- Restore Option return on RangeSpec::resolve, guard total==0
- Validate multipart parts before removing upload state
- Re-read SMB metadata after put_object for consistent ETag/mtime
- Remove duplicate mod/macro declarations from main.rs, use lib crate
- Restore sccache warm-build assertions and zero-stats reset
- Check Close status in compound create_close

Author: lukekim

scripts/test-sccache.sh

@@ -266,6 +266,8 @@ echo "[test] === cold build (populating cache) ==="
 rm -rf "$TEST_TARGET_DIR"
 CARGO_TARGET_DIR="$TEST_TARGET_DIR" cargo build 2>&1
 
+sccache --zero-stats 2>/dev/null || true
+
 echo ""
 echo "[test] === warm build (should hit cache) ==="
 rm -rf "$TEST_TARGET_DIR"
@@ -277,3 +279,17 @@ echo "[test] sccache stats:"
 echo "======================================="
 sccache --show-stats
 echo "======================================="
+
+# ── Verify cache hits ───────────────────────────────────────────────
+
+STATS=$(sccache --show-stats 2>&1)
+CACHE_HITS=$(echo "$STATS" | grep -m1 "^Cache hits" | awk '{print $NF}' || echo "0")
+WRITE_ERRORS=$(echo "$STATS" | grep -m1 "Cache write errors" | awk '{print $NF}' || echo "0")
+
+echo ""
+if [[ "${CACHE_HITS:-0}" -gt 0 && "${WRITE_ERRORS:-0}" -eq 0 ]]; then
+    echo "[test] PASS: warm build got $CACHE_HITS cache hits, 0 write errors"
+else
+    echo "[test] FAIL: expected cache hits > 0 (got ${CACHE_HITS:-0}) and write errors == 0 (got ${WRITE_ERRORS:-0})"
+    exit 1
+fi

src/main.rs

@@ -1,10 +1,5 @@
 //! spiceio — S3-compatible API proxy to SMB 3.1.1 file shares (macOS 26).
 
-mod crypto;
-mod log;
-mod s3;
-mod smb;
-
 use hyper::Request;
 use hyper::body::Incoming;
 use hyper_util::rt::TokioIo;
@@ -16,27 +11,17 @@ use std::sync::Arc;
 use tokio::net::TcpListener;
 use tokio::signal;
 
+use spiceio::log;
+use spiceio::s3;
+use spiceio::serr;
+use spiceio::slog;
+use spiceio::smb;
+
 use s3::multipart::MultipartStore;
 use s3::router::AppState;
 use smb::client::SmbConfig;
 use smb::ops::ShareSession;
 
-/// Log to stdout and optionally to a file (non-blocking).
-#[macro_export]
-macro_rules! slog {
-    ($($arg:tt)*) => {
-        $crate::log::emit(format_args!($($arg)*))
-    };
-}
-
-/// Log to stderr and optionally to a file (non-blocking).
-#[macro_export]
-macro_rules! serr {
-    ($($arg:tt)*) => {
-        $crate::log::emit_err(format_args!($($arg)*))
-    };
-}
-
 /// Runtime configuration parsed from environment variables.
 struct Config {
     /// Address to bind the HTTP server to
@@ -94,9 +79,15 @@ async fn main() {
 
     let config = Config::from_env();
 
+    let masked_user = if config.smb_username.is_empty() {
+        "***".to_string()
+    } else {
+        let first = &config.smb_username[..config.smb_username.chars().next().unwrap().len_utf8()];
+        format!("{first}***")
+    };
     slog!(
         "[spiceio] connecting to smb://{}@{}:{}/{}",
-        config.smb_username,
+        masked_user,
         config.smb_server,
         config.smb_port,
         config.smb_share

src/s3/headers.rs

@@ -60,12 +60,26 @@ pub fn parse_range(header: &str) -> Option<RangeSpec> {
 
 impl RangeSpec {
     /// Resolve to absolute byte positions given total file size.
-    pub fn resolve(&self, total: u64) -> (u64, u64) {
+    /// Returns `None` if `total == 0` or `start >= total`.
+    pub fn resolve(&self, total: u64) -> Option<(u64, u64)> {
+        if total == 0 {
+            return None;
+        }
         match (self.start, self.end) {
-            (Some(s), Some(e)) => (s, e.min(total - 1)),
-            (Some(s), None) => (s, total - 1),
-            (None, Some(suffix)) => (total.saturating_sub(suffix), total - 1),
-            (None, None) => (0, total - 1),
+            (Some(s), Some(e)) => {
+                if s >= total {
+                    return None;
+                }
+                Some((s, e.min(total - 1)))
+            }
+            (Some(s), None) => {
+                if s >= total {
+                    return None;
+                }
+                Some((s, total - 1))
+            }
+            (None, Some(suffix)) => Some((total.saturating_sub(suffix), total - 1)),
+            (None, None) => Some((0, total - 1)),
         }
     }
 }
@@ -199,7 +213,7 @@ mod tests {
             start: Some(0),
             end: Some(99),
         };
-        assert_eq!(r.resolve(100), (0, 99));
+        assert_eq!(r.resolve(100), Some((0, 99)));
     }
 
     #[test]
@@ -208,7 +222,7 @@ mod tests {
             start: Some(0),
             end: Some(999),
         };
-        assert_eq!(r.resolve(100), (0, 99));
+        assert_eq!(r.resolve(100), Some((0, 99)));
     }
 
     #[test]
@@ -217,7 +231,7 @@ mod tests {
             start: Some(50),
             end: None,
         };
-        assert_eq!(r.resolve(100), (50, 99));
+        assert_eq!(r.resolve(100), Some((50, 99)));
     }
 
     #[test]
@@ -226,7 +240,7 @@ mod tests {
             start: None,
             end: Some(10),
         };
-        assert_eq!(r.resolve(100), (90, 99));
+        assert_eq!(r.resolve(100), Some((90, 99)));
     }
 
     #[test]
@@ -235,7 +249,25 @@ mod tests {
             start: None,
             end: Some(200),
         };
-        assert_eq!(r.resolve(100), (0, 99));
+        assert_eq!(r.resolve(100), Some((0, 99)));
+    }
+
+    #[test]
+    fn resolve_zero_total() {
+        let r = RangeSpec {
+            start: Some(0),
+            end: Some(99),
+        };
+        assert_eq!(r.resolve(0), None);
+    }
+
+    #[test]
+    fn resolve_start_past_end() {
+        let r = RangeSpec {
+            start: Some(200),
+            end: None,
+        };
+        assert_eq!(r.resolve(100), None);
     }
 
     // ── parse_http_date ──────────────────────────────────────────────

src/s3/router.rs

@@ -571,8 +571,17 @@ async fn handle_get_object(
     // Determine read range
     let (start, end, is_range) = if let Some(ref range_str) = range_header {
         if let Some(range) = parse_range(range_str) {
-            let (s, e) = range.resolve(file_size);
-            (s, e, true)
+            match range.resolve(file_size) {
+                Some((s, e)) => (s, e, true),
+                None => {
+                    let _ = handle.close().await;
+                    return error_response(
+                        StatusCode::RANGE_NOT_SATISFIABLE,
+                        "InvalidRange",
+                        "The requested range is not satisfiable",
+                    );
+                }
+            }
         } else {
             (0, file_size.saturating_sub(1), false)
         }
@@ -1042,7 +1051,7 @@ async fn handle_complete_multipart_upload(
     key: &str,
     upload_id: &str,
 ) -> Response<SpiceioBody> {
-    let upload = match state.multipart.complete(upload_id).await {
+    let upload = match state.multipart.get(upload_id).await {
         Some(u) => u,
         None => {
             return error_response(
@@ -1062,14 +1071,24 @@ async fn handle_complete_multipart_upload(
         })
         .collect();
 
+    // Validate all requested parts exist before assembly
+    for pn in &part_numbers {
+        if !upload.parts.contains_key(pn) {
+            return error_response(
+                StatusCode::BAD_REQUEST,
+                "InvalidPart",
+                &format!("Part {pn} not found"),
+            );
+        }
+    }
+
     // Concatenate parts in order and write the final object
     let mut final_data = Vec::new();
     for pn in &part_numbers {
         if let Some(part) = upload.parts.get(pn) {
             match state.share.read_temp(&part.temp_path).await {
                 Ok(data) => final_data.extend_from_slice(&data),
                 Err(e) => {
-                    // Re-register the upload since we consumed it
                     return io_to_s3_error(&e);
                 }
             }
@@ -1082,9 +1101,14 @@ async fn handle_complete_multipart_upload(
         Err(e) => return io_to_s3_error(&e),
     };
 
+    // Only now remove the upload from the store
+    let upload = state.multipart.complete(upload_id).await;
+
     // Clean up temp files (best effort)
-    for part in upload.parts.values() {
-        state.share.delete_temp(&part.temp_path).await;
+    if let Some(upload) = upload {
+        for part in upload.parts.values() {
+            state.share.delete_temp(&part.temp_path).await;
+        }
     }
     let marker_path = format!("{}\\marker", MultipartStore::temp_dir(upload_id));
     state.share.delete_temp(&marker_path).await;

src/smb/client.rs

@@ -518,7 +518,7 @@ impl SmbClient {
 
         let total: usize = sizes.iter().sum();
         let mut buf = BytesMut::with_capacity(4 + total);
-        buf.put_u32(total as u32); // NetBIOS length (big-endian)
+        buf.put_u32((total as u32) & 0x00FF_FFFF); // NetBIOS length (big-endian, masked to 24 bits)
 
         for (i, (mut header, body)) in requests.into_iter().enumerate() {
             let body_len = body.len();
@@ -620,6 +620,12 @@ impl SmbClient {
         }
         let cr = decode_create_response(&resp[0].1)
             .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidData, "invalid create response"))?;
+        if NtStatus::from_u32(resp[1].0.status).is_error() {
+            crate::serr!(
+                "[spiceio] smb compound close failed: 0x{:08X}",
+                resp[1].0.status
+            );
+        }
         let cl = decode_close_response(&resp[1].1).unwrap_or(CloseResponse {
             last_write_time: cr.last_write_time,
             file_size: cr.file_size,
@@ -899,7 +905,18 @@ fn parse_compound_response(msg: &[u8]) -> Vec<(Header, Vec<u8>)> {
 
         let next = header.next_command as usize;
         let body_start = offset + SMB2_HEADER_SIZE;
-        let body_end = if next > 0 { offset + next } else { msg.len() };
+        let body_end = if next > 0 {
+            let end = offset + next;
+            if end > msg.len() || end < body_start {
+                break;
+            }
+            end
+        } else {
+            msg.len()
+        };
+        if body_start > body_end || body_end > msg.len() {
+            break;
+        }
 
         let body = msg[body_start..body_end].to_vec();
         results.push((header, body));

src/smb/ops.rs

@@ -302,13 +302,11 @@ impl ShareSession {
 
         let _ = self.client.close(self.tree_id, &file.file_id).await;
 
+        let meta = self.head_object(key).await?;
         Ok(ObjectMeta {
             size: data.len() as u64,
-            last_modified: std::time::SystemTime::now()
-                .duration_since(std::time::UNIX_EPOCH)
-                .unwrap_or_default()
-                .as_secs(),
-            etag: format!("{:016x}", simple_hash(data)),
+            last_modified: meta.last_modified,
+            etag: meta.etag,
             content_type: guess_content_type(key),
         })
     }
@@ -609,17 +607,6 @@ fn guess_content_type(key: &str) -> String {
     .into()
 }
 
-/// Simple non-cryptographic hash for ETags.
-fn simple_hash(data: &[u8]) -> u64 {
-    // FNV-1a
-    let mut hash: u64 = 0xcbf29ce484222325;
-    for &byte in data {
-        hash ^= byte as u64;
-        hash = hash.wrapping_mul(0x100000001b3);
-    }
-    hash
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;