From 33f699bad4fea0f512e946a2989610439035e5bd Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Sat, 11 Nov 2017 12:00:48 +0100
Subject: [PATCH] server: validate labels size to avoid dos
Signed-off-by: Antonio Murdaca
---
 server/container_create.go | 4 ++++
 server/sandbox_run.go | 4 ++++
 server/utils.go | 14 ++++++++++++++
 3 files changed, 22 insertions(+)
diff --git a/server/container_create.go b/server/container_create.go
index 9b052639..e69adef5 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -720,6 +720,10 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 labels := containerConfig.GetLabels()
+ if err := validateLabels(labels); err != nil {
+ return nil, err
+ }
+
 metadata := containerConfig.GetMetadata()
 kubeAnnotations := containerConfig.GetAnnotations()
diff --git a/server/sandbox_run.go b/server/sandbox_run.go
index e31a3d3a..4f9ced22 100644
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@@ -224,6 +224,10 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 // add labels
 labels := req.GetConfig().GetLabels()
+ if err := validateLabels(labels); err != nil {
+ return nil, err
+ }
+
 // Add special container name label for the infra container
 labelsJSON := []byte{}
 if labels != nil {
diff --git a/server/utils.go b/server/utils.go
index 1e98aef2..2a15ab42 100644
--- a/server/utils.go
+++ b/server/utils.go
@@ -18,6 +18,8 @@ const (
 // According to http://man7.org/linux/man-pages/man5/resolv.conf.5.html:
 // "The search list is currently limited to six domains with a total of 256 characters."
 maxDNSSearches = 6
+
+ maxLabelSize = 4096
 )
 func copyFile(src, dest string) error {
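Review bot: The validateLabels call added after `labels := containerConfig.GetLabels()` bounds each key/value pair but not the number of entries in the map, so a request carrying many labels that individually stay under maxLabelSize still passes and is kept and processed downstream; if the subject's goal is to cap what one request can pin in memory, the count needs a bound as well, e.g. a new constant beside maxLabelSize and `if len(labels) > maxLabelCount { return nil, fmt.Errorf("too many labels (%d), maximum is %d", len(labels), maxLabelCount) }` (or the same check inside validateLabels). The same gap applies to the identical call in the sandbox_run.go hunk, where labels appears to be serialized into labelsJSON right after the check. createSandboxContainer continues outside the hunk.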
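Review bot: maxLabelSize in the utils.go const block is added without a comment, while the neighbouring maxDNSSearches documents where its limit comes from; a one-liner would tell the next reader what the number bounds and that it is a local choice: `// maxLabelSize caps len(key)+len(value) of a single label accepted from a CRI request; enforced by validateLabels.` The const block begins outside the hunk.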
@@ -196,3 +198,15 @@ func recordError(operation string, err error) {
 metrics.CRIOOperationsErrors.WithLabelValues(operation).Inc()
 }
 }
+
+func validateLabels(labels map[string]string) error {
+ for k, v := range labels {
+ if (len(k) + len(v)) > maxLabelSize {
+ if len(k) > 10 {
+ k = k[:10]
+ }
+ return fmt.Errorf("label key and value greater than maximum size (%d bytes), key: %s", maxLabelSize, k)
+ }
+ }
+ return nil
+}
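Review bot: The fmt.Errorf line embeds a client-supplied key with `%s`, and the byte-level truncation `k = k[:10]` just above it can cut a multi-byte UTF-8 sequence in half, so the returned message can carry control characters or invalid UTF-8 into logs and into the error the caller returns; using `%q` escapes those bytes and makes the truncation harmless: `return fmt.Errorf("label key and value greater than maximum size (%d bytes), key: %q", maxLabelSize, k)`. Because map iteration order is random, which key gets reported when several pairs exceed the limit is nondeterministic, which is acceptable but worth a comment on the `for k, v := range labels` line. validateLabels also lacks a doc comment; `// validateLabels rejects any label whose key and value together exceed maxLabelSize.` would do. The hunk does not show utils.go's import block, so it is assumed fmt is already imported there.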