server: validate labels size to avoid dos
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
parent
befd719812
commit
33f699bad4
3 changed files with 22 additions and 0 deletions
|
@ -720,6 +720,10 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
||||||
|
|
||||||
labels := containerConfig.GetLabels()
|
labels := containerConfig.GetLabels()
|
||||||
|
|
||||||
|
if err := validateLabels(labels); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
metadata := containerConfig.GetMetadata()
|
metadata := containerConfig.GetMetadata()
|
||||||
|
|
||||||
kubeAnnotations := containerConfig.GetAnnotations()
|
kubeAnnotations := containerConfig.GetAnnotations()
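Review bot: Only the labels are size-checked in createSandboxContainer; the annotations read two lines later by `containerConfig.GetAnnotations()` come from the same request and, as far as this hunk shows, get no comparable limit, so the same oversized-input path may remain open through them. If annotations are not validated elsewhere, a matching check after that line would close the gap, for example `if err := validateLabels(kubeAnnotations); err != nil { return nil, err }`, or a dedicated helper so the error text says "annotation" rather than "label". The RunPodSandbox hunk has the same shape and probably the same gap for the pod's annotations, though they are not visible there. The function body starts and ends outside the hunk.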
|
||||||
|
|
|
@ -224,6 +224,10 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
|
||||||
// add labels
|
// add labels
|
||||||
labels := req.GetConfig().GetLabels()
|
labels := req.GetConfig().GetLabels()
|
||||||
|
|
||||||
|
if err := validateLabels(labels); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
// Add special container name label for the infra container
|
// Add special container name label for the infra container
|
||||||
labelsJSON := []byte{}
|
labelsJSON := []byte{}
|
||||||
if labels != nil {
|
if labels != nil {
|
||||||
|
|
|
@ -18,6 +18,8 @@ const (
|
||||||
// According to http://man7.org/linux/man-pages/man5/resolv.conf.5.html:
|
// According to http://man7.org/linux/man-pages/man5/resolv.conf.5.html:
|
||||||
// "The search list is currently limited to six domains with a total of 256 characters."
|
// "The search list is currently limited to six domains with a total of 256 characters."
|
||||||
maxDNSSearches = 6
|
maxDNSSearches = 6
|
||||||
|
|
||||||
|
maxLabelSize = 4096
|
||||||
)
|
)
|
||||||
|
|
||||||
func copyFile(src, dest string) error {
|
func copyFile(src, dest string) error {
|
||||||
|
@ -196,3 +198,15 @@ func recordError(operation string, err error) {
|
||||||
metrics.CRIOOperationsErrors.WithLabelValues(operation).Inc()
|
metrics.CRIOOperationsErrors.WithLabelValues(operation).Inc()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func validateLabels(labels map[string]string) error {
|
||||||
|
for k, v := range labels {
|
||||||
|
if (len(k) + len(v)) > maxLabelSize {
|
||||||
|
if len(k) > 10 {
|
||||||
|
k = k[:10]
|
||||||
|
}
|
||||||
|
return fmt.Errorf("label key and value greater than maximum size (%d bytes), key: %s", maxLabelSize, k)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
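Review bot: validateLabels bounds each key/value pair at maxLabelSize but not the number of labels, so a request carrying many labels just under 4096 bytes each still passes and the total label payload stays unbounded. If the goal is to cap what the server later marshals and stores, also accumulate `len(k) + len(v)` across the loop and reject once the sum exceeds an aggregate limit. The error message prints the caller-supplied key with `%s` after the byte slice `k[:10]`, which can cut a multi-byte UTF-8 character and passes control characters straight into whatever logs the error; `key: %q` would escape both. A doc comment such as `// validateLabels rejects any label whose key and value together exceed maxLabelSize bytes.` would state that the limit is per label.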
|
||||||
|
|