server: validate labels size to avoid dos

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Antonio Murdaca 2017-11-11 12:00:48 +01:00
parent befd719812
commit 33f699bad4
No known key found for this signature in database
GPG key ID: B2BEAD150DE936B9
3 changed files with 22 additions and 0 deletions


@ -720,6 +720,10 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
labels := containerConfig.GetLabels() labels := containerConfig.GetLabels()
if err := validateLabels(labels); err != nil {
return nil, err
}
metadata := containerConfig.GetMetadata() metadata := containerConfig.GetMetadata()
kubeAnnotations := containerConfig.GetAnnotations() kubeAnnotations := containerConfig.GetAnnotations()
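Review bot: `kubeAnnotations := containerConfig.GetAnnotations()`, two lines below the new check, comes from the same client-supplied config and gets no size validation, so oversized annotations are not bounded the way labels now are. The rest of createSandboxContainer is outside this hunk, so it is not visible whether annotations are later stored or serialized alongside the labels; if they are, a dedicated helper with its own limit, called as `if err := validateAnnotations(kubeAnnotations); err != nil { return nil, err }` (name is a suggestion), would cover them. The RunPodSandbox section adds the same labels-only check and may have the same gap.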


@ -224,6 +224,10 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
// add labels // add labels
labels := req.GetConfig().GetLabels() labels := req.GetConfig().GetLabels()
if err := validateLabels(labels); err != nil {
return nil, err
}
// Add special container name label for the infra container // Add special container name label for the infra container
labelsJSON := []byte{} labelsJSON := []byte{}
if labels != nil { if labels != nil {


@ -18,6 +18,8 @@ const (
// According to http://man7.org/linux/man-pages/man5/resolv.conf.5.html: // According to http://man7.org/linux/man-pages/man5/resolv.conf.5.html:
// "The search list is currently limited to six domains with a total of 256 characters." // "The search list is currently limited to six domains with a total of 256 characters."
maxDNSSearches = 6 maxDNSSearches = 6
maxLabelSize = 4096
) )
func copyFile(src, dest string) error { func copyFile(src, dest string) error {
@ -196,3 +198,15 @@ func recordError(operation string, err error) {
metrics.CRIOOperationsErrors.WithLabelValues(operation).Inc() metrics.CRIOOperationsErrors.WithLabelValues(operation).Inc()
} }
} }
func validateLabels(labels map[string]string) error {
for k, v := range labels {
if (len(k) + len(v)) > maxLabelSize {
if len(k) > 10 {
k = k[:10]
}
return fmt.Errorf("label key and value greater than maximum size (%d bytes), key: %s", maxLabelSize, k)
}
}
return nil
}
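Review bot: validateLabels bounds each key/value pair at maxLabelSize but not the number of entries, so a request carrying many labels that each stay under 4096 bytes still has unbounded total size; a cap on `len(labels)` or on the running sum of `len(k) + len(v)` would close that. The offending key is also echoed with `%s` after a byte-wise `k[:10]` cut, which can split a multi-byte rune and puts control characters from the request straight into the error text; `key: %q` in the format string would escape them. Neither maxLabelSize nor validateLabels has a comment saying what the limit covers; a doc comment such as `// validateLabels rejects any label whose key and value together exceed maxLabelSize bytes.` would make the contract explicit.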