server: validate labels size to avoid dos

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-11-11 12:00:48 +01:00 · 2017-11-11 12:00:48 +01:00 · ed34ff3255
commit ed34ff3255
parent ce319adcfe
3 changed files with 22 additions and 0 deletions
--- a/server/container_create.go
+++ b/server/container_create.go
@ -620,6 +620,10 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,

 	labels := containerConfig.GetLabels()

+	if err := validateLabels(labels); err != nil {
+		return nil, err
+	}
+
 	metadata := containerConfig.GetMetadata()

 	kubeAnnotations := containerConfig.GetAnnotations()
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@ -227,6 +227,10 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 	// add labels
 	labels := req.GetConfig().GetLabels()

+	if err := validateLabels(labels); err != nil {
+		return nil, err
+	}
+
 	// Add special container name label for the infra container
 	labelsJSON := []byte{}
 	if labels != nil {
--- a/server/utils.go
+++ b/server/utils.go
@ -18,6 +18,8 @@ const (
 	// According to http://man7.org/linux/man-pages/man5/resolv.conf.5.html:
 	// "The search list is currently limited to six domains with a total of 256 characters."
 	maxDNSSearches = 6
+
+	maxLabelSize = 4096
 )

 func copyFile(src, dest string) error {
@ -196,3 +198,15 @@ func recordError(operation string, err error) {
 		metrics.CRIOOperationsErrors.WithLabelValues(operation).Inc()
 	}
 }
+
+func validateLabels(labels map[string]string) error {
+	for k, v := range labels {
+		if (len(k) + len(v)) > maxLabelSize {
+			if len(k) > 10 {
+				k = k[:10]
+			}
+			return fmt.Errorf("label key and value greater than maximum size (%d bytes), key: %s", maxLabelSize, k)
+		}
+	}
+	return nil
+}