From e065d6675c95e37144284f2ee5af3f7e326f9efe Mon Sep 17 00:00:00 2001 From: zhangyu235 Date: Fri, 18 Jan 2019 22:11:29 +0800 Subject: [PATCH 062/111] docker: check file size before reading "envfile" and "labelfile", in case OOM reason:check file size before reading "envfile" and "labelfile", in case OOM Cherry-pick from docker 1.11.2: - 931660a check file size before reading "envfile" and "labelfile", in case OOM Change-Id: I32bc7951565d0e6e720cf7d9f1d53f8709ebc8b3 Signed-off-by: panwenxiang Signed-off-by: zhangyu235 --- components/cli/cli/command/container/opts.go | 28 +++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/components/cli/cli/command/container/opts.go b/components/cli/cli/command/container/opts.go index cbbc110f9c..a1bf2be79a 100644 --- a/components/cli/cli/command/container/opts.go +++ b/components/cli/cli/command/container/opts.go @@ -28,7 +28,7 @@ var ( deviceCgroupRuleRegexp = regexp.MustCompile(`^[acb] ([0-9]+|\*):([0-9]+|\*) [rwm]{1,3}$`) ) -const seccompFileMaxSize = 10 * 1024 * 1024 +const fileMaxSize = 10 * 1024 * 1024 // containerOptions is a data object with all the options for creating a container type containerOptions struct { @@ -435,12 +435,20 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err } // collect all the environment variables for the container + err = checkFileSizeValid(copts.envFile.GetAll()) + if err != nil { + return nil, err + } envVariables, err := opts.ReadKVEnvStrings(copts.envFile.GetAll(), copts.env.GetAll()) if err != nil { return nil, err } // collect all the labels for the container + err = checkFileSizeValid(copts.envFile.GetAll()) + if err != nil { + return nil, err + } labels, err := opts.ReadKVStrings(copts.labelsFile.GetAll(), copts.labels.GetAll()) if err != nil { return nil, err @@ -692,6 +700,20 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err }, nil } +// check file size +func checkFileSizeValid(files []string) error { + for _, ef := range files { + fileInfo, err := os.Stat(ef) + if err != nil { + return err + } + if fileInfo.Size() > fileMaxSize { + return fmt.Errorf("check (%s) file size is %d, size exceed limit %d ", ef, fileInfo.Size(), fileMaxSize) + } + } + return nil +} + func parsePortOpts(publishOpts []string) ([]string, error) { optsList := []string{} for _, publish := range publishOpts { @@ -731,8 +753,8 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) { if con[0] == "seccomp" && con[1] != "unconfined" { if fileInfo, err := os.Stat(con[1]); err != nil { return securityOpts, fmt.Errorf("stat seccomp profile (%s) failed: %v", con[1], err) - } else if fileInfo.Size() > seccompFileMaxSize { - return securityOpts, fmt.Errorf("stat seccomp profile (%s) failed: size exceed limit %dM", con[1], seccompFileMaxSize/1024/1024) + } else if fileInfo.Size() > fileMaxSize { + return securityOpts, fmt.Errorf("stat seccomp profile (%s) failed: size exceed limit %dM", con[1], fileMaxSize/1024/1024) } f, err := ioutil.ReadFile(con[1]) if err != nil { -- 2.17.1