88 lines
3.2 KiB
Diff
88 lines
3.2 KiB
Diff
From e065d6675c95e37144284f2ee5af3f7e326f9efe Mon Sep 17 00:00:00 2001
|
|
From: zhangyu235 <zhangyu235@huawei.com>
|
|
Date: Fri, 18 Jan 2019 22:11:29 +0800
|
|
Subject: [PATCH 062/111] docker: check file size before reading
|
|
"envfile" and "labelfile", in case OOM
|
|
|
|
reason:check file size before reading "envfile" and "labelfile", in case OOM
|
|
|
|
Cherry-pick from docker 1.11.2:
|
|
- 931660a check file size before reading "envfile" and "labelfile", in case OOM
|
|
|
|
Change-Id: I32bc7951565d0e6e720cf7d9f1d53f8709ebc8b3
|
|
Signed-off-by: panwenxiang <panwenxiang@huawei.com>
|
|
Signed-off-by: zhangyu235 <zhangyu235@huawei.com>
|
|
---
|
|
components/cli/cli/command/container/opts.go | 28 +++++++++++++++++---
|
|
1 file changed, 25 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/components/cli/cli/command/container/opts.go b/components/cli/cli/command/container/opts.go
|
|
index cbbc110f9c..a1bf2be79a 100644
|
|
--- a/components/cli/cli/command/container/opts.go
|
|
+++ b/components/cli/cli/command/container/opts.go
|
|
@@ -28,7 +28,7 @@ var (
|
|
deviceCgroupRuleRegexp = regexp.MustCompile(`^[acb] ([0-9]+|\*):([0-9]+|\*) [rwm]{1,3}$`)
|
|
)
|
|
|
|
-const seccompFileMaxSize = 10 * 1024 * 1024
|
|
+const fileMaxSize = 10 * 1024 * 1024
|
|
|
|
// containerOptions is a data object with all the options for creating a container
|
|
type containerOptions struct {
|
|
@@ -435,12 +435,20 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
|
|
}
|
|
|
|
// collect all the environment variables for the container
|
|
+ err = checkFileSizeValid(copts.envFile.GetAll())
|
|
+ if err != nil {
|
|
+ return nil, err
|
|
+ }
|
|
envVariables, err := opts.ReadKVEnvStrings(copts.envFile.GetAll(), copts.env.GetAll())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// collect all the labels for the container
|
|
+ err = checkFileSizeValid(copts.envFile.GetAll())
|
|
+ if err != nil {
|
|
+ return nil, err
|
|
+ }
|
|
labels, err := opts.ReadKVStrings(copts.labelsFile.GetAll(), copts.labels.GetAll())
|
|
if err != nil {
|
|
return nil, err
|
|
@@ -692,6 +700,20 @@ func parse(flags *pflag.FlagSet, copts *containerOptions) (*containerConfig, err
|
|
}, nil
|
|
}
|
|
|
|
+// check file size
|
|
+func checkFileSizeValid(files []string) error {
|
|
+ for _, ef := range files {
|
|
+ fileInfo, err := os.Stat(ef)
|
|
+ if err != nil {
|
|
+ return err
|
|
+ }
|
|
+ if fileInfo.Size() > fileMaxSize {
|
|
+ return fmt.Errorf("check (%s) file size is %d, size exceed limit %d ", ef, fileInfo.Size(), fileMaxSize)
|
|
+ }
|
|
+ }
|
|
+ return nil
|
|
+}
|
|
+
|
|
func parsePortOpts(publishOpts []string) ([]string, error) {
|
|
optsList := []string{}
|
|
for _, publish := range publishOpts {
|
|
@@ -731,8 +753,8 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) {
|
|
if con[0] == "seccomp" && con[1] != "unconfined" {
|
|
if fileInfo, err := os.Stat(con[1]); err != nil {
|
|
return securityOpts, fmt.Errorf("stat seccomp profile (%s) failed: %v", con[1], err)
|
|
- } else if fileInfo.Size() > seccompFileMaxSize {
|
|
- return securityOpts, fmt.Errorf("stat seccomp profile (%s) failed: size exceed limit %dM", con[1], seccompFileMaxSize/1024/1024)
|
|
+ } else if fileInfo.Size() > fileMaxSize {
|
|
+ return securityOpts, fmt.Errorf("stat seccomp profile (%s) failed: size exceed limit %dM", con[1], fileMaxSize/1024/1024)
|
|
}
|
|
f, err := ioutil.ReadFile(con[1])
|
|
if err != nil {
|
|
--
|
|
2.17.1
|
|
|