CVE-2022-23471 安全更新：containerd 1.6.12之前版本、1.5.16之前版本中存在资源管理错误漏洞.

debian/changelog

@@ -1,3 +1,9 @@
+containerd (1.5.9-ok3) yangtze; urgency=medium
+
+  * xie_shang CVE-2022-23471 安全更新：containerd 1.6.12之前版本、1.5.16之前版本中存在资源管理错误漏洞. 
+
+ -- hjf <xieshang@bupt.edu.cn>  Mon, 27 Feb 2023 17:06:57 +0800
+
 containerd (1.5.9-ok2) yangtze; urgency=medium
 
   * Update version info. 

pkg/cri/streaming/remotecommand/httpstream.go

@@ -33,6 +33,7 @@ limitations under the License.
 package remotecommand
 
 import (
+	gocontext "context"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -132,7 +133,7 @@ func createStreams(req *http.Request, w http.ResponseWriter, opts *Options, supp
 
 	if ctx.resizeStream != nil {
 		ctx.resizeChan = make(chan remotecommand.TerminalSize)
-		go handleResizeEvents(ctx.resizeStream, ctx.resizeChan)
+		go handleResizeEvents(req.Context(), ctx.resizeStream, ctx.resizeChan)
 	}
 
 	return ctx, true
@@ -425,7 +426,7 @@ WaitForStreams:
 // supportsTerminalResizing returns false because v1ProtocolHandler doesn't support it.
 func (*v1ProtocolHandler) supportsTerminalResizing() bool { return false }
 
-func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalSize) {
+func handleResizeEvents(ctx gocontext.Context, stream io.Reader, channel chan<- remotecommand.TerminalSize) {
 	defer runtime.HandleCrash()
 	defer close(channel)
 
@@ -435,7 +436,15 @@ func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalS
 		if err := decoder.Decode(&size); err != nil {
 			break
 		}
-		channel <- size
+
+		select {
+		case channel <- size:
+		case <-ctx.Done():
+			// To avoid leaking this routine, exit if the http request finishes. This path
+			// would generally be hit if starting the process fails and nothing is started to
+			// ingest these resize events.
+			return
+		}
 	}
 }