From 1861b5bdbf52575353281b32975c171a8cb11071 Mon Sep 17 00:00:00 2001
From: hjf
Date: Mon, 27 Feb 2023 17:08:16 +0800
Subject: [PATCH] =?UTF-8?q?CVE-2022-23471=20=E5=AE=89=E5=85=A8=E6=9B=B4?= =?UTF-8?q?=E6=96=B0=EF=BC=9Acontainerd=201.6.12=E4=B9=8B=E5=89=8D?= =?UTF-8?q?=E7=89=88=E6=9C=AC=E3=80=811.5.16=E4=B9=8B=E5=89=8D=E7=89=88?= =?UTF-8?q?=E6=9C=AC=E4=B8=AD=E5=AD=98=E5=9C=A8=E8=B5=84=E6=BA=90=E7=AE=A1?= =?UTF-8?q?=E7=90=86=E9=94=99=E8=AF=AF=E6=BC=8F=E6=B4=9E.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 debian/changelog | 6 ++++++
 pkg/cri/streaming/remotecommand/httpstream.go | 15 ++++++++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 7f5f481..091db2d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+containerd (1.5.9-ok3) yangtze; urgency=medium
+
+ * xie_shang CVE-2022-23471 安全更新:containerd 1.6.12之前版本、1.5.16之前版本中存在资源管理错误漏洞.
+
+ -- hjf Mon, 27 Feb 2023 17:06:57 +0800
+
 containerd (1.5.9-ok2) yangtze; urgency=medium

 * Update version info.
diff --git a/pkg/cri/streaming/remotecommand/httpstream.go b/pkg/cri/streaming/remotecommand/httpstream.go
index 0417a1a..9177fa7 100644
--- a/pkg/cri/streaming/remotecommand/httpstream.go
+++ b/pkg/cri/streaming/remotecommand/httpstream.go
@@ -33,6 +33,7 @@ limitations under the License.
 package remotecommand

 import (
+ gocontext "context"
 "encoding/json"
 "errors"
 "fmt"
@@ -132,7 +133,7 @@ func createStreams(req *http.Request, w http.ResponseWriter, opts *Options, supp

 if ctx.resizeStream != nil {
 ctx.resizeChan = make(chan remotecommand.TerminalSize)
- go handleResizeEvents(ctx.resizeStream, ctx.resizeChan)
+ go handleResizeEvents(req.Context(), ctx.resizeStream, ctx.resizeChan)
 }

 return ctx, true
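Review bot: At the `go handleResizeEvents(req.Context(), …)` call in createStreams, nothing records what is expected to cancel the request context, and once nothing drains `ctx.resizeChan` that cancellation is the only exit for the goroutine. A comment above the call would make the lifetime explicit, for example `// req.Context() is cancelled when the handler returns, which stops handleResizeEvents even if resizeChan is never read.` The local `ctx` on this line is the stream-context value rather than a Go context, presumably the reason for the `gocontext` import alias, so the comment also helps avoid misreading it. createStreams starts and ends outside the hunk.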
@@ -425,7 +426,7 @@ WaitForStreams:
 // supportsTerminalResizing returns false because v1ProtocolHandler doesn't support it.
 func (*v1ProtocolHandler) supportsTerminalResizing() bool { return false }

-func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalSize) {
+func handleResizeEvents(ctx gocontext.Context, stream io.Reader, channel chan<- remotecommand.TerminalSize) {
 defer runtime.HandleCrash()
 defer close(channel)

@@ -435,7 +436,15 @@ func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalS
 if err := decoder.Decode(&size); err != nil {
 break
 }
- channel <- size
+
+ select {
+ case channel <- size:
+ case <-ctx.Done():
+ // To avoid leaking this routine, exit if the http request finishes. This path
+ // would generally be hit if starting the process fails and nothing is started to
+ // ingest these resize events.
+ return
+ }
 }
 }
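Review bot: handleResizeEvents in the `@@ -425,7 +426,7 @@` hunk gains a `ctx` parameter but still has no doc comment, so the contract that fixes the leak is only visible inside the loop. I would add `// handleResizeEvents decodes terminal sizes from stream and sends them on channel until decoding fails or ctx is done; channel is closed on return.` The function body continues past this hunk.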
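Review bot: In the `@@ -435,7 +436,15 @@` hunk the new `select` guards only the send; `decoder.Decode(&size)` above it still blocks with no reference to `ctx`, so cancellation is noticed only while the goroutine is parked on `channel <- size`. That is enough for the failed-start case the comment describes, and presumably the stream read fails once the connection is torn down, but neither is visible here. A regression test that cancels the context while nothing reads the channel and then asserts the channel is closed would pin the behaviour this security fix relies on. The loop and function start outside the hunk.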