Skip to content

cli/context/store: limit decompressed size of TLS files on zip import#7105

Open
UditDewan wants to merge 1 commit into
docker:masterfrom
UditDewan:fix-context-import-zip-tls-limit
Open

cli/context/store: limit decompressed size of TLS files on zip import#7105
UditDewan wants to merge 1 commit into
docker:masterfrom
UditDewan:fix-context-import-zip-tls-limit

Conversation

@UditDewan

Copy link
Copy Markdown

- What I did

Fixed a memory exhaustion issue in docker context import with zip archives (fixes #6917).

The meta.json entry of an imported zip archive is read through limitedReader (10MB cap), but tls/ entries were read with a bare io.ReadAll. Only the compressed archive size was capped, so a small crafted zip containing a highly compressible TLS entry could decompress to gigabytes and OOM the CLI.

- How I did it

  • Read TLS entries in importZip through the same limitedReader already used for meta.json.
  • Removed the l.N == 0 early-EOF branch from limitedReader.Read. Without this, content exceeding the limit was silently truncated (instead of rejected) whenever a read landed exactly on the remaining budget — which is deterministic for zip imports, since flate delivers 32KiB chunks that divide the 10MB cap evenly. True end-of-data still returns a clean io.EOF via the underlying reader.

- How to verify it

go test ./cli/context/store/

New regression tests:

  • TestImportZipTLSDataTooLarge — imports a zip whose TLS entry inflates past the cap while the archive itself stays well under it, and asserts the import errors.
  • an added TestLimitReaderReadAll case using iotest.OneByteReader that lands a read exactly on the limit with data remaining, and asserts the limit error is returned.

- Human readable description for the release notes

Fix `docker context import` allocating unbounded memory for TLS files contained in zip archives

The meta.json entry of an imported zip archive was read through
limitedReader, but TLS entries were read with a bare io.ReadAll. Only
the compressed archive size was capped, so a crafted zip entry could
decompress to many times the allowed import size and exhaust memory.

Apply the same size cap to TLS entries, and make limitedReader return
its limit error instead of a clean EOF when a read lands exactly on
the limit while more data remains, so oversized content fails instead
of being silently truncated.

Fixes docker#6917

Signed-off-by: uditDewan <udit.dewan21@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

docker context import TLS Entry Handling results in OOM

1 participant