diff --git a/containerd.spec b/containerd.spec index cf7379fe6086e8ed0c9f1d94cf138d13bb75fc76..7ba149138859a12f833ef91b12c1c0efe8615879 100644 --- a/containerd.spec +++ b/containerd.spec @@ -2,7 +2,7 @@ %global debug_package %{nil} Version: 1.2.0 Name: containerd -Release: 215 +Release: 216 Summary: An industry-standard container runtime License: ASL 2.0 URL: https://containerd.io @@ -44,6 +44,12 @@ install -p -m 755 bin/ctr $RPM_BUILD_ROOT/%{_bindir}/ctr %{_bindir}/ctr %changelog +* Tue Feb 06 2024 zhongjiawei - 1.2.0-216 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:update vendored golang.org/x/net + * Tue Jan 30 2024 zhongjiawei - 1.2.0-215 - Type:CVE - ID:NA diff --git a/patch/0110-containerd-update-vendored-golang.org-x-net.patch b/patch/0110-containerd-update-vendored-golang.org-x-net.patch new file mode 100644 index 0000000000000000000000000000000000000000..dc90be3ace3d9a380caa34f428c6f814b631641e --- /dev/null +++ b/patch/0110-containerd-update-vendored-golang.org-x-net.patch @@ -0,0 +1,135 @@ +From 7ab94524b9c4f0d9ab767cc6c22afc9e451e67dc Mon Sep 17 00:00:00 2001 +From: zhongjiawei +Date: Tue, 6 Feb 2024 15:43:40 +0800 +Subject: [PATCH] containerd: update vendored golang.org/x/net + +--- + vendor/golang.org/x/net/http2/hpack/hpack.go | 79 ++++++++++++-------- + 1 file changed, 49 insertions(+), 30 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/hpack/hpack.go b/vendor/golang.org/x/net/http2/hpack/hpack.go +index 176644a..f56067e 100644 +--- a/vendor/golang.org/x/net/http2/hpack/hpack.go ++++ b/vendor/golang.org/x/net/http2/hpack/hpack.go +@@ -351,6 +351,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error { + + var hf HeaderField + wantStr := d.emitEnabled || it.indexed() ++ var undecodedName undecodedString + if nameIdx > 0 { + ihf, ok := d.at(nameIdx) + if !ok { +@@ -358,15 +359,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error { + } + hf.Name = ihf.Name + } else { +- hf.Name, buf, err = d.readString(buf, wantStr) ++ undecodedName, buf, err = d.readString(buf) + if err != nil { + return err + } + } +- hf.Value, buf, err = d.readString(buf, wantStr) ++ undecodedValue, buf, err := d.readString(buf) + if err != nil { + return err + } ++ if wantStr { ++ if nameIdx <= 0 { ++ hf.Name, err = d.decodeString(undecodedName) ++ if err != nil { ++ return err ++ } ++ } ++ hf.Value, err = d.decodeString(undecodedValue) ++ if err != nil { ++ return err ++ } ++ } + d.buf = buf + if it.indexed() { + d.dynTab.add(hf) +@@ -445,46 +458,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) { + return 0, origP, errNeedMore + } + +-// readString decodes an hpack string from p. ++// readString reads an hpack string from p. + // +-// wantStr is whether s will be used. If false, decompression and +-// []byte->string garbage are skipped if s will be ignored +-// anyway. This does mean that huffman decoding errors for non-indexed +-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server +-// is returning an error anyway, and because they're not indexed, the error +-// won't affect the decoding state. +-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) { ++// It returns a reference to the encoded string data to permit deferring decode costs ++// until after the caller verifies all data is present. ++func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) { + if len(p) == 0 { +- return "", p, errNeedMore ++ return u, p, errNeedMore + } + isHuff := p[0]&128 != 0 + strLen, p, err := readVarInt(7, p) + if err != nil { +- return "", p, err ++ return u, p, err + } + if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) { +- return "", nil, ErrStringLength ++ // Returning an error here means Huffman decoding errors ++ // for non-indexed strings past the maximum string length ++ // are ignored, but the server is returning an error anyway ++ // and because the string is not indexed the error will not ++ // affect the decoding state. ++ return u, nil, ErrStringLength + } + if uint64(len(p)) < strLen { +- return "", p, errNeedMore +- } +- if !isHuff { +- if wantStr { +- s = string(p[:strLen]) +- } +- return s, p[strLen:], nil ++ return u, p, errNeedMore + } ++ u.isHuff = isHuff ++ u.b = p[:strLen] ++ return u, p[strLen:], nil ++} + +- if wantStr { +- buf := bufPool.Get().(*bytes.Buffer) +- buf.Reset() // don't trust others +- defer bufPool.Put(buf) +- if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil { +- buf.Reset() +- return "", nil, err +- } ++type undecodedString struct { ++ isHuff bool ++ b []byte ++} ++ ++func (d *Decoder) decodeString(u undecodedString) (string, error) { ++ if !u.isHuff { ++ return string(u.b), nil ++ } ++ buf := bufPool.Get().(*bytes.Buffer) ++ buf.Reset() // don't trust others ++ var s string ++ err := huffmanDecode(buf, d.maxStrLen, u.b) ++ if err == nil { + s = buf.String() +- buf.Reset() // be nice to GC + } +- return s, p[strLen:], nil ++ buf.Reset() // be nice to GC ++ bufPool.Put(buf) ++ return s, err + } +-- +2.33.0 + diff --git a/series.conf b/series.conf index 946b70579c3f11c0f0c359a8f5cc9d894d9160e3..94530dd99bd6a441c58d4f858e5c602c1ac59474 100644 --- a/series.conf +++ b/series.conf @@ -111,3 +111,4 @@ patch/0106-containerd-Bump-ttrpc.patch patch/0107-containerd-Fix-missing-closed-fifo.patch patch/0108-containerd-Update-TTRPC-and-Protobuild-dependencies.patch patch/0109-containerd-Backport-net-http-regenerate-h2_bundle.go.patch +patch/0110-containerd-update-vendored-golang.org-x-net.patch