Labels are consistently validated across services

* The combined size of a key/value pair cannot exceed 4096 bytes

Signed-off-by: Jess Valarezo <valarezo.jessica@gmail.com>

metadata/content.go

@@ -10,6 +10,7 @@ import (
 	"github.com/containerd/containerd/content"
 	"github.com/containerd/containerd/errdefs"
 	"github.com/containerd/containerd/filters"
+	"github.com/containerd/containerd/labels"
 	"github.com/containerd/containerd/metadata/boltutil"
 	"github.com/containerd/containerd/namespaces"
 	digest "github.com/opencontainers/go-digest"
@@ -94,6 +95,9 @@ func (cs *contentStore) Update(ctx context.Context, info content.Info, fieldpath
 			// Set mutable fields
 			updated.Labels = info.Labels
 		}
+		if err := validateInfo(&updated); err != nil {
+			return err
+		}
 
 		updated.UpdatedAt = time.Now().UTC()
 		return writeInfo(&updated, bkt)
@@ -371,6 +375,10 @@ func (nw *namespacedWriter) commit(ctx context.Context, tx *bolt.Tx, size int64,
 			return err
 		}
 	}
+	if err := validateInfo(&base); err != nil {
+		return err
+	}
+
 	status, err := nw.Writer.Status()
 	if err != nil {
 		return err
@@ -446,6 +454,16 @@ func (cs *contentStore) checkAccess(ctx context.Context, dgst digest.Digest) err
 	})
 }
 
+func validateInfo(info *content.Info) error {
+	for k, v := range info.Labels {
+		if err := labels.Validate(k, v); err == nil {
+			return errors.Wrapf(err, "info.Labels")
+		}
+	}
+
+	return nil
+}
+
 func readInfo(info *content.Info, bkt *bolt.Bucket) error {
 	if err := boltutil.ReadTimestamps(bkt, &info.CreatedAt, &info.UpdatedAt); err != nil {
 		return err