Merge pull request from GHSA-2qjp-425j-52j9

CRI stream server: Fix goroutine leak in Exec
2022-12-07 13:50:26 -08:00 · 2022-12-07 13:50:26 -08:00 · 241563be06
commit 241563be06
parent 5f845588a5 f012617edf
1 changed files with 12 additions and 3 deletions
--- a/pkg/cri/streaming/remotecommand/httpstream.go
+++ b/pkg/cri/streaming/remotecommand/httpstream.go
@ -33,6 +33,7 @@ limitations under the License.
 package remotecommand

 import (
+	gocontext "context"
 	"encoding/json"
 	"errors"
 	"fmt"
@ -132,7 +133,7 @@ func createStreams(req *http.Request, w http.ResponseWriter, opts *Options, supp

 	if ctx.resizeStream != nil {
 		ctx.resizeChan = make(chan remotecommand.TerminalSize)
-		go handleResizeEvents(ctx.resizeStream, ctx.resizeChan)
+		go handleResizeEvents(req.Context(), ctx.resizeStream, ctx.resizeChan)
 	}

 	return ctx, true
@ -425,7 +426,7 @@ WaitForStreams:
 // supportsTerminalResizing returns false because v1ProtocolHandler doesn't support it.
 func (*v1ProtocolHandler) supportsTerminalResizing() bool { return false }

-func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalSize) {
+func handleResizeEvents(ctx gocontext.Context, stream io.Reader, channel chan<- remotecommand.TerminalSize) {
 	defer runtime.HandleCrash()
 	defer close(channel)

@ -435,7 +436,15 @@ func handleResizeEvents(stream io.Reader, channel chan<- remotecommand.TerminalS
 		if err := decoder.Decode(&size); err != nil {
 			break
 		}
-		channel <- size
+
+		select {
+		case channel <- size:
+		case <-ctx.Done():
+			// To avoid leaking this routine, exit if the http request finishes. This path
+			// would generally be hit if starting the process fails and nothing is started to
+			// ingest these resize events.
+			return
+		}
 	}
 }