image: add import test for CVE-2017-14992

To ensure that we don't revert CVE-2017-14992, add a test that is quite similar to that upstream tar-split test (create an empty archive with lots of junk and make sure the daemon doesn't crash). Signed-off-by: Aleksa Sarai <asarai@suse.de>
2022-11-09 12:21:53 -05:00 · 2017-11-08 03:30:47 +11:00 · 2017-11-08 03:30:47 +11:00 · 0a13f827a1
commit 0a13f827a1
parent 2f8d3e1c33
1 changed files with 36 additions and 0 deletions
--- a/integration/image/import_test.go
+++ b/integration/image/import_test.go
@ -0,0 +1,36 @@
+package image
+
+import (
+	"archive/tar"
+	"bytes"
+	"context"
+	"io"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/integration/util/request"
+	"github.com/docker/docker/internal/testutil"
+)
+
+// Ensure we don't regress on CVE-2017-14992.
+func TestImportExtremelyLargeImageWorks(t *testing.T) {
+	client := request.NewAPIClient(t)
+
+	// Construct an empty tar archive with about 8GB of junk padding at the
+	// end. This should not cause any crashes (the padding should be mostly
+	// ignored).
+	var tarBuffer bytes.Buffer
+	tw := tar.NewWriter(&tarBuffer)
+	if err := tw.Close(); err != nil {
+		t.Fatal(err)
+	}
+	imageRdr := io.MultiReader(&tarBuffer, io.LimitReader(testutil.DevZero, 8*1024*1024*1024))
+
+	_, err := client.ImageImport(context.Background(),
+		types.ImageImportSource{Source: imageRdr, SourceName: "-"},
+		"test1234:v42",
+		types.ImageImportOptions{})
+	if err != nil {
+		t.Fatal(err)
+	}
+}