From 8a8a10b7f2864827730225328a61278183c093a5 Mon Sep 17 00:00:00 2001

From: Valentin Rothberg <rothberg@redhat.com>

Date: Mon, 2 Mar 2020 15:45:54 +0100

Subject: [PATCH] pull: don't continue when exceeding max size

When hitting an error that we exceeded the maximum allowed size, do not

continue to the next pull endpoint and let the error bubble up the stack

to the client.  This way, we correctly report the error and do not hide

it in the logs.

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

---

 distribution/errors.go | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/distribution/errors.go b/distribution/errors.go

index b8cf9fb9e803..b0dccd01b079 100644

--- a/distribution/errors.go

+++ b/distribution/errors.go

@@ -113,6 +113,12 @@ func continueOnError(err error) bool {

 	case ImageConfigPullError:

 		return false

 	case error:

+		if strings.Contains(err.Error(), "exceeded maximum allowed size of ") {

+			// This error comes from c/image and protects against CVE-2020-1702.

+			// We should not continue on this error and let it bubble up to the

+			// client.

+			return false

+		}

 		return !strings.Contains(err.Error(), strings.ToLower(syscall.ENOSPC.Error()))

 	}

 	// let's be nice and fallback if the error is a completely