CVE-2026-39882.patch
From e20101e55c266784ee85ae43bb03f11aa4aca33f Mon Sep 17 00:00:00 2001
From: AllSpark <allspark@microsoft.com>
Date: Mon, 20 Apr 2026 06:05:54 +0000
Subject: [PATCH] vendor(otel): limit response body size for OTLP HTTP exporter
(backport of #8108)
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: AI Backport of https://raw.githubusercontent.com/microsoft/azurelinux/refs/heads/3.0-dev/SPECS/moby-engine/CVE-2026-39882.patch
---
.../otlp/otlptrace/otlptracehttp/client.go | 21 +++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
index 3b5f383..08f7331 100644
--- a/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
+++ b/vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp/client.go
@@ -41,6 +41,14 @@ import (
const contentTypeProto = "application/x-protobuf"
+// maxResponseBodySize is the maximum number of bytes to read from a response
+// body. It is set to 4 MiB per the OTLP specification recommendation to
+// mitigate excessive memory usage caused by a misconfigured or malicious
+// server. If exceeded, the response is treated as a not-retryable error.
+// This is a variable to allow tests to override it.
+var maxResponseBodySize int64 = 4 * 1024 * 1024
+
+
var gzPool = sync.Pool{
New: func() interface{} {
w := gzip.NewWriter(io.Discard)
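Review bot: The two consecutive `+` blank lines after the new `maxResponseBodySize` declaration are not gofmt-clean; gofmt collapses runs of blank lines to one, so drop one of them to keep the vendored file formatter-stable. The comment also states that 4 MiB is "per the OTLP specification recommendation" without citing where; if that justification is meant to stand in the backport, naming the spec section would make it checkable, otherwise `// 4 MiB: generous bound for OTLP partial-success/error bodies` is safer. The declaration sits at package scope, so nothing in this hunk is cut off.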
@@ -174,7 +182,11 @@ func (d *client) UploadTraces(ctx context.Context, protoSpans []*tracepb.Resourc
// Success, do not retry.
// Read the partial success message, if any.
var respData bytes.Buffer
- if _, err := io.Copy(&respData, resp.Body); err != nil {
+ if _, err := io.Copy(&respData, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {
+ var maxBytesErr *http.MaxBytesError
+ if errors.As(err, &maxBytesErr) {
+ return fmt.Errorf("response body too large: exceeded %d bytes", maxBytesErr.Limit)
+ }
return err
}
if respData.Len() == 0 {
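Review bot: `http.MaxBytesReader` is handed a nil ResponseWriter on the new copy line; as far as net/http goes this is tolerated (the writer is only type-asserted to flag an oversized server request), but the function is documented for incoming request bodies, so a one-line comment would spare the next reader the worry: `// nil ResponseWriter: this is a client response; MaxBytesReader only uses the writer for server-side bookkeeping.` The returned error also discards the underlying `*http.MaxBytesError`; wrapping it, `return fmt.Errorf("response body too large: exceeded %d bytes: %w", maxBytesErr.Limit, err)`, lets callers match it with errors.As while leaving the not-retryable outcome unchanged. `*http.MaxBytesError` requires Go 1.19 or newer, which this tree presumably satisfies. The enclosing UploadTraces begins and ends outside this hunk.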
@@ -203,7 +215,12 @@ func (d *client) UploadTraces(ctx context.Context, protoSpans []*tracepb.Resourc
sc == http.StatusServiceUnavailable,
sc == http.StatusGatewayTimeout:
// Retry-able failures. Drain the body to reuse the connection.
- if _, err := io.Copy(io.Discard, resp.Body); err != nil {
+ var respData bytes.Buffer
+ if _, err := io.Copy(&respData, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {
+ var maxBytesErr *http.MaxBytesError
+ if errors.As(err, &maxBytesErr) {
+ return fmt.Errorf("response body too large: exceeded %d bytes", maxBytesErr.Limit)
+ }
otel.Handle(err)
}
return newResponseError(resp.Header)
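Review bot: The retry path now copies the error body into a `respData` buffer that is never read, so a 503 with a large body costs up to 4 MiB of heap per attempt where the old code streamed it to io.Discard. Keep the cap but drop the buffer: delete `var respData bytes.Buffer` and change the copy to `if _, err := io.Copy(io.Discard, http.MaxBytesReader(nil, resp.Body, maxResponseBodySize)); err != nil {`. Once the limit trips the body is left undrained, so the comment's promise "Drain the body to reuse the connection" no longer holds on that path; the deferred Close will discard the connection, which is acceptable but worth noting in the comment. UploadTraces begins and ends outside this hunk.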
--
2.45.4