Fix: Add nil checks for all Linux spec dereferences #398
Conversation
Signed-off-by: Yashika0724 <[email protected]>
✅ Deploy Preview for urunc canceled.
|
✅ Deploy Preview for urunc ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
Hi @cmainas , this PR adds minimal nil checks to prevent a panic when the OCI spec omits the linux field. |
|
Hello @Yashika0724 , these changes are in the same context as #396. Therefore, please merge them under one PR. For more information take a look in the contribution guide. |
|
This PR addresses #409. SummaryThe OCI runtime-spec defines Changes
These are defensive checks that improve robustness without changing behavior for existing |
cmainas
left a comment
cmainas
left a comment
There was a problem hiding this comment.
Hello @Yashika0724 ,
I think you forgot the checks from #396
Signed-off-by: Yashika0724 <[email protected]>
|
Thanks for the catch! |
cmainas
left a comment
cmainas
left a comment
There was a problem hiding this comment.
Hello @Yashika0724 ,
thank you for this fix.
Looking it a bit closer, we can make it much simpler. Urunc does not support any other platforms than Linux and hence instead of repeatedly checking if the field is not nil, we can check it once when we read the container's configuration and if it is not present fail the execution, reporting the respective error message.
|
Hi @Yashika0724, just checking in — are you still working on this update following the suggestion to validate the Linux spec early? |
|
Thanks for the feedback, that makes sense. |
Signed-off-by: Yashika0724 <[email protected]>
|
Thanks for the suggestion! Please let me know if this aligns with what you had in mind. |
cmainas
left a comment
cmainas
left a comment
There was a problem hiding this comment.
Hello @Yashika0724 ,
thank you for the changes, I have left one comment and we also need to add the check in the Get function https://github.com/urunc-dev/urunc/blob/main/pkg/unikontainers/unikontainers.go#L125
| // We just want to check if a mount namespace was defined in the list. | ||
| // Therefore, if there was no error and the mount namespace was found | ||
| // we can pivot. | ||
| _, err = findNS(u.Spec.Linux.Namespaces, specs.MountNamespace) |
There was a problem hiding this comment.
Please do not change the line for the function call, The comment was deliberately under the function.
3 participants
Summary
This PR fixes a nil pointer dereference that can occur during container creation when the OCI spec
does not include the linux section, which is valid per the OCI runtime specification.
Several code paths assume Spec.Linux is always present, including FormatNsenterInfo() which is
executed during CREATE. When the field is missing, urunc panics before reaching Exec().
This change adds defensive checks to safely handle optional OCI fields while preserving existing
behavior for valid specs.
Root Cause
The OCI spec defines linux as optional, but the runtime dereferenced Spec.Linux without nil
checks in namespace setup and execution paths, leading to a panic when the field is absent.
Fix Applied
Defensive nil checks were added before dereferencing Spec.Linux in:
• FormatNsenterInfo()
• relevant paths in Exec()
• joinSandboxNetNs()
Valid OCI specs continue to follow the same execution flow.
Impact
• Prevents runtime panics during CREATE
• Improves stability for malformed or incomplete OCI specs
• No change to intended runtime behavior