From ed3e7b0d85276f0e8fc70416e286fe0e50f6c962 Mon Sep 17 00:00:00 2001
From: Daniel Canter
Date: Fri, 13 May 2022 11:06:26 -0700
Subject: [PATCH 1/2] Fix nil deref if no shim options were specified This fixes a nil deref possible if no shim options for the runtime specified were supplied. For example: [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runhcs-wcow-process.options] vs. [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runhcs-wcow-process.options] SandboxIsolation = 0
Signed-off-by: Daniel Canter
---
 cmd/containerd-shim-runhcs-v1/service_internal.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/containerd-shim-runhcs-v1/service_internal.go b/cmd/containerd-shim-runhcs-v1/service_internal.go
index d216bb626c..7b609c34e3 100644
--- a/cmd/containerd-shim-runhcs-v1/service_internal.go
+++ b/cmd/containerd-shim-runhcs-v1/service_internal.go
@@ -107,7 +107,7 @@ func (s *service) createInternal(ctx context.Context, req *task.CreateTaskReques
 // If sandbox isolation is set to hypervisor, make sure the HyperV option
 // is filled in. This lessens the burden on Containerd to parse our shims
 // options if we can set this ourselves.
- if shimOpts.SandboxIsolation == runhcsopts.Options_HYPERVISOR {
+ if shimOpts != nil && shimOpts.SandboxIsolation == runhcsopts.Options_HYPERVISOR {
 if spec.Windows == nil {
 spec.Windows = &specs.Windows{}
 }
From 4b0be661ea8c4aa6b0bbbb0b14baa35715a1ca81 Mon Sep 17 00:00:00 2001
From: Daniel Canter
Date: Tue, 17 May 2022 06:09:43 -0700
Subject: [PATCH 2/2] pr feedback Change initialization of shim options so we don't need to check nil
Signed-off-by: Daniel Canter
---
 cmd/containerd-shim-runhcs-v1/service_internal.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cmd/containerd-shim-runhcs-v1/service_internal.go b/cmd/containerd-shim-runhcs-v1/service_internal.go
index 7b609c34e3..09bbf8cea5 100644
--- a/cmd/containerd-shim-runhcs-v1/service_internal.go
+++ b/cmd/containerd-shim-runhcs-v1/service_internal.go @@ -75,7 +75,7 @@ func (s *service) stateInternal(ctx context.Context, req *task.StateRequest) (*t func (s *service) createInternal(ctx context.Context, req *task.CreateTaskRequest) (*task.CreateTaskResponse, error) { setupDebuggerEvent() - var shimOpts *runhcsopts.Options + shimOpts := &runhcsopts.Options{} if req.Options != nil { v, err := typeurl.UnmarshalAny(req.Options) if err != nil { @@ -107,7 +107,7 @@ func (s *service) createInternal(ctx context.Context, req *task.CreateTaskReques // If sandbox isolation is set to hypervisor, make sure the HyperV option // is filled in. This lessens the burden on Containerd to parse our shims // options if we can set this ourselves. - if shimOpts != nil && shimOpts.SandboxIsolation == runhcsopts.Options_HYPERVISOR { + if shimOpts.SandboxIsolation == runhcsopts.Options_HYPERVISOR { if spec.Windows == nil { spec.Windows = &specs.Windows{} }
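Review bot: With `shimOpts := &runhcsopts.Options{}` a create request that carries no options can no longer be told apart from one that sets every field to its zero value, and nothing at the declaration says so. For `SandboxIsolation` the zero value is the one the first commit message shows for the `runhcs-wcow-process` runtime (`SandboxIsolation = 0`), so a runtime entry with an empty options table appears to be handled as process isolation and the hypervisor block further down is skipped without any trace. I would record that at the declaration, e.g. `// Start from zero-value options so later reads never hit a nil pointer; a request without options is treated as the defaults (SandboxIsolation 0).`, and consider logging when `req.Options` is nil so an unintended fallback to the weaker isolation mode shows up in the shim log. createInternal's body continues outside the hunk.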
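Review bot: Removing the `shimOpts != nil` guard in the `-107,7` hunk is only safe while nothing between the new initialization and this line can store nil in `shimOpts`, and the assignment that follows `typeurl.UnmarshalAny` is not visible in either hunk. If that assignment is a bare type assertion, a checked form such as `opts, ok := v.(*runhcsopts.Options)` with an error return when `!ok || opts == nil` would keep a malformed create request from panicking the shim. A regression test that calls createInternal with `req.Options == nil` would pin the crash this series fixes. The function's body starts and ends outside the hunk.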