From 43780fe40c7b5a66cedf2562b13e78d308132fb4 Mon Sep 17 00:00:00 2001
From: Albin Kerouanton <albin.kerouanton@docker.com>
Date: Thu, 11 Dec 2025 11:07:42 +0100
Subject: [PATCH] daemon: disallow container port 0

Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>
---
 daemon/container.go   |  2 +-
 daemon/daemon_test.go | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/daemon/container.go b/daemon/container.go
index 4660584d18..0d136e3e62 100644
--- a/daemon/container.go
+++ b/daemon/container.go
@@ -335,7 +335,7 @@ func validateHealthCheck(healthConfig *containertypes.HealthConfig) error {
 
 func validatePortBindings(ports networktypes.PortMap) error {
 	for port := range ports {
-		if !port.IsValid() {
+		if !port.IsValid() || port.Num() == 0 {
 			return errors.Errorf("invalid port specification: %q", port.String())
 		}
 
diff --git a/daemon/daemon_test.go b/daemon/daemon_test.go
index cb6d224472..84d9c2b2a4 100644
--- a/daemon/daemon_test.go
+++ b/daemon/daemon_test.go
@@ -300,6 +300,18 @@ func TestValidateContainerIsolation(t *testing.T) {
 	assert.Check(t, is.Error(err, "invalid isolation 'invalid' on "+runtime.GOOS))
 }
 
+func TestInvalidContainerPort0(t *testing.T) {
+	d := Daemon{}
+
+	hc := containertypes.HostConfig{
+		PortBindings: map[network.Port][]network.PortBinding{
+			network.MustParsePort("0/tcp"): {},
+		},
+	}
+	_, err := d.verifyContainerSettings(&configStore{}, &hc, nil, false)
+	assert.Error(t, err, `invalid port specification: "0/tcp"`)
+}
+
 func TestFindNetworkErrorType(t *testing.T) {
 	d := Daemon{}
 	_, err := d.FindNetwork("fakeNet")