Reject non-canonically-encoded sizes

Tranz5 · Aug 21, 2014 · 70ecab0 · 70ecab0
1 parent 7924048
commit 70ecab0
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 7 deletions.
diff --git a/src/main.cpp b/src/main.cpp
@@ -3497,20 +3497,13 @@ bool static ProcessMessage(CNode* pfrom, string strCommand, CDataStream& vRecv)
     {
         vector<uint256> vWorkQueue;
         vector<uint256> vEraseQueue;
-        CDataStream vMsg(vRecv);
         CTxDB txdb("r");
         CTransaction tx;
         vRecv >> tx;
 
         CInv inv(MSG_TX, tx.GetHash());
         pfrom->AddInventoryKnown(inv);
 
-        // Truncate messages to the size of the tx in them
-        unsigned int nSize = ::GetSerializeSize(tx,SER_NETWORK, PROTOCOL_VERSION);
-        if (nSize < vMsg.size()){
-             vMsg.resize(nSize);
-        }
-
         bool fMissingInputs = false;
         if (tx.AcceptToMemoryPool(txdb, true, &fMissingInputs))
         {

diff --git a/src/serialize.h b/src/serialize.h
@@ -225,18 +225,24 @@ uint64 ReadCompactSize(Stream& is)
         unsigned short xSize;
         READDATA(is, xSize);
         nSizeRet = xSize;
+        if (nSizeRet < 253)
+            THROW_WITH_STACKTRACE(std::ios_base::failure("non-canonical ReadCompactSize()"));
     }
     else if (chSize == 254)
     {
         unsigned int xSize;
         READDATA(is, xSize);
         nSizeRet = xSize;
+        if (nSizeRet < 0x10000u)
+            THROW_WITH_STACKTRACE(std::ios_base::failure("non-canonical ReadCompactSize()"));
     }
     else
     {
         uint64 xSize;
         READDATA(is, xSize);
         nSizeRet = xSize;
+        if (nSizeRet < 0x100000000LLu)
+            THROW_WITH_STACKTRACE(std::ios_base::failure("non-canonical ReadCompactSize()"));
     }
     if (nSizeRet > (uint64)MAX_SIZE)
         THROW_WITH_STACKTRACE(std::ios_base::failure("ReadCompactSize() : size too large"));