Truncate oversize 'tx' messages before relaying/storing.

Fixes a memory exhaustion attack on low-memory peers.
petertodd authored and gavinandresen committed Jun 25, 2013
1 parent 2e01ec3 commit c40a5aaaf484855a4350fd702e8e72fd21a68155
Showing with 10 additions and 0 deletions.
  1. +10 −0 src/main.cpp
@@ -3567,6 +3567,16 @@ bool static ProcessMessage(CNode* pfrom, string strCommand, CDataStream& vRecv)
CInv inv(MSG_TX, tx.GetHash());
pfrom->AddInventoryKnown(inv);
+ // Truncate messages to the size of the tx in them
+ unsigned int nSize = ::GetSerializeSize(tx, SER_NETWORK, PROTOCOL_VERSION);
+ unsigned int oldSize = vMsg.size();
+ if (nSize < oldSize) {
+ vMsg.resize(nSize);
+ printf("truncating oversized TX %s (%u -> %u)\n",
+ tx.GetHash().ToString().c_str(),
+ oldSize, nSize);
+ }
+
bool fMissingInputs = false;
CValidationState state;
if (mempool.accept(state, tx, true, &fMissingInputs))
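
Review bot: The printf inside the `if (nSize < oldSize)` branch runs once for every oversized 'tx' message, and the size of each message is chosen by the remote peer (pfrom), so the branch that closes the memory issue leaves an unthrottled log line per padded message. Consider gating that log behind a debug setting or rate limiting it, and consider whether a peer that pads its 'tx' messages should be penalized, or the message dropped, instead of being silently truncated and handed on to mempool.accept. The comment "Truncate messages to the size of the tx in them" could also say why the trailing bytes matter (per the commit title, vMsg is what gets relayed and stored), since the hunk does not show where vMsg is declared or used.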
