From 7cc960f8f57e7fe90ee7aa0ccd3e3c6c89ec5a25 Mon Sep 17 00:00:00 2001
From: Peter Todd
Date: Tue, 25 Jun 2013 09:57:59 -0400
Subject: Truncate oversize 'tx' messages before relaying/storing.

Fixes a memory exhaustion attack on low-memory peers.

---
 src/main.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/main.cpp b/src/main.cpp
index b7efac53b1..226d32295d 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -3508,6 +3508,16 @@ bool static ProcessMessage(CNode* pfrom, string strCommand, CDataStream& vRecv)
         CInv inv(MSG_TX, tx.GetHash());
         pfrom->AddInventoryKnown(inv);
 
+        // Truncate messages to the size of the tx in them
+        unsigned int nSize = ::GetSerializeSize(tx, SER_NETWORK, PROTOCOL_VERSION);
+        unsigned int oldSize = vMsg.size();
+        if (nSize < oldSize) {
+            vMsg.resize(nSize);
+            printf("truncating oversized TX %s (%u -> %u)\n",
+                tx.GetHash().ToString().c_str(),
+                oldSize, nSize);
+        }
+
         bool fMissingInputs = false;
         CValidationState state;
         if (tx.AcceptToMemoryPool(state, true, true, &fMissingInputs))
-- 
cgit v1.2.3
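Review bot: The truncation keeps relaying the peer's raw bytes (`vMsg`, a copy of the received buffer) rather than the node's own serialization, so the bytes handed on still depend on what the peer sent; since `nSize` is already the canonical serialized size, rebuilding the relay payload with `CDataStream ss(SER_NETWORK, PROTOCOL_VERSION); ss << tx;` would make the forwarded bytes independent of the input and remove the need for `resize` entirely. The comment on the added block should also say why, not just what, e.g. `// vMsg holds the raw message; any bytes past the tx's serialized size are padding a peer could use to bloat what we store and relay, so drop them before the tx is cached or forwarded`. A well-behaved peer never appends trailing bytes to a 'tx' message, so this condition is presumably a candidate for the node's misbehavior scoring rather than a log line only — worth confirming against how other malformed messages are handled in this function. `unsigned int oldSize = vMsg.size();` narrows from `size_t`; harmless if message sizes are bounded upstream, but `size_t` would avoid the implicit conversion. ProcessMessage continues outside the hunk on both sides.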