From 41db8c4733b34d56834162c4d054823c240ffc92 Mon Sep 17 00:00:00 2001
From: "Wladimir J. van der Laan"
Date: Tue, 20 Oct 2015 11:35:10 +0200
Subject: http: Restrict maximum size of request line + headers

Prevent memory exhaustion by sending lots of data. Also add a test to `httpbasics.py`. Closes #6425
---
 src/httpserver.cpp | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'src')
diff --git a/src/httpserver.cpp b/src/httpserver.cpp
index 0a7f903e9f..8698abb900 100644
--- a/src/httpserver.cpp
+++ b/src/httpserver.cpp
@@ -38,6 +38,9 @@
 #include
 #include
+/** Maximum size of http request (request line + headers) */
+static const size_t MAX_HEADERS_SIZE = 8192;
+
 /** HTTP request work item */
 class HTTPWorkItem : public HTTPClosure {
@@ -414,6 +417,7 @@ bool InitHTTPServer()
 }
 evhttp_set_timeout(http, GetArg("-rpcservertimeout", DEFAULT_HTTP_SERVER_TIMEOUT));
+ evhttp_set_max_headers_size(http, MAX_HEADERS_SIZE);
 evhttp_set_max_body_size(http, MAX_SIZE);
 evhttp_set_gencb(http, http_request_cb, NULL);
--
cgit v1.2.3
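Review bot: The doc comment on `MAX_HEADERS_SIZE` in the first hunk gives neither the unit nor the reason for the bound, so a reader has to find the commit message to learn that it is a memory-exhaustion guard. I would write `/** Maximum size in bytes of an HTTP request line plus headers; caps what a peer can make libevent buffer before the request callback runs */`. The constant is declared `size_t` while libevent's `evhttp_set_max_headers_size` takes a signed `ev_ssize_t`; that is harmless at 8192 but worth keeping in mind if the value is ever made configurable.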
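Review bot: The cap added after `evhttp_set_timeout` in `InitHTTPServer` applies per request, so total buffered memory still scales with the number of simultaneous connections, and nothing in this hunk shows a bound on that. A comment at the call site would keep this visible: `// Per-request caps; total memory also depends on how many connections are open and on -rpcservertimeout`. The test named in the commit message is outside this path-limited view, so it is worth confirming that it covers both a request just over 8192 bytes being rejected and one just under it still being served. `InitHTTPServer` starts and ends outside the hunk.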