From f8327baf73193693e0f7fb6cdea169841d2f6ff0 Mon Sep 17 00:00:00 2001 From: Kagami Hiiragi Date: Sat, 7 Feb 2015 14:14:53 +0300 Subject: [PATCH] Check max message payload length Relates: Bitmessage/PyBitmessage#767 --- README.md | 2 +- lib/structs.js | 6 ++++-- tests/unit.js | 10 ++++++++++ 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index cbd5896..cd3ce7a 100644 --- a/README.md +++ b/README.md @@ -85,7 +85,7 @@ console.log("Deterministic Bitmessage address:", addr2.encode()); bitmessage - JavaScript Bitmessage library -Written in 2014 by Kagami Hiiragi +Written in 2014-2015 by Kagami Hiiragi To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty. diff --git a/lib/structs.js b/lib/structs.js index 6c9eb96..7e10a4c 100644 --- a/lib/structs.js +++ b/lib/structs.js @@ -118,7 +118,7 @@ var message = exports.message = { // Payload length. var payloadLength = buf.readUInt32BE(16, true); var msgLength = 24 + payloadLength; - // See also: . + // See: . if (payloadLength > 1600003) { res.error = new Error("Message is too large, skipping it"); if (buf.length > msgLength) { @@ -193,6 +193,7 @@ var message = exports.message = { // than default "utf-8" encoding. command = command.slice(0, firstNonNull).toString("ascii"); var payloadLength = buf.readUInt32BE(16, true); + assert(payloadLength <= 1600003, "Message payload is too big"); var length = 24 + payloadLength; assert(buf.length >= length, "Truncated payload"); var checksum = buf.slice(20, 24); @@ -217,6 +218,7 @@ var message = exports.message = { if (!payload) { payload = new Buffer(0); } + assert(payload.length <= 1600003, "Message payload is too big"); var buf = new Buffer(24 + payload.length); buf.fill(0); buf.writeUInt32BE(message.MAGIC, 0, true); 
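Review bot: The limit 1600003 is now written out three times in lib/structs.js: the existing `payloadLength > 1600003` check in the first hunk, the new assert in decode in this hunk, and the new assert in encode in the following hunk. If the protocol limit changes and one site is missed, the library could send payloads its own decoder rejects, or accept sizes the other paths refuse. A single named constant, for example `var MAX_PAYLOAD_LENGTH = 1600003;` with a one-line comment saying it is the largest payload accepted from or sent to a peer, used in all three comparisons, would keep them in step. Both functions begin and end outside these hunks, so any earlier length checks are not visible here.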
@@ -558,7 +560,7 @@ function inet_pton(str) { var buf = new Buffer(16); buf.fill(0); // IPv4-mapped IPv6. - if (str.indexOf("::ffff:") === 0) { + if (str.slice(0, 7) === "::ffff:") { str = str.slice(7); } // IPv4. diff --git a/tests/unit.js b/tests/unit.js index b8880f2..695d062 100644 --- a/tests/unit.js +++ b/tests/unit.js @@ -173,6 +173,16 @@ describe("Common structures", function() { expect(res.rest.readUInt32BE(0)).to.equal(message.MAGIC); expect(res).to.not.have.property("message"); }); + + it("should check for max payload length", function() { + var fn = message.encode.bind(null, "test", Buffer(2000000)); + expect(fn).to.throw(/payload is too big/i); + + var bigmsg = message.encode("test"); + bigmsg.writeUInt32BE(2000000, 16); + fn = message.decode.bind(null, bigmsg); + expect(fn).to.throw(/payload is too big/i); + }); }); describe("object", function() {
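Review bot: The prefix comparison in the new line `if (str.slice(0, 7) === "::ffff:")` is case-sensitive, as the indexOf form was. An address written as `::FFFF:1.2.3.4` would therefore not be recognised as IPv4-mapped, although hex digits in IPv6 text are case-insensitive. If callers do not already lower-case the string, `str.slice(0, 7).toLowerCase() === "::ffff:"` would cover it. The rest of inet_pton is outside the hunk, so how an unmatched string is handled afterwards cannot be seen from here.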
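Review bot: The new test in tests/unit.js exercises only 2000000, which is far above the limit, so an off-by-one in the `<= 1600003` comparisons in encode or decode would pass unnoticed. Two boundary cases on the encode side would pin the limit: `expect(message.encode.bind(null, "test", new Buffer(1600003))).to.not.throw();` and `expect(message.encode.bind(null, "test", new Buffer(1600004))).to.throw(/payload is too big/i);`.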