From 404e1a3a6c60203f237bb66718cc8a8e72cb7217 Mon Sep 17 00:00:00 2001 From: adityapk00 Date: Sun, 3 Feb 2019 12:53:25 -0800 Subject: [PATCH] Enforce message limits --- src/websockets.cpp | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/websockets.cpp b/src/websockets.cpp index cb410b9..6964e82 100644 --- a/src/websockets.cpp +++ b/src/websockets.cpp @@ -240,6 +240,12 @@ QString AppDataServer::decryptMessage(QJsonDocument msg, QString secretHex, bool QString noncehex = msg.object().value("nonce").toString(); QString encryptedhex = msg.object().value("payload").toString(); + // Enforce limits on the size of the message + if (noncehex.length() > crypto_secretbox_NONCEBYTES * 2 || + encryptedhex.length() > 2 * 50 * 1024 /*50kb*/) { + return "error"; + } + // Check to make sure that the nonce is greater than the last known remote nonce QString lastRemoteHex = getNonceHex(NonceType::REMOTE); unsigned char* lastRemoteBin = new unsigned char[crypto_secretbox_NONCEBYTES]; @@ -443,9 +449,8 @@ void AppDataServer::processSendTx(QJsonObject sendTx, MainWindow* mainwindow, QW // And send the Tx mainwindow->getRPC()->executeTransaction(tx, - [=] (QString opid) { - - }, + [=] (QString opid) {}, + // Submitted Tx successfully [=] (QString opid, QString txid) { auto r = QJsonDocument(QJsonObject{ {"version", 1.0}, @@ -455,6 +460,7 @@ void AppDataServer::processSendTx(QJsonObject sendTx, MainWindow* mainwindow, QW if (pClient->isValid()) pClient->sendTextMessage(encryptOutgoing(r)); }, + // Errored while submitting Tx [=] (QString opid, QString errStr) { auto r = QJsonDocument(QJsonObject{ {"version", 1.0},
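Review bot: In the decryptMessage hunk (@@ -240,6 +240,12 @@), the new nonce check only rejects a nonce that is too long, so an empty, short or odd-length `noncehex` still passes the guard and reaches the replay comparison against the last remote nonce. A secretbox nonce has exactly one valid size, so the guard should require it: `if (noncehex.length() != crypto_secretbox_NONCEBYTES * 2 || encryptedhex.length() > 2 * 50 * 1024 /*50kb*/) {`. The context below allocates `lastRemoteBin` with a bare `new unsigned char[crypto_secretbox_NONCEBYTES]`; if the received nonce is decoded into a buffer allocated the same way (not visible here), a short nonce would leave its tail uninitialised before the comparison. decryptMessage starts and ends outside the hunk, so the hex decoding and its handling of non-hex characters should be confirmed there.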