From e5f8ed757948c4525b49778f89446c0a034862b4 Mon Sep 17 00:00:00 2001
From: Keith Winstein
Date: Tue, 22 May 2012 22:48:52 -0400
Subject: [PATCH] Cap state queue used by receiver, even if sender is malicious

---
 src/network/networktransport.cc | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/network/networktransport.cc b/src/network/networktransport.cc
index 3cef6d1..d3f1225 100644
--- a/src/network/networktransport.cc
+++ b/src/network/networktransport.cc
@@ -92,6 +92,21 @@ void Transport::recv( void )
     return; /* this is security-sensitive and part of how we enforce idempotency */
   }
 
+  /* Do not accept state if our queue is full */
+  /* This is better than dropping states from the middle of the
+     queue (as sender does), because we don't want to ACK a state
+     and then discard it later. */
+
+  process_throwaway_until( inst.throwaway_num() );
+
+  if ( received_states.size() > 1024 ) { /* limit on state queue */
+    if ( verbose ) {
+      fprintf( stderr, "[%u] Receiver queue full, discarding %d (malicious sender or long-unidirectional connectivity?)\n",
+               (unsigned int)(timestamp() % 100000), (int)inst.new_num() );
+    }
+    return;
+  }
+
   /* apply diff to reference state */
   TimestampedState new_state = *reference_state;
   new_state.timestamp = timestamp();
@@ -101,8 +116,6 @@ void Transport::recv( void )
     new_state.state.apply_string( inst.diff() );
   }
 
-  process_throwaway_until( inst.throwaway_num() );
-
   /* Insert new state in sorted place */
   for ( typename list< TimestampedState >::iterator i = received_states.begin();
         i != received_states.end();
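Review bot: The new guard `if ( received_states.size() > 1024 ) { /* limit on state queue */` hard-codes the cap and, with `>`, admits 1025 queued states before rejecting; a named constant and `>=` would make the bound explicit and keep it in step with whatever limit the sender side uses, e.g. `static const size_t MAX_RECEIVED_STATES = 1024;` and `if ( received_states.size() >= MAX_RECEIVED_STATES ) {`. Since `received_states` is a `std::list` (visible in the second hunk), `size()` is a linear walk on older libstdc++ builds, so this check costs up to the cap on every received packet — bounded, but worth a one-line comment or a maintained count if recv() is hot. In the verbose log line, `(int)inst.new_num()` narrows the sequence number and will print a misleading value if new_num() is wider than int; if that is the case, prefer `%llu` with `(unsigned long long)inst.new_num()`. Transport::recv() begins before the first hunk and continues past the second, so the surrounding control flow (in particular what happens to a state this path rejects) is not visible here.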