Cap state queue used by receiver, even if sender is malicious

2012-05-22 22:48:52 -04:00
parent 1cf12f9e9b
commit e5f8ed7579
1 changed files with 15 additions and 2 deletions
@@ -92,6 +92,21 @@ void Transport<MyState, RemoteState>::recv( void )
      return; /* this is security-sensitive and part of how we enforce idempotency */
    }
    
+    /* Do not accept state if our queue is full */
+    /* This is better than dropping states from the middle of the
+       queue (as sender does), because we don't want to ACK a state
+       and then discard it later. */
+
+    process_throwaway_until( inst.throwaway_num() );
+
+    if ( received_states.size() > 1024 ) { /* limit on state queue */
+      if ( verbose ) {
+	fprintf( stderr, "[%u] Receiver queue full, discarding %d (malicious sender or long-unidirectional connectivity?)\n",
+		 (unsigned int)(timestamp() % 100000), (int)inst.new_num() );
+      }
+      return;
+    }
+
    /* apply diff to reference state */
    TimestampedState<RemoteState> new_state = *reference_state;
    new_state.timestamp = timestamp();
@@ -101,8 +116,6 @@ void Transport<MyState, RemoteState>::recv( void )
      new_state.state.apply_string( inst.diff() );
    }

-    process_throwaway_until( inst.throwaway_num() );
-
    /* Insert new state in sorted place */
    for ( typename list< TimestampedState<RemoteState> >::iterator i = received_states.begin();
 	  i != received_states.end();