Enforce proxy protocol size limit earlier.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index 4b8604d2d6a7f04d978852c1463bc01633649ce0..d42bf4d227ce3335da3fc2f6f01653e421e554a8 100644 (file)
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -275,14 +275,18 @@ void TCPNameserver::doConnection(int fd, Logr::log_t slog)
       for (;;) {
         used = isProxyHeaderComplete(proxyData);
         if (used < 0) {
-          ssize_t origsize = proxyData.size();
-          proxyData.resize(origsize + -used);
+          size_t origsize = proxyData.size();
+          auto extra = static_cast<size_t>(-used);
+          if (origsize + extra > g_proxyProtocolMaximumSize) {
+            throw NetworkError("Error reading PROXYv2 header from TCP client "+remote.toString()+": PROXYv2 header too big");
+          }
+          proxyData.resize(origsize + extra);
           if (maxConnectionDurationReached(d_maxConnectionDuration, start, remainingTime)) {
             throw NetworkError("Error reading PROXYv2 header from TCP client "+remote.toString()+": maximum TCP connection duration exceeded");
           }
 
           try {
-            readnWithTimeout(fd, &proxyData[origsize], -used, d_idleTimeout, true, remainingTime);
+            readnWithTimeout(fd, &proxyData[origsize], extra, d_idleTimeout, true, remainingTime);
           }
           catch(NetworkError& ae) {
             throw NetworkError("Error reading PROXYv2 header from TCP client "+remote.toString()+": "+ae.what());