tlv: fix panic with large length

This commit fixes a panic where a large length in a record could cause the DVarBytes function to fail to allocate a byte slice.
satindergrewal · Aug 21, 2019 · dfd1b38 · dfd1b38
1 parent c4ba557
commit dfd1b38
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/tlv/stream.go b/tlv/stream.go
@@ -6,12 +6,18 @@ import (
 	"io"
 	"io/ioutil"
 	"math"
+
+	"github.com/lightningnetwork/lnd/lnwire"
 )
 
 // ErrStreamNotCanonical signals that a decoded stream does not contain records
 // sorting by monotonically-increasing type.
 var ErrStreamNotCanonical = errors.New("tlv stream is not canonical")
 
+// ErrRecordTooLarge signals that a decoded record has a length that is too
+// long to parse.
+var ErrRecordTooLarge = errors.New("record is too large")
+
 // ErrUnknownRequiredType is an error returned when decoding an unknown and even
 // type from a Stream.
 type ErrUnknownRequiredType Type
@@ -183,6 +189,10 @@ func (s *Stream) Decode(r io.Reader) error {
 			return err
 		}
 
+		if length > lnwire.MaxMessagePayload {
+			return ErrRecordTooLarge
+		}
+
 		// Search the records known to the stream for this type. We'll
 		// begin the search and recordIdx and walk forward until we find
 		// it or the next record's type is larger.