From 3c8181ade6f092e7fe0f4a39e54828186d66df30 Mon Sep 17 00:00:00 2001
From: Xuewei Niu <justxuewei@apache.org>
Date: Sat, 28 Oct 2023 16:40:28 +0800
Subject: [PATCH] fix(jsonrpc): Limit header size to avoid unexpected OOM

This patch limits the max size of header to 8Mib to avoid OOM issues.

Signed-off-by: Xuewei Niu <justxuewei@apache.org>
---
 protocol/jsonrpc/server.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/protocol/jsonrpc/server.go b/protocol/jsonrpc/server.go
index 4470cb277a..2b3e9a7699 100644
--- a/protocol/jsonrpc/server.go
+++ b/protocol/jsonrpc/server.go
@@ -57,6 +57,8 @@ const (
 	DefaultHTTPRspBufferSize = 1024
 	// PathPrefix ...
 	PathPrefix = byte('/')
+	// Max HTTP header size in Mib
+	MaxHeaderSize = 8 * 1024 * 1024
 )
 
 // Server is JSON RPC server wrapper
@@ -121,7 +123,7 @@ func (s *Server) handlePkg(conn net.Conn) {
 	}
 
 	for {
-		bufReader := bufio.NewReader(conn)
+		bufReader := bufio.NewReader(io.LimitReader(conn, MaxHeaderSize))
 		r, err := http.ReadRequest(bufReader)
 		if err != nil {
 			logger.Warnf("[ReadRequest] error: %v", err)