Limit OCSP answers to 1MB.

fixes #56
go-acme · Dec 18, 2015 · 7789bd2 · 7789bd2
1 parent 3715351
commit 7789bd2
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/acme/crypto.go b/acme/crypto.go
@@ -14,6 +14,7 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"math/big"
 	"net/http"
@@ -67,7 +68,7 @@ func GetOCSPForCert(bundle []byte) ([]byte, int, error) {
 		}
 		defer resp.Body.Close()
 
-		issuerBytes, err := ioutil.ReadAll(resp.Body)
+		issuerBytes, err := ioutil.ReadAll(limitReader(resp.Body, 1024*1024))
 		if err != nil {
 			return nil, OCSPUnknown, err
 		}
@@ -100,8 +101,8 @@ func GetOCSPForCert(bundle []byte) ([]byte, int, error) {
 		return nil, OCSPUnknown, err
 	}
 	defer req.Body.Close()
-
-	ocspResBytes, err := ioutil.ReadAll(req.Body)
+	
+	ocspResBytes, err := ioutil.ReadAll(limitReader(req.Body, 1024*1024))
 	ocspRes, err := ocsp.ParseResponse(ocspResBytes, issuerCert)
 	if err != nil {
 		return nil, OCSPUnknown, err
@@ -312,3 +313,7 @@ func generateDerCert(privKey *rsa.PrivateKey, expiration time.Time, domain strin
 
 	return x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
 }
+
+func limitReader(rd io.ReadCloser, numBytes int64) io.ReadCloser {
+	return http.MaxBytesReader(nil, rd, numBytes)
+}