From c89f5f3f3f93ca3c671ce1a61ea55b5563226136 Mon Sep 17 00:00:00 2001
From: Max Lv
Date: Mon, 30 Jan 2017 19:03:41 +0800
Subject: [PATCH] Limit the max payload length to 0x3FFF
---
 src/aead.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/aead.c b/src/aead.c
index cbdea5a4..36735631 100644
--- a/src/aead.c
+++ b/src/aead.c
@@ -54,6 +54,7 @@
 #endif
 #define CHUNK_SIZE_LEN 2
+#define CHUNK_SIZE_MASK 0X3FFF
 /*
 * This is SIP004 proposed by @Mygod, the design of TCP chunk is from @breakwa11 and
@@ -499,10 +500,12 @@ static int
 aead_chunk_encrypt(cipher_ctx_t *ctx, uint8_t *p, uint8_t *c, uint8_t *n, uint16_t plen, size_t nlen, size_t tlen)
 {
+ assert(plen + tlen < CHUNK_SIZE_MASK);
+ int err;
 size_t clen;
 uint8_t len_buf[CHUNK_SIZE_LEN];
- uint16_t t = ntohs(plen + tlen);
+ uint16_t t = ntohs((plen + tlen) & CHUNK_SIZE_MASK);
 memcpy(len_buf, &t, CHUNK_SIZE_LEN);
 clen = CHUNK_SIZE_LEN + tlen;
@@ -597,6 +600,7 @@ aead_chunk_decrypt(cipher_ctx_t *ctx, uint8_t *p, uint8_t *c, uint8_t *n,
 assert(*plen == CHUNK_SIZE_LEN);
 mlen = htons(*(uint16_t *)len_buf);
+ mlen = mlen & CHUNK_SIZE_MASK;
 size_t chunk_len = tlen + CHUNK_SIZE_LEN + mlen;
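Review bot: The added `assert(plen + tlen < CHUNK_SIZE_MASK);` in aead_chunk_encrypt is the only length guard, and it is compiled out under NDEBUG. In such a build the `& CHUNK_SIZE_MASK` on the `uint16_t t` line would silently write a truncated length into `len_buf`, and if the rest of the function (outside this hunk) still encrypts the full payload, the peer would mis-frame the stream. I would make the limit a runtime check, `if (plen + tlen > CHUNK_SIZE_MASK)`, that returns this module's error code, so release builds fail closed instead of aborting or truncating. The assert's `<` also rejects a length of exactly 0x3FFF, which the subject line names as the allowed maximum, so `<=` looks intended. The conversion on the write side is spelled `ntohs` where `htons` is meant; the result is the same, but the name misleads readers.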
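Review bot: In aead_chunk_decrypt the new `mlen = mlen & CHUNK_SIZE_MASK;` silently discards the top two bits of the peer-supplied length instead of treating a value with those bits set as malformed, and nothing in the hunk says which behaviour is intended. If ignoring them is deliberate, a comment such as `/* top two bits of the length field are reserved and ignored */` would record that. If not, the stricter form is `if (mlen & ~CHUNK_SIZE_MASK)` followed by an error return. The mask does cap `chunk_len` at `tlen + CHUNK_SIZE_LEN + 0x3FFF`, but whether the destination buffer is sized for that bound is decided outside this hunk and is worth confirming.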