Don't exceed the RFC limit of 50 sets

flowerysong · Oct 7, 2024 · 2d45099 · 2d45099
1 parent a071684
commit 2d45099
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/libopenarc/arc.c b/libopenarc/arc.c
@@ -2920,6 +2920,19 @@ arc_eoh(ARC_MESSAGE *msg)
 
 	msg->arc_nsets = nsets;
 
+	if (nsets > 50) {
+		/* RFC 8617 5.2 Validator Actions
+		 * The maximum number of ARC Sets that can be attached to a
+		 * message is 50. If more than the maximum number exist, the
+		 * Chain Validation Status is "fail", and the algorithm stops
+		 * here.
+		 */
+		arc_error(msg, "Too many ARC sets: %u", nsets);
+		msg->arc_cstate = ARC_CHAIN_FAIL;
+		msg->arc_infail = TRUE;
+		return ARC_STAT_SYNTAX;
+	}
+
 	/* build up the array of ARC sets, for use later */
 	if (nsets > 0)
 	{
@@ -3241,6 +3254,12 @@ arc_getseal(ARC_MESSAGE *msg, ARC_HDRFIELD **seal, char *authservid,
 		return ARC_STAT_OK;
 	}
 
+	/* If there are already 50 sets we can't add anything */
+	if (msg->arc_nsets >= 50) {
+		*seal = NULL;
+		return ARC_STAT_OK;
+	}
+
 	/* copy required stuff */
 	msg->arc_domain = domain;
 	msg->arc_selector = selector;