From 7789bd2ffc787970f7a6c9588b08f621463a7f27 Mon Sep 17 00:00:00 2001
From: xenolf
Date: Fri, 18 Dec 2015 22:33:30 +0100
Subject: [PATCH] Limit OCSP answers to 1MB. fixes #56

---
 acme/crypto.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/acme/crypto.go b/acme/crypto.go
index 385a1119..16911f27 100644
--- a/acme/crypto.go
+++ b/acme/crypto.go
@@ -14,6 +14,7 @@ import (
 "encoding/pem"
 "errors"
 "fmt"
+ "io"
 "io/ioutil"
 "math/big"
 "net/http"
@@ -67,7 +68,7 @@ func GetOCSPForCert(bundle []byte) ([]byte, int, error) {
 }
 defer resp.Body.Close()
 
- issuerBytes, err := ioutil.ReadAll(resp.Body)
+ issuerBytes, err := ioutil.ReadAll(limitReader(resp.Body, 1024*1024))
 if err != nil {
 return nil, OCSPUnknown, err
 }
@@ -100,8 +101,8 @@ func GetOCSPForCert(bundle []byte) ([]byte, int, error) {
 return nil, OCSPUnknown, err
 }
 defer req.Body.Close()
-
- ocspResBytes, err := ioutil.ReadAll(req.Body)
+
+ ocspResBytes, err := ioutil.ReadAll(limitReader(req.Body, 1024*1024))
 ocspRes, err := ocsp.ParseResponse(ocspResBytes, issuerCert)
 if err != nil {
 return nil, OCSPUnknown, err
@@ -312,3 +313,7 @@ func generateDerCert(privKey *rsa.PrivateKey, expiration time.Time, domain strin
 return x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
 }
 
+
+func limitReader(rd io.ReadCloser, numBytes int64) io.ReadCloser {
+ return http.MaxBytesReader(nil, rd, numBytes)
+}
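Review bot: The 1024*1024 cap is a bare literal on the new issuerBytes line and again on the ocspResBytes line in the next hunk; the two reads should share one named constant so the limits cannot drift apart and the rationale lives in one place, e.g. `const maxOCSPResponseBytes = 1024 * 1024 // cap on issuer-certificate and OCSP response bodies` beside the file's other declarations, then `limitReader(resp.Body, maxOCSPResponseBytes)`. Wrapping the body before ioutil.ReadAll is the right shape here, because the error the capped reader returns is checked on the line just below, so an oversized issuer download is rejected rather than parsed. GetOCSPForCert begins and ends outside this hunk.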
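Review bot: The error from ioutil.ReadAll on the new ocspResBytes line is never examined: the following line `ocspRes, err := ocsp.ParseResponse(ocspResBytes, issuerCert)` reassigns err, so a body that trips the new 1 MB cap, or any other read failure, is handed to ParseResponse as a truncated byte slice and the caller only ever sees a parse error instead of the real cause. Add the same guard the issuer read already has, between the two lines: `if err != nil {` / `return nil, OCSPUnknown, err` / `}`. The variable named req is the http.Post response here, which makes the hunk harder to read; renaming it to resp is optional but would match the earlier read. GetOCSPForCert continues outside this hunk.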
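Review bot: limitReader has no doc comment, and the choice of http.MaxBytesReader over io.LimitReader is deliberate enough to deserve one, since a reader that fails past the cap (rather than silently truncating) is what turns the limit into a rejection instead of a corrupted response; suggested comment: `// limitReader caps rd at numBytes. Unlike io.LimitReader, a read past the cap returns an error instead of truncating, so an oversized issuer or OCSP body is rejected rather than parsed.` The nil http.ResponseWriter also warrants a one-line note, because MaxBytesReader is documented for server-side request bodies; as far as I can tell it only touches the writer through a type assertion to flag an oversized request, so nil appears tolerated, but that is worth confirming against the Go version the project targets. Be aware the resulting error text speaks of a "request body" even though this code is reading responses, which can mislead whoever reads the returned error.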