client: Limit reads.

jholdstock · jholdstock · commit 94abc92c07c1 · 2026-04-23T09:29:45.000+08:00
An honest vspd should never return responses greater than 4MB.
diff --git a/client/client.go b/client/client.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2022-2025 The Decred developers
+// Copyright (c) 2022-2026 The Decred developers
 // Use of this source code is governed by an ISC
 // license that can be found in the LICENSE file.
 
@@ -210,7 +210,7 @@ func (c *Client) do(ctx context.Context, method, path string, addr stdaddr.Addre
 		}
 	}
 
-	respBody, err := io.ReadAll(reply.Body)
+	respBody, err := io.ReadAll(io.LimitReader(reply.Body, 1<<22)) // 4 MiB limit
 	if err != nil {
 		return fmt.Errorf("read response body: %w", err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-// Copyright (c) 2022-2025 The Decred developers`
	`1`	`+// Copyright (c) 2022-2026 The Decred developers`
`2`	`2`	`// Use of this source code is governed by an ISC`
`3`	`3`	`// license that can be found in the LICENSE file.`
`4`	`4`
`@@ -210,7 +210,7 @@ func (c *Client) do(ctx context.Context, method, path string, addr stdaddr.Addre`
`210`	`210`	`}`
`211`	`211`	`}`
`212`	`212`
`213`		`- respBody, err := io.ReadAll(reply.Body)`
	`213`	`+ respBody, err := io.ReadAll(io.LimitReader(reply.Body, 1<<22)) // 4 MiB limit`
`214`	`214`	`if err != nil {`
`215`	`215`	`return fmt.Errorf("read response body: %w", err)`
`216`	`216`	`}`