authorErik Johnston <erik@matrix.org>2025-03-26 16:38:15 +0000
committerAndrew Morgan <andrew@amorgan.xyz>2025-03-26 18:44:45 +0000
commit2277df2a1eb685f85040ef98fa21d41aa4cdd389 (patch)
treed973b5c4f11eaaeaf9c5c1545c210769ed0d13bd /synapse/api/constants.py
parent1.127.0 (diff)
downloadsynapse-2277df2a1eb685f85040ef98fa21d41aa4cdd389.tar.xz
Fix GHSA-v56r-hwv5-mxg6 — Federation denial
Fixes https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6

Federation denial of service via malformed events.
Diffstat (limited to 'synapse/api/constants.py')
-rw-r--r--synapse/api/constants.py9
1 files changed, 7 insertions, 2 deletions
diff --git a/synapse/api/constants.py b/synapse/api/constants.py

index 9806e2b0fe..c564a8635a 100644
--- a/synapse/api/constants.py
+++ b/synapse/api/constants.py
@@ -29,8 +29,13 @@ from typing import Final
 # the max size of a (canonical-json-encoded) event
 MAX_PDU_SIZE = 65536
 
-# the "depth" field on events is limited to 2**63 - 1
-MAX_DEPTH = 2**63 - 1
+# Max/min size of ints in canonical JSON
+CANONICALJSON_MAX_INT = (2**53) - 1
+CANONICALJSON_MIN_INT = -CANONICALJSON_MAX_INT
+
+# the "depth" field on events is limited to the same as what
+# canonicaljson accepts
+MAX_DEPTH = CANONICALJSON_MAX_INT
 
 # the maximum length for a room alias is 255 characters
 MAX_ALIAS_LENGTH = 255
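Review bot: The comment above `CANONICALJSON_MAX_INT` / `CANONICALJSON_MIN_INT` does not say whether the bounds are inclusive or where 2**53 - 1 comes from, and callers comparing against them have to choose between `<` and `<=`. I would spell it out, e.g. `# Canonical JSON integers must lie in [-(2**53) + 1, (2**53) - 1], inclusive: the range a double represents exactly`. `MAX_DEPTH` also drops from 2**63 - 1 to 2**53 - 1 here, so an event already stored with a depth between the two would presumably fail a depth check now; how such events are treated is not visible in this file section and is worth confirming. These lines only define the limits; the validation of events received over federation that uses them lives outside this file.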