From 2277df2a1eb685f85040ef98fa21d41aa4cdd389 Mon Sep 17 00:00:00 2001
From: Erik Johnston <erik@matrix.org>
Date: Wed, 26 Mar 2025 16:38:15 +0000
Subject: Fix GHSA-v56r-hwv5-mxg6 — Federation denial
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6

Federation denial of service via malformed events.
---
 synapse/api/constants.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'synapse/api/constants.py')

diff --git a/synapse/api/constants.py b/synapse/api/constants.py
index 9806e2b0fe..c564a8635a 100644
--- a/synapse/api/constants.py
+++ b/synapse/api/constants.py
@@ -29,8 +29,13 @@ from typing import Final
 # the max size of a (canonical-json-encoded) event
 MAX_PDU_SIZE = 65536
 
-# the "depth" field on events is limited to 2**63 - 1
-MAX_DEPTH = 2**63 - 1
+# Max/min size of ints in canonical JSON
+CANONICALJSON_MAX_INT = (2**53) - 1
+CANONICALJSON_MIN_INT = -CANONICALJSON_MAX_INT
+
+# the "depth" field on events is limited to the same as what
+# canonicaljson accepts
+MAX_DEPTH = CANONICALJSON_MAX_INT
 
 # the maximum length for a room alias is 255 characters
 MAX_ALIAS_LENGTH = 255
-- 
cgit 1.5.1