1 files changed, 54 insertions, 39 deletions

diff --git a/src/lib/merchant_api_get_products.c b/src/lib/merchant_api_get_products.c
index 21657cbd..c33e24c9 100644
--- a/src/lib/merchant_api_get_products.c
+++ b/src/lib/merchant_api_get_products.c
@@ -32,6 +32,12 @@
 
 
 /**
+ * Maximum number of products we return.
+ */
+#define MAX_PRODUCTS 1024
+
+
+/**
  * Handle for a GET /products operation.
  */
 struct TALER_MERCHANT_ProductsGetHandle
@@ -78,48 +84,57 @@ parse_products (const json_t *json,
                 struct TALER_MERCHANT_ProductsGetHandle *pgh)
 {
   unsigned int ies_len = json_array_size (ia);
-  struct TALER_MERCHANT_InventoryEntry ies[GNUNET_NZL (ies_len)];
-  size_t index;
-  json_t *value;
-  enum GNUNET_GenericReturnValue ret;
-
-  ret = GNUNET_OK;
-  json_array_foreach (ia, index, value) {
-    struct TALER_MERCHANT_InventoryEntry *ie = &ies[index];
-    struct GNUNET_JSON_Specification spec[] = {
-      GNUNET_JSON_spec_string ("product_id",
-                               &ie->product_id),
-      GNUNET_JSON_spec_uint64 ("product_serial",
-                               &ie->product_serial),
-      GNUNET_JSON_spec_end ()
-    };
-
-    if (GNUNET_OK !=
-        GNUNET_JSON_parse (value,
-                           spec,
-                           NULL, NULL))
-    {
-      GNUNET_break_op (0);
-      ret = GNUNET_SYSERR;
-      continue;
-    }
-    if (GNUNET_SYSERR == ret)
-      break;
+
+  if ( (json_array_size (ia) != (size_t)  ies_len) ||
+       (ies_len > MAX_PRODUCTS) )
+  {
+    GNUNET_break (0);
+    return GNUNET_SYSERR;
   }
-  if (GNUNET_OK == ret)
   {
-    struct TALER_MERCHANT_GetProductsResponse gpr = {
-      .hr.http_status = MHD_HTTP_OK,
-      .hr.reply = json,
-      .details.ok.products_length = ies_len,
-      .details.ok.products = ies
-    };
-
-    pgh->cb (pgh->cb_cls,
-             &gpr);
-    pgh->cb = NULL; /* just to be sure */
+    struct TALER_MERCHANT_InventoryEntry ies[GNUNET_NZL (ies_len)];
+    size_t index;
+    json_t *value;
+    enum GNUNET_GenericReturnValue ret;
+
+    ret = GNUNET_OK;
+    json_array_foreach (ia, index, value) {
+      struct TALER_MERCHANT_InventoryEntry *ie = &ies[index];
+      struct GNUNET_JSON_Specification spec[] = {
+        GNUNET_JSON_spec_string ("product_id",
+                                 &ie->product_id),
+        GNUNET_JSON_spec_uint64 ("product_serial",
+                                 &ie->product_serial),
+        GNUNET_JSON_spec_end ()
+      };
+
+      if (GNUNET_OK !=
+          GNUNET_JSON_parse (value,
+                             spec,
+                             NULL, NULL))
+      {
+        GNUNET_break_op (0);
+        ret = GNUNET_SYSERR;
+        continue;
+      }
+      if (GNUNET_SYSERR == ret)
+        break;
+    }
+    if (GNUNET_OK == ret)
+    {
+      struct TALER_MERCHANT_GetProductsResponse gpr = {
+        .hr.http_status = MHD_HTTP_OK,
+        .hr.reply = json,
+        .details.ok.products_length = ies_len,
+        .details.ok.products = ies
+      };
+
+      pgh->cb (pgh->cb_cls,
+               &gpr);
+      pgh->cb = NULL; /* just to be sure */
+    }
+    return ret;
   }
-  return ret;
 }