Limit the maximum WebSocket fragments capacity (#644)

* Limit the maximum fragments capacity
* Bump `parity-ws` to 0.11.1
* Limit the total size of fragmented websocket payloads

Author: koute

ws/Cargo.toml

@@ -16,7 +16,7 @@ jsonrpc-server-utils = { version = "18.0.0", path = "../server-utils" }
 log = "0.4"
 parking_lot = "0.11.0"
 slab = "0.4"
-parity-ws = "0.11"
+parity-ws = "0.11.1"
 
 [badges]
 travis-ci = { repository = "paritytech/jsonrpc", branch = "master"}

ws/src/server.rs

@@ -70,11 +70,16 @@ impl Server {
 			config.max_connections = max_connections;
 			// don't accept super large requests
 			config.max_fragment_size = max_payload_bytes;
+			config.max_total_fragments_size = max_payload_bytes;
 			config.in_buffer_capacity_hard_limit = max_in_buffer_capacity;
 			config.out_buffer_capacity_hard_limit = max_out_buffer_capacity;
 			// don't grow non-final fragments (to prevent DOS)
 			config.fragments_grow = false;
 			config.fragments_capacity = cmp::max(1, max_payload_bytes / config.fragment_size);
+			if config.fragments_capacity > 4096 {
+				config.fragments_capacity = 4096;
+				config.fragments_grow = true;
+			}
 			// accept only handshakes beginning with GET
 			config.method_strict = true;
 			// require masking