From ec84bf91f21ad173803dff1119c316f57314a832 Mon Sep 17 00:00:00 2001
From: Craig Tiller <ctiller@google.com>
Date: Fri, 2 Aug 2024 20:27:50 -0700
Subject: [PATCH] x

---
 BUILD                                   | 1 +
 src/core/tsi/fake_transport_security.cc | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/BUILD b/BUILD
index 9e4a4c70b87..a47ff800037 100644
--- a/BUILD
+++ b/BUILD
@@ -4037,6 +4037,7 @@ grpc_cc_library(
         "tsi_base",
         "//src/core:slice",
         "//src/core:useful",
+        "//src/core:dump_args",
     ],
 )
 
diff --git a/src/core/tsi/fake_transport_security.cc b/src/core/tsi/fake_transport_security.cc
index d32faac9e27..7d80dc5e3f6 100644
--- a/src/core/tsi/fake_transport_security.cc
+++ b/src/core/tsi/fake_transport_security.cc
@@ -28,6 +28,7 @@
 #include <grpc/support/port_platform.h>
 
 #include "src/core/lib/gprpp/crash.h"
+#include "src/core/lib/gprpp/dump_args.h"
 #include "src/core/lib/gprpp/memory.h"
 #include "src/core/lib/slice/slice_internal.h"
 #include "src/core/tsi/transport_security_grpc.h"
@@ -210,6 +211,8 @@ static tsi_result tsi_fake_frame_decode(const unsigned char* incoming_bytes,
     frame->offset += to_read_size;
     available_size -= to_read_size;
     frame->size = load32_little_endian(frame->data);
+    if (frame->size < 4) return TSI_DATA_CORRUPTED;
+    if (frame->size > 16 * 1024 * 1024) return TSI_DATA_CORRUPTED;
     tsi_fake_frame_ensure_size(frame);
   }