The server/client applications communicate with each other using XML-formatted data over a TCP connection. This is awesome, since I don't have to worry about serializing/deserializing complex data.
To allow receiving the XML data, I prepend the XML document length (in bytes) to the data sent over the network socket; in this way the receiving application knows how much data to read before it can deserialize the XML-formatted data.
Now I'm trying to imagine possible security holes in a client/server application which uses this kind of messaging structure.
Apart from problems essentially related to the transported data, I think that the XML-formatted data protects the server from malicious messages. Isn't it? If the answer is true, the only question remaining is what happens if a malicious client sends me messages declaring a huge message size (by altering the integer inserted at the beginning of the message).
The result would be a DoS, since the ingenuous server processes a very, very large (legal) message...
Is it possible to avoid the 'message size' information? How can I prevent a DoS attack?
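One way to keep the length prefix while making it harmless, as an added example that is not code from the original post: validate the declared length against a hard cap before allocating or reading anything, and treat any violation as a reason to drop the connection. It assumes a 4-byte big-endian unsigned header, a hypothetical 64 KiB cap, and a constructed `FakeSocket` in place of a real TCP socket.

```python
import io
import struct
import xml.etree.ElementTree as ET

# Assumed frame layout: 4-byte big-endian unsigned length, then that many bytes of XML.
# Hypothetical cap: set it to the largest legitimate message the protocol carries.
MAX_FRAME_BYTES = 64 * 1024
HEADER = struct.Struct("!I")

class FrameError(Exception):
    """A frame broke the framing rules; the caller should drop the connection."""

def read_exact(stream, n):
    """Read exactly n bytes from a socket-like object; raise on early EOF."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.recv(n - len(buf))
        if not chunk:
            raise FrameError("peer closed mid-frame")
        buf += chunk
    return bytes(buf)

def read_frame(stream, max_bytes=MAX_FRAME_BYTES):
    """Read one length-prefixed XML frame. The declared length is checked
    before any body allocation, so a hostile header costs only 4 bytes of I/O."""
    (length,) = HEADER.unpack(read_exact(stream, HEADER.size))
    if length == 0 or length > max_bytes:
        raise FrameError(f"declared length {length} outside 1..{max_bytes}")
    try:
        return ET.fromstring(read_exact(stream, length))
    except ET.ParseError as exc:
        raise FrameError(f"malformed XML: {exc}") from exc

def encode_frame(xml_bytes):
    """Sender side: prefix the serialized document with its byte length."""
    return HEADER.pack(len(xml_bytes)) + xml_bytes

class FakeSocket:
    """Constructed stand-in for a TCP socket so the example runs offline."""
    def __init__(self, data):
        self._buf = io.BytesIO(data)
    def recv(self, n):
        return self._buf.read(n)

def process(data, max_bytes=MAX_FRAME_BYTES):
    """Return the root tag of an accepted frame, or 'rejected: ...' for a refused one."""
    try:
        return read_frame(FakeSocket(data), max_bytes).tag
    except FrameError as exc:
        return f"rejected: {exc}"
```

The cap handles the oversized-length case; a peer that declares a small length and then sends nothing is the other half of the problem, which `socket.settimeout()` on the real connection covers.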