Why this matters
The bug. Rust's += panics on overflow in debug builds but *silently wraps* in release builds by default. An attacker who can send many small chunks summing to 2^32 makes total look like ~0, and your if total > limit guard waves them through.
The fix. Use saturating_add (clamps to u32::MAX) or checked_add (returns None, lets you reject the input). The compiler can't choose for you — saturating_add is right for 'cap the total', checked_add for 'reject overflow'.
Why this bug ships. Tests run in debug, where the panic catches it. Running CI in release mode plus property-based tests with large inputs would catch this; most projects don't do this.
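The three behaviours side by side, as an added example that is not code from the original page. The function names, the 1 MiB LIMIT and the chunk sizes are constructed for illustration, and wrapping_add stands in for what += does in a default release build so the result is the same in debug builds.

```rust
/// Constructed limit for the example: 1 MiB of total payload.
const LIMIT: u32 = 1 << 20;

/// The buggy accumulator. `wrapping_add` reproduces what `total += len`
/// does in a default release build, without panicking in debug builds.
fn accepts_wrapping(chunk_lens: &[u32]) -> bool {
    let mut total: u32 = 0;
    for &len in chunk_lens {
        total = total.wrapping_add(len);
    }
    total <= LIMIT // the `if total > limit` guard, inverted
}

/// "Cap the total": the sum sticks at u32::MAX, so the guard still fires.
fn accepts_saturating(chunk_lens: &[u32]) -> bool {
    let total = chunk_lens
        .iter()
        .fold(0u32, |acc, &len| acc.saturating_add(len));
    total <= LIMIT
}

/// "Reject overflow": None means the sum does not fit in a u32 at all.
fn checked_total(chunk_lens: &[u32]) -> Option<u32> {
    chunk_lens
        .iter()
        .try_fold(0u32, |acc, &len| acc.checked_add(len))
}

/// Accept only when the sum is representable and within the limit.
fn accepts_checked(chunk_lens: &[u32]) -> bool {
    matches!(checked_total(chunk_lens), Some(total) if total <= LIMIT)
}

fn main() {
    // Constructed input: 65,536 chunks of 65,536 bytes sum to exactly 2^32.
    let hostile = vec![1u32 << 16; 1 << 16];
    println!("wrapping accepts:   {}", accepts_wrapping(&hostile));
    println!("saturating accepts: {}", accepts_saturating(&hostile));
    println!("checked total:      {:?}", checked_total(&hostile));
    println!("checked accepts:    {}", accepts_checked(&hostile));
}
```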
Review heuristic
Any arithmetic on a number that came from input, including a length, a count, or a timestamp, should be reviewed for what happens at the type's max value. A 32-bit byte counter overflows after 4 GB.
External reference: CWE-190: Integer Overflow or Wraparound.
↳ CWE-190; classic Rust release-mode footgun.