node/p2p: enforce ObservationRequest signature payload >= 34 bytes (#1992)

Co-authored-by: tbjump <>
2022-11-28 10:42:39 -06:00 · 2022-11-28 10:42:39 -06:00 · 17e732c741
parent 200fee61a8
commit 17e732c741
1 changed files with 5 additions and 0 deletions
--- a/node/pkg/p2p/p2p.go
+++ b/node/pkg/p2p/p2p.go
@ -484,6 +484,11 @@ func processSignedObservationRequest(s *gossipv1.SignedObservationRequest, gs *n
 		pk = gs.Keys[idx]
 	}

+	// SECURITY: see whitepapers/0009_guardian_key.md
+	if len(signedObservationRequestPrefix)+len(s.ObservationRequest) < 34 {
+		return nil, fmt.Errorf("invalid observation request: too short")
+	}
+
 	digest := signedObservationRequestDigest(s.ObservationRequest)

 	pubKey, err := ethcrypto.Ecrecover(digest.Bytes(), s.Signature)