From 17e732c74118db46810f7fd8c30248e36189941b Mon Sep 17 00:00:00 2001
From: tbjump <103955289+tbjump@users.noreply.github.com>
Date: Mon, 28 Nov 2022 10:42:39 -0600
Subject: [PATCH] node/p2p: enforce ObservationRequest signature payload >= 34
 bytes (#1992)

Co-authored-by: tbjump <>
---
 node/pkg/p2p/p2p.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/node/pkg/p2p/p2p.go b/node/pkg/p2p/p2p.go
index 691d05b08..92da1c284 100644
--- a/node/pkg/p2p/p2p.go
+++ b/node/pkg/p2p/p2p.go
@@ -484,6 +484,11 @@ func processSignedObservationRequest(s *gossipv1.SignedObservationRequest, gs *n
 		pk = gs.Keys[idx]
 	}
 
+	// SECURITY: see whitepapers/0009_guardian_key.md
+	if len(signedObservationRequestPrefix)+len(s.ObservationRequest) < 34 {
+		return nil, fmt.Errorf("invalid observation request: too short")
+	}
+
 	digest := signedObservationRequestDigest(s.ObservationRequest)
 
 	pubKey, err := ethcrypto.Ecrecover(digest.Bytes(), s.Signature)