From 200fee61a828129b4e132feadb0bb3bc05343a67 Mon Sep 17 00:00:00 2001
From: tbjump <103955289+tbjump@users.noreply.github.com>
Date: Mon, 28 Nov 2022 10:23:34 -0600
Subject: [PATCH] node/p2p: enforce minimum heartbeat message length (#1958)

Co-authored-by: tbjump
---
 node/pkg/p2p/p2p.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/node/pkg/p2p/p2p.go b/node/pkg/p2p/p2p.go
index c3e3be4c6..691d05b08 100644
--- a/node/pkg/p2p/p2p.go
+++ b/node/pkg/p2p/p2p.go
@@ -443,6 +443,11 @@ func processSignedHeartbeat(from peer.ID, s *gossipv1.SignedHeartbeat, gs *node_
 
 	digest := heartbeatDigest(s.Heartbeat)
 
+	// SECURITY: see whitepapers/0009_guardian_key.md
+	if len(heartbeatMessagePrefix)+len(s.Heartbeat) < 34 {
+		return nil, fmt.Errorf("invalid message: too short")
+	}
+
 	pubKey, err := ethcrypto.Ecrecover(digest.Bytes(), s.Signature)
 	if err != nil {
 		return nil, errors.New("failed to recover public key")