fix(cchain): check length of publickey after unmarshal (#2121)

This PR adds a check for the size of the public key ensuring it is the expected secp256k1.PubKeySize (33) after unmarshaling the public key. This prevents unexpected panics. issue: none
omni-network · Oct 15, 2024 · abfa2f1 · abfa2f1
1 parent 5f67c64
commit abfa2f1
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/lib/cchain/types.go b/lib/cchain/types.go
@@ -8,6 +8,7 @@ import (
 	"github.com/omni-network/omni/lib/umath"
 
 	cmtcrypto "github.com/cometbft/cometbft/crypto"
+	k1 "github.com/cometbft/cometbft/crypto/secp256k1"
 
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/crypto"
@@ -101,6 +102,10 @@ func (v SDKValidator) ConsensusCmtAddr() (cmtcrypto.Address, error) {
 		return nil, errors.Wrap(err, "unmarshal consensus pubkey")
 	}
 
+	if len(pk.Bytes()) != k1.PubKeySize {
+		return nil, errors.New("invalid public key size")
+	}
+
 	return pk.Address(), nil
 }
 
@@ -112,6 +117,10 @@ func (v SDKValidator) ConsensusPublicKey() (*ecdsa.PublicKey, error) {
 		return nil, errors.Wrap(err, "unmarshal consensus pubkey")
 	}
 
+	if len(pk.Bytes()) != k1.PubKeySize {
+		return nil, errors.New("invalid public key size")
+	}
+
 	pubkey, err := crypto.DecompressPubkey(pk.Bytes())
 	if err != nil {
 		return nil, errors.Wrap(err, "decompress pubkey")