ethapi: reject oversize storage keys before hex decode (#32750)

MatusKysel · lightclient · web-flow · commit 2e2fece0bb43 · 2025-09-26T07:12:28.000-06:00
Bail out of decodeHash when the raw hex string is longer than 32 byte before actually decoding.
---------

Co-authored-by: lightclient &lt;lightclient@protonmail.com&gt;
diff --git a/internal/ethapi/api.go b/internal/ethapi/api.go
@@ -449,13 +449,13 @@ func decodeHash(s string) (h common.Hash, inputLength int, err error) {
 	if (len(s) & 1) > 0 {
 		s = "0" + s
 	}
+	if len(s) > 64 {
+		return common.Hash{}, len(s) / 2, errors.New("hex string too long, want at most 32 bytes")
+	}
 	b, err := hex.DecodeString(s)
 	if err != nil {
 		return common.Hash{}, 0, errors.New("hex string invalid")
 	}
-	if len(b) > 32 {
-		return common.Hash{}, len(b), errors.New("hex string too long, want at most 32 bytes")
-	}
 	return common.BytesToHash(b), len(b), nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -449,13 +449,13 @@ func decodeHash(s string) (h common.Hash, inputLength int, err error) {`
`449`	`449`	`if (len(s) & 1) > 0 {`
`450`	`450`	`s = "0" + s`
`451`	`451`	`}`
	`452`	`+ if len(s) > 64 {`
	`453`	`+ return common.Hash{}, len(s) / 2, errors.New("hex string too long, want at most 32 bytes")`
	`454`	`+ }`
`452`	`455`	`b, err := hex.DecodeString(s)`
`453`	`456`	`if err != nil {`
`454`	`457`	`return common.Hash{}, 0, errors.New("hex string invalid")`
`455`	`458`	`}`
`456`		`- if len(b) > 32 {`
`457`		`- return common.Hash{}, len(b), errors.New("hex string too long, want at most 32 bytes")`
`458`		`- }`
`459`	`459`	`return common.BytesToHash(b), len(b), nil`
`460`	`460`	`}`
`461`	`461`