From 916e370575014f634e9ff8a27144a84c8827d20a Mon Sep 17 00:00:00 2001
From: Bruce Riley <bruce@wormholelabs.xyz>
Date: Tue, 21 Jan 2025 09:44:29 -0600
Subject: [PATCH] Limit TxID to 255 bytes and add test for it

---
 node/pkg/common/chainlock.go      |  6 +++---
 node/pkg/common/chainlock_test.go | 22 ++++++++++++++++++++++
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/node/pkg/common/chainlock.go b/node/pkg/common/chainlock.go
index 33b8c891f2..68ce3fa9e5 100644
--- a/node/pkg/common/chainlock.go
+++ b/node/pkg/common/chainlock.go
@@ -51,10 +51,10 @@ const minMsgLength = 88 // Marshalled length with empty payload
 func (msg *MessagePublication) Marshal() ([]byte, error) {
 	buf := new(bytes.Buffer)
 
-	if len(msg.TxID) > math.MaxUint32 {
+	if len(msg.TxID) > math.MaxUint8 {
 		return nil, fmt.Errorf("TxID too long")
 	}
-	vaa.MustWrite(buf, binary.BigEndian, uint32(len(msg.TxID)))
+	vaa.MustWrite(buf, binary.BigEndian, uint8(len(msg.TxID)))
 	buf.Write(msg.TxID)
 
 	vaa.MustWrite(buf, binary.BigEndian, uint32(msg.Timestamp.Unix()))
@@ -138,7 +138,7 @@ func UnmarshalMessagePublication(data []byte) (*MessagePublication, error) {
 
 	reader := bytes.NewReader(data[:])
 
-	txIdLen := uint32(0)
+	txIdLen := uint8(0)
 	if err := binary.Read(reader, binary.BigEndian, &txIdLen); err != nil {
 		return nil, fmt.Errorf("failed to read TxID len: %w", err)
 	}
diff --git a/node/pkg/common/chainlock_test.go b/node/pkg/common/chainlock_test.go
index b3ea0d6dcf..add2a03a03 100644
--- a/node/pkg/common/chainlock_test.go
+++ b/node/pkg/common/chainlock_test.go
@@ -164,6 +164,28 @@ func TestSerializeAndDeserializeOfMessagePublicationWithArbitraryTxID(t *testing
 	assert.Equal(t, payload1, payload2)
 }
 
+func TestTxIDStringTooLongShouldFail(t *testing.T) {
+	tokenBridgeAddress, err := vaa.StringToAddress("0x707f9118e33a9b8998bea41dd0d46f38bb963fc8")
+	require.NoError(t, err)
+
+	// This is limited to 255. Make it 256 and the marshal should fail.
+	txID := []byte("0123456789012345678901234567890123456789012345678901234567890123012345678901234567890123456789012345678901234567890123456789012301234567890123456789012345678901234567890123456789012345678901230123456789012345678901234567890123456789012345678901234567890123")
+
+	msg := &MessagePublication{
+		TxID:             txID,
+		Timestamp:        time.Unix(int64(1654516425), 0),
+		Nonce:            123456,
+		Sequence:         789101112131415,
+		EmitterChain:     vaa.ChainIDEthereum,
+		EmitterAddress:   tokenBridgeAddress,
+		Payload:          []byte("Hello, World!"),
+		ConsistencyLevel: 32,
+	}
+
+	_, err = msg.Marshal()
+	assert.ErrorContains(t, err, "TxID too long")
+}
+
 func TestSerializeAndDeserializeOfMessagePublicationWithBigPayload(t *testing.T) {
 	tokenBridgeAddress, err := vaa.StringToAddress("0x707f9118e33a9b8998bea41dd0d46f38bb963fc8")
 	require.NoError(t, err)