From 88f0e89350a054ff3d664e1ee9553b2d7923e48d Mon Sep 17 00:00:00 2001
From: Luke Parker <lukeparker5132@gmail.com>
Date: Tue, 9 May 2023 23:45:05 -0400
Subject: [PATCH] Ensure Tributary commits are minimal

---
 coordinator/tributary/src/lib.rs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/coordinator/tributary/src/lib.rs b/coordinator/tributary/src/lib.rs
index 9a82aa4f..49a0c034 100644
--- a/coordinator/tributary/src/lib.rs
+++ b/coordinator/tributary/src/lib.rs
@@ -191,10 +191,17 @@ impl<D: Db, T: Transaction, P: P2p> Tributary<D, T, P> {
     }
 
     let block = TendermintBlock(block.serialize());
-    let Ok(commit) = Commit::<Arc<Validators>>::decode(&mut commit.as_ref()) else {
+    let mut commit_ref = commit.as_ref();
+    let Ok(commit) = Commit::<Arc<Validators>>::decode(&mut commit_ref) else {
       log::error!("sent an invalidly serialized commit");
       return false;
     };
+    // Storage DoS vector. We *could* truncate to solely the relevant portion, trying to save this,
+    // yet then we'd have to test the truncation was performed correctly.
+    if !commit_ref.is_empty() {
+      log::error!("sent an commit with additional data after it");
+      return false;
+    }
     if !self.network.verify_commit(block.id(), &commit) {
       log::error!("sent an invalid commit");
       return false;