From 8e498e9e969be45ce6debef525017a733c9493c2 Mon Sep 17 00:00:00 2001
From: Mikel Cortes <45786396+cortze@users.noreply.github.com>
Date: Thu, 27 Jun 2024 11:00:36 +0200
Subject: [PATCH] Missing flood protection check for number of message IDs when handling `Ihave` messages (#560)

* check msgIDs in Ihave per topic
* remove coments as suggested
---
 gossipsub.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/gossipsub.go b/gossipsub.go
index aace055..a36049f 100644
--- a/gossipsub.go
+++ b/gossipsub.go
@@ -688,7 +688,6 @@ func (gs *GossipSubRouter) handleIHave(p peer.ID, ctl *pb.ControlMessage) []*pb.
 log.Debugf("IHAVE: peer %s has advertised too many times (%d) within this heartbeat interval; ignoring", p, gs.peerhave[p])
 return nil
 }
-
 if gs.iasked[p] >= gs.params.MaxIHaveLength {
 log.Debugf("IHAVE: peer %s has already advertised too many messages (%d); ignoring", p, gs.iasked[p])
 return nil
@@ -706,7 +705,14 @@ func (gs *GossipSubRouter) handleIHave(p peer.ID, ctl *pb.ControlMessage) []*pb.
 continue
 }
 
- for _, mid := range ihave.GetMessageIDs() {
+ checkIwantMsgsLoop:
+ for msgIdx, mid := range ihave.GetMessageIDs() {
+ // prevent remote peer from sending too many msg_ids on a single IHAVE message
+ if msgIdx >= gs.params.MaxIHaveLength {
+ log.Debugf("IHAVE: peer %s has sent IHAVE on topic %s with too many messages (%d); ignoring remaining msgs", p, topic, len(ihave.MessageIDs))
+ break checkIwantMsgsLoop
+ }
+
 if gs.p.seenMessage(mid) {
 continue
 }
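Review bot: The added `msgIdx >= gs.params.MaxIHaveLength` guard in the second hunk limits each IHAVE entry on its own, so the number of `seenMessage` lookups per control message still grows with the number of entries. The loop over those entries starts outside the hunk, so whether the entry count is bounded elsewhere cannot be confirmed from here. If it is not, a counter shared across entries would close the gap: declare `checked := 0` before the outer loop, then use `if checked >= gs.params.MaxIHaveLength { break }` followed by `checked++` in place of the index comparison. As a style point, the `checkIwantMsgsLoop` label is unnecessary because a bare `break` already exits the innermost `for`. The diffstat shows only gossipsub.go changed, so a regression test with an IHAVE carrying more than MaxIHaveLength IDs would be worth adding.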