From e0c987f45a4b8e52799732177e5824032c4198c8 Mon Sep 17 00:00:00 2001
From: Wanwiset Peerapatanapokin
Date: Thu, 16 Oct 2025 12:16:14 +0400
Subject: [PATCH] impose size limit for DecodeBytesExtraFields (#1637)
---
 consensus/XDPoS/utils/utils.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/consensus/XDPoS/utils/utils.go b/consensus/XDPoS/utils/utils.go
index b7e80874b3..f620e0dae1 100644
--- a/consensus/XDPoS/utils/utils.go
+++ b/consensus/XDPoS/utils/utils.go
@@ -81,6 +81,11 @@ func DecodeBytesExtraFields(b []byte, val interface{}) error {
 if len(b) == 0 {
 return errors.New("extra field is 0 length")
 }
+ // Prevent payload attack, limit the size of extra field to 20k bytes. Normal Extrafield payload is less than 7k bytes.
+ if len(b) > 20000 {
+ return errors.New("extra field is too long")
+ }
+
 switch b[0] {
 case 2:
 return rlp.DecodeBytes(b[1:], val)
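Review bot: The new bound at `if len(b) > 20000` is a bare literal, and it counts the leading version byte `b[0]` together with the payload, which the comment does not say. A package-level `const maxExtraFieldSize = 20000 // bytes, including the leading version byte` used as `if len(b) > maxExtraFieldSize {` would give the limit one documented definition, and a boundary test (exactly 20000 and 20001 bytes) could then reference it; the patch touches only utils.go and adds no test. If this function is reached during block or header validation, which the hunk does not show, the length check becomes a validity rule that patched and unpatched nodes apply differently, so the rollout likely needs coordinating and the margin over the stated ~7k normal size should be checked against the largest payload the protocol can legitimately produce. The body of DecodeBytesExtraFields continues past the end of the hunk.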