eth/gasprice: add query limit for FeeHistory to defend DDOS attack (e…

…thereum#29644) * eth/gasprice: add query limit for FeeHistory to defend DDOS attack * fix return values after cherry-pick --------- Co-authored-by: Eric <45141191+zlacfzy@users.noreply.github.com>
iotaledger · Jun 17, 2024 · 573c19b · 573c19b
1 parent 5934c0b
commit 573c19b
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/eth/gasprice/feehistory.go b/eth/gasprice/feehistory.go
@@ -44,6 +44,7 @@ const (
 	// maxBlockFetchers is the max number of goroutines to spin up to pull blocks
 	// for the fee history calculation (mostly relevant for LES).
 	maxBlockFetchers = 4
+	maxQueryLimit    = 100
 )
 
 // blockFees represents a single block for processing
@@ -240,6 +241,9 @@ func (oracle *Oracle) FeeHistory(ctx context.Context, blocks uint64, unresolvedL
 	if len(rewardPercentiles) != 0 {
 		maxFeeHistory = oracle.maxBlockHistory
 	}
+	if len(rewardPercentiles) > maxQueryLimit {
+		return common.Big0, nil, nil, nil, nil, nil, fmt.Errorf("%w: over the query limit %d", errInvalidPercentile, maxQueryLimit)
+	}
 	if blocks > maxFeeHistory {
 		log.Warn("Sanitizing fee history length", "requested", blocks, "truncated", maxFeeHistory)
 		blocks = maxFeeHistory