From f90f14d0c1a02f7d51b5d5b1baa958e1f68a8ed3 Mon Sep 17 00:00:00 2001
From: ToniRamirezM
Date: Thu, 5 Nov 2020 12:15:47 +0100
Subject: [PATCH] Check feeAmount overflow in API
---
 api/txspool.go | 5 +++++
 api/txspool_test.go | 13 +++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/api/txspool.go b/api/txspool.go
index 8a43ee3..ba17fa2 100644
--- a/api/txspool.go
+++ b/api/txspool.go
@@ -163,6 +163,11 @@ func verifyPoolL2TxWrite(txw *l2db.PoolL2TxWrite) error {
 if err != nil {
 return err
 }
+ // Validate feeAmount
+ _, err = common.CalcFeeAmount(poolTx.Amount, poolTx.Fee)
+ if err != nil {
+ return err
+ }
 // Check signature
 if !poolTx.VerifySignature(account.PublicKey) {
 return errors.New("wrong signature")
diff --git a/api/txspool_test.go b/api/txspool_test.go
index 826bd90..4adb937 100644
--- a/api/txspool_test.go
+++ b/api/txspool_test.go
@@ -205,14 +205,23 @@ func TestPoolTxs(t *testing.T) {
 assert.Equal(t, tx.TxID, fetchedTxID)
 }
 // 400
- // Wrong signature
+ // Wrong fee
 badTx := tc.poolTxsToSend[0]
- badTx.FromIdx = "hez:foo:1000"
+ badTx.Amount = "99999999999999999999999"
+ badTx.Fee = 255
 jsonTxBytes, err := json.Marshal(badTx)
 assert.NoError(t, err)
 jsonTxReader := bytes.NewReader(jsonTxBytes)
 err = doBadReq("POST", endpoint, jsonTxReader, 400)
 assert.NoError(t, err)
+ // Wrong signature
+ badTx = tc.poolTxsToSend[0]
+ badTx.FromIdx = "hez:foo:1000"
+ jsonTxBytes, err = json.Marshal(badTx)
+ assert.NoError(t, err)
+ jsonTxReader = bytes.NewReader(jsonTxBytes)
+ err = doBadReq("POST", endpoint, jsonTxReader, 400)
+ assert.NoError(t, err)
 // Wrong to
 badTx = tc.poolTxsToSend[0]
 ethAddr := "hez:0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
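Review bot: The added fee check in verifyPoolL2TxWrite returns the error from `common.CalcFeeAmount` unchanged, and its comment `// Validate feeAmount` does not say what is rejected or why the computed value is thrown away. I would state the intent in the comment, e.g. `// Reject txs whose Amount and Fee produce a fee amount that overflows; only the error is needed here`, and consider returning an error that names the offending field, in the style of the neighbouring `errors.New("wrong signature")`. Placing the check before `VerifySignature` looks right, since out-of-range values are refused before the signature work is done. The function body starts and ends outside the hunk, so what produced the preceding `err` is not visible here.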
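Review bot: The new "Wrong fee" case asserts only status 400 through `doBadReq`, so it cannot tell the fee check apart from any other rejection. `badTx` is sent with a changed `Amount` and `Fee` but, as far as the hunk shows, without being re-signed, so the request would presumably still get 400 from the `wrong signature` path if the `CalcFeeAmount` check were removed. Asserting on the returned error message, or signing the modified tx before sending it, would pin the test to the overflow check; at minimum add `// NOTE: tx is not re-signed; a 400 here does not by itself prove the fee check fired`. TestPoolTxs starts and ends outside the hunk.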