Merge pull request #260 from hermeznetwork/feature/api-fee-check

Check feeAmount overflow in API

api/txspool.go

@@ -163,6 +163,11 @@ func verifyPoolL2TxWrite(txw *l2db.PoolL2TxWrite) error {
 	if err != nil {
 		return err
 	}
+	// Validate feeAmount
+	_, err = common.CalcFeeAmount(poolTx.Amount, poolTx.Fee)
+	if err != nil {
+		return err
+	}
 	// Check signature
 	if !poolTx.VerifySignature(account.PublicKey) {
 		return errors.New("wrong signature")

api/txspool_test.go

@@ -205,14 +205,23 @@ func TestPoolTxs(t *testing.T) {
 		assert.Equal(t, tx.TxID, fetchedTxID)
 	}
 	// 400
-	// Wrong signature
+	// Wrong fee
 	badTx := tc.poolTxsToSend[0]
-	badTx.FromIdx = "hez:foo:1000"
+	badTx.Amount = "99999999999999999999999"
+	badTx.Fee = 255
 	jsonTxBytes, err := json.Marshal(badTx)
 	assert.NoError(t, err)
 	jsonTxReader := bytes.NewReader(jsonTxBytes)
 	err = doBadReq("POST", endpoint, jsonTxReader, 400)
 	assert.NoError(t, err)
+	// Wrong signature
+	badTx = tc.poolTxsToSend[0]
+	badTx.FromIdx = "hez:foo:1000"
+	jsonTxBytes, err = json.Marshal(badTx)
+	assert.NoError(t, err)
+	jsonTxReader = bytes.NewReader(jsonTxBytes)
+	err = doBadReq("POST", endpoint, jsonTxReader, 400)
+	assert.NoError(t, err)
 	// Wrong to
 	badTx = tc.poolTxsToSend[0]
 	ethAddr := "hez:0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"