From 3fed0c54fae53a919f9218a8ea3d92b2c50d16e6 Mon Sep 17 00:00:00 2001
From: terence tsao <terence@prysmaticlabs.com>
Date: Tue, 20 Oct 2020 12:04:44 -0700
Subject: [PATCH 1/2] Check length

---
 beacon-chain/rpc/beacon/validators.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/beacon-chain/rpc/beacon/validators.go b/beacon-chain/rpc/beacon/validators.go
index 3ea251ff7a0..5641e972c09 100644
--- a/beacon-chain/rpc/beacon/validators.go
+++ b/beacon-chain/rpc/beacon/validators.go
@@ -162,6 +162,10 @@ func (bs *Server) ListValidatorBalances(
 		}, nil
 	}
 
+	if end > len(res) || end < start {
+		return nil, status.Error(codes.OutOfRange, "Request exceeds response length")
+	}
+
 	return &ethpb.ValidatorBalances{
 		Epoch:         requestedEpoch,
 		Balances:      res[start:end],

From ac635fbc846725d271bb5359bcbea545183e369e Mon Sep 17 00:00:00 2001
From: terence tsao <terence@prysmaticlabs.com>
Date: Tue, 20 Oct 2020 13:05:00 -0700
Subject: [PATCH 2/2] Add regression test

---
 beacon-chain/rpc/beacon/validators_test.go | 27 ++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/beacon-chain/rpc/beacon/validators_test.go b/beacon-chain/rpc/beacon/validators_test.go
index 393b85514d5..300d812ccc6 100644
--- a/beacon-chain/rpc/beacon/validators_test.go
+++ b/beacon-chain/rpc/beacon/validators_test.go
@@ -372,6 +372,33 @@ func TestServer_ListValidatorBalances_Pagination_CustomPageSizes(t *testing.T) {
 	}
 }
 
+func TestServer_ListValidatorBalances_ResponseOutOfBound(t *testing.T) {
+	db, sc := dbTest.SetupDB(t)
+	ctx := context.Background()
+
+	count := 10
+	setupValidators(t, db, count)
+	headState, err := db.HeadState(context.Background())
+	require.NoError(t, err)
+	b := testutil.NewBeaconBlock()
+	gRoot, err := b.Block.HashTreeRoot()
+	require.NoError(t, err)
+	require.NoError(t, db.SaveGenesisBlockRoot(ctx, gRoot))
+	require.NoError(t, db.SaveState(ctx, headState, gRoot))
+
+	bs := &Server{
+		GenesisTimeFetcher: &mock.ChainService{},
+		StateGen:           stategen.New(db, sc),
+		HeadFetcher: &mock.ChainService{
+			State: headState,
+		},
+	}
+
+	req := &ethpb.ListValidatorBalancesRequest{PageSize: 250, QueryFilter: &ethpb.ListValidatorBalancesRequest_Epoch{Epoch: 0}, PublicKeys: [][]byte{{'a'}}}
+	_, err = bs.ListValidatorBalances(context.Background(), req)
+	require.ErrorContains(t, "Request exceeds response length", err)
+}
+
 func TestServer_ListValidatorBalances_OutOfRange(t *testing.T) {
 	db, sc := dbTest.SetupDB(t)