From 0eff57cb9075b3488c12802709c1819a73711c1c Mon Sep 17 00:00:00 2001
From: Jonathan Fung <121899091+jonfung-dydx@users.noreply.github.com>
Date: Mon, 21 Oct 2024 13:56:53 -0400
Subject: [PATCH] FNS - bounds check raw subscription payload int vals (#2523)

---
 protocol/streaming/ws/websocket_server.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/protocol/streaming/ws/websocket_server.go b/protocol/streaming/ws/websocket_server.go
index c94e84208e..ba4477d03b 100644
--- a/protocol/streaming/ws/websocket_server.go
+++ b/protocol/streaming/ws/websocket_server.go
@@ -3,6 +3,7 @@ package ws
 import (
 	"context"
 	"fmt"
+	"math"
 	"net/http"
 	"strconv"
 	"strings"
@@ -122,6 +123,10 @@ func parseSubaccountIds(r *http.Request) ([]*satypes.SubaccountId, error) {
 			return nil, fmt.Errorf("invalid subaccount number: %s, expected subaccount_id format: owner/number", parts[1])
 		}
 
+		if number < 0 || number > math.MaxInt32 {
+			return nil, fmt.Errorf("invalid subaccount number: %s", parts[1])
+		}
+
 		subaccountIds = append(subaccountIds, &satypes.SubaccountId{
 			Owner: parts[0],
 			Number: uint32(number),
@@ -144,6 +149,9 @@ func parseClobPairIds(r *http.Request) ([]uint32, error) {
 		if err != nil {
 			return nil, fmt.Errorf("invalid clobPairId: %s", idStr)
 		}
+		if id < 0 || id > math.MaxInt32 {
+			return nil, fmt.Errorf("invalid clob pair id: %s", idStr)
+		}
 		clobPairIds = append(clobPairIds, uint32(id))
 	}
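Review bot: The new guard in parseSubaccountIds rejects anything above math.MaxInt32 even though the value is narrowed into a uint32 field on the `Number: uint32(number)` line, so the accepted range is neither the field's range nor, as far as this hunk shows, the protocol's own limit on subaccount numbers, and nothing records why that bound was chosen. If the subaccounts module exports a maximum subaccount number, bounding against that constant would also reject numbers that can never exist on chain; otherwise a comment should pin the intent, e.g. `// Reject values that would wrap when narrowed to uint32 below; MaxInt32 rather than MaxUint32 keeps the comparison well-typed if number is a plain int (presumably from a strconv call above, outside this hunk).` The out-of-range branch reuses the parse-failure prefix `invalid subaccount number: %s`, so callers and logs cannot distinguish an unparseable token from an overflowing one; `subaccount number out of range: %s` would keep them apart. parseSubaccountIds starts and ends outside the hunk, and the line that parses number is not visible here.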