rpcserver: add missing length checks

Author: jharveyb

rpcserver.go

@@ -4638,16 +4638,28 @@ func UnmarshalUniID(rpcID *unirpc.ID) (universe.Identifier, error) {
 	}
 	switch {
 	case rpcID.GetAssetId() != nil:
+		rpcAssetID := rpcID.GetAssetId()
+		if len(rpcAssetID) != sha256.Size {
+			return universe.Identifier{}, fmt.Errorf("asset ID " +
+				"must be 32 bytes")
+		}
+
 		var assetID asset.ID
-		copy(assetID[:], rpcID.GetAssetId())
+		copy(assetID[:], rpcAssetID)
 
 		return universe.Identifier{
 			AssetID:   assetID,
 			ProofType: proofType,
 		}, nil
 
 	case rpcID.GetAssetIdStr() != "":
-		assetIDBytes, err := hex.DecodeString(rpcID.GetAssetIdStr())
+		rpcAssetIDStr := rpcID.GetAssetIdStr()
+		if len(rpcAssetIDStr) != sha256.Size*2 {
+			return universe.Identifier{}, fmt.Errorf("asset ID string " +
+				"must be 64 bytes")
+		}
+
+		assetIDBytes, err := hex.DecodeString(rpcAssetIDStr)
 		if err != nil {
 			return universe.Identifier{}, err
 		}