From 445c1e6cebd2fd6c8661ac9d245cb281479918a2 Mon Sep 17 00:00:00 2001
From: Marco Oliverio
Date: Tue, 10 May 2022 12:39:11 +0200
Subject: [PATCH] internal.c: don't check TLS13 plaintext limit twice Plaintext size is checked before decryption in TLS 1.3
---
src/internal.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/internal.c b/src/internal.c
index 0a74450d3..a9bddbdf6 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -17410,7 +17410,9 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 }
 else
 #endif
- if (ssl->buffers.inputBuffer.length -
+ /* TLS13 plaintext limit is checked earlier before decryption */
+ if (!IsAtLeastTLSv1_3(ssl->version)
+ && ssl->buffers.inputBuffer.length -
 ssl->keys.padSz -
 ssl->buffers.inputBuffer.idx > MAX_PLAINTEXT_SZ
 #ifdef WOLFSSL_ASYNC_CRYPT
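Review bot: The new `!IsAtLeastTLSv1_3(ssl->version)` guard turns off the only record-size check visible in this hunk for TLS 1.3, and the comment that justifies it does not say where the earlier check is or which length it bounds. A check made before decryption can only see the ciphertext length, so it replaces this one only if it already subtracts the AEAD overhead and also covers the inner padding and content-type byte. That check is not in the hunk, so this cannot be confirmed from here. I would make the comment self-verifying, for example `/* TLS 1.3: decrypted size is already bounded by the pre-decryption length check in <function name>, which accounts for the AEAD tag */`. I would also add a test that sends an oversized TLS 1.3 record and expects it to be rejected. The `if` condition continues under `#ifdef WOLFSSL_ASYNC_CRYPT` outside the hunk.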