From f06ac9965c5105b9b767b4e894b52a816ec1a2f6 Mon Sep 17 00:00:00 2001
From: Marco Oliverio
Date: Tue, 10 May 2022 12:49:18 +0200
Subject: [PATCH] internal.c: fix: plaintext check account for the current record only

---
 src/internal.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 4b637bd33..d368ea9c0 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -17398,10 +17398,9 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
 if (IsEncryptionOn(ssl, 0) && ssl->options.startedETMRead) {
- if ((ssl->buffers.inputBuffer.length -
+ if ((ssl->curSize -
 ssl->keys.padSz -
- MacSize(ssl) -
- ssl->buffers.inputBuffer.idx > MAX_PLAINTEXT_SZ)
+ MacSize(ssl) > MAX_PLAINTEXT_SZ)
 #ifdef WOLFSSL_ASYNC_CRYPT
 && ssl->buffers.inputBuffer.length !=
 ssl->buffers.inputBuffer.idx
@@ -17418,9 +17417,7 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 #endif
 /* TLS13 plaintext limit is checked earlier before decryption */
 if (!IsAtLeastTLSv1_3(ssl->version)
- && ssl->buffers.inputBuffer.length -
- ssl->keys.padSz -
- ssl->buffers.inputBuffer.idx > MAX_PLAINTEXT_SZ
+ && ssl->curSize - ssl->keys.padSz > MAX_PLAINTEXT_SZ
 #ifdef WOLFSSL_ASYNC_CRYPT
 && ssl->buffers.inputBuffer.length !=
 ssl->buffers.inputBuffer.idx
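Review bot: The `WOLFSSL_ASYNC_CRYPT` condition left under the rewritten test, `&& ssl->buffers.inputBuffer.length != ssl->buffers.inputBuffer.idx`, still keys on buffer state although the size expression now uses `ssl->curSize`. With the old expression that guard presumably avoided a wrapped subtraction once the buffer was fully consumed; with the new one it appears to skip the `MAX_PLAINTEXT_SZ` limit for a record that ends exactly at the end of the input buffer in async builds, so it should be confirmed as still needed or dropped. The same guard follows the non-ETM check in the second hunk. Separately, `ssl->curSize - ssl->keys.padSz - MacSize(ssl)` can wrap when a record is shorter than padding plus MAC if the operands are unsigned (their types are not visible here), so a comment naming where that lower bound is enforced would help. The `#ifdef` block and the rest of `ProcessReplyEx` lie outside the hunk.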
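Review bot: The comment above the second check, `/* TLS13 plaintext limit is checked earlier before decryption */`, does not say why the limit is now computed from `ssl->curSize` instead of the input buffer's `length - idx`. Going by the commit subject, the buffer can hold more than the current record, so I would add a line such as `/* curSize covers the current record only; inputBuffer may hold further records */`. The diffstat lists only src/internal.c, so a regression test that delivers several records in one read, each within the limit, would be worth adding so the per-record behaviour stays pinned. The condition continues past the end of the hunk.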