From 10325b458770056cb96af1bcf493323629a48f4d Mon Sep 17 00:00:00 2001 From: Andrew Hutchings Date: Mon, 23 Feb 2026 15:03:50 +0000 Subject: [PATCH] Fix integer underflow in ECH innerClientHelloLen parsing Add bounds check before subtracting WC_AES_BLOCK_SIZE from the attacker-controlled innerClientHelloLen field in TLSX_ECH_Parse(). Values 0-15 caused a word16 underflow to ~65K, leading to a heap buffer overflow write via XMEMSET and heap buffer over-read via wc_AesGcmDecrypt. Return BAD_FUNC_ARG if the field is too small. --- src/tls.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/tls.c b/src/tls.c index 207c873b46..a4f83e0867 100644 --- a/src/tls.c +++ b/src/tls.c @@ -13605,6 +13605,9 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size, } /* read hello inner len */ ato16(readBuf_p, &ech->innerClientHelloLen); + if (ech->innerClientHelloLen < WC_AES_BLOCK_SIZE) { + return BAD_FUNC_ARG; + } ech->innerClientHelloLen -= WC_AES_BLOCK_SIZE; readBuf_p += 2; ech->outerClientPayload = readBuf_p;