Fix ECH error code: use BUFFER_ERROR for malformed peer input

Change innerClientHelloLen underflow guard in TLSX_ECH_Parse from
BAD_FUNC_ARG to BUFFER_ERROR to match the convention used throughout
tls.c for wire-protocol length/bounds validation.
Andrew Hutchings
2026-02-26 14:09:01 +00:00
parent 599eec673e
commit 110f5cb442
+1 -1
@@ -13606,7 +13606,7 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size,
/* read hello inner len */
ato16(readBuf_p, &ech->innerClientHelloLen);
if (ech->innerClientHelloLen < WC_AES_BLOCK_SIZE) {
return BAD_FUNC_ARG;
return BUFFER_ERROR;
}
ech->innerClientHelloLen -= WC_AES_BLOCK_SIZE;
readBuf_p += 2;
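Review bot: The guard at `if (ech->innerClientHelloLen < WC_AES_BLOCK_SIZE)` validates only the lower bound of a length read directly from peer input with `ato16`, and nothing visible in this hunk compares it against the remaining `size` before `readBuf_p` advances. If the upper-bound check sits outside the hunk, please confirm it also returns BUFFER_ERROR so both failure paths for this field report the same code. A one-line comment on the guard saying it keeps the `-= WC_AES_BLOCK_SIZE` subtraction from wrapping would document why it exists, and a test that supplies an inner length below WC_AES_BLOCK_SIZE and asserts BUFFER_ERROR would pin the new return value.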