From 1e770e1a0fc527927eb10a9622e6ebefbfcb8140 Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 4 Feb 2026 15:40:30 -0700 Subject: [PATCH] Send decode_error alert rather than illegal_parameter when receiving an empty/malformed keyshare extension. Fixes #9640. --- src/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tls.c b/src/tls.c index 7d7dcea86c..843d16f461 100644 --- a/src/tls.c +++ b/src/tls.c @@ -9894,7 +9894,7 @@ static int TLSX_KeyShareEntry_Parse(const WOLFSSL* ssl, const byte* input, ato16(&input[offset], &keLen); offset += OPAQUE16_LEN; if (keLen == 0) - return INVALID_PARAMETER; + return BUFFER_ERROR; if (keLen > length - offset) return BUFFER_ERROR;