From 251d0364f8154ef8e5e5cd3c14a22be96fa24261 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Mon, 30 Nov 2015 17:16:47 -0800
Subject: [PATCH] check DTLS sequence number against window a little earlier
---
 src/internal.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index a51ba9528..a9b98507c 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -3374,6 +3374,11 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 #endif
 }
+#ifdef WOLFSSL_DTLS
+ if (ssl->options.dtls && !DtlsCheckWindow(&ssl->keys.dtls_state))
+ return SEQUENCE_ERROR;
+#endif
+
 /* catch version mismatch */
 if (rh->pvMajor != ssl->version.major || rh->pvMinor != ssl->version.minor){
 if (ssl->options.side == WOLFSSL_SERVER_END &&
@@ -3395,13 +3400,6 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 }
 }
-#ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- if (DtlsCheckWindow(&ssl->keys.dtls_state) != 1)
- return SEQUENCE_ERROR;
- }
-#endif
-
 /* record layer length check */
 #ifdef HAVE_MAX_FRAGMENT
 if (*size > (ssl->max_fragment + MAX_COMP_EXTRA + MAX_MSG_EXTRA)) {
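Review bot: The relocated replay check in the first hunk is not equivalent to the one removed in the second hunk: the old test rejected every return value other than 1 (`DtlsCheckWindow(...) != 1`), while the new `!DtlsCheckWindow(...)` rejects only 0. DtlsCheckWindow is defined outside the hunk; if it can return anything besides 0 or 1 (for example a negative error code), such a record would now pass the window check, so the fail-closed form `if (ssl->options.dtls && DtlsCheckWindow(&ssl->keys.dtls_state) != 1)` is the safer spelling. Because the check now runs before the version and length checks on header fields that have not been authenticated yet, a short comment such as `/* drop replayed or out-of-window DTLS records before any other header validation */` would record why the order matters. GetRecordHeader starts and ends outside both hunks, so how callers treat SEQUENCE_ERROR (silent discard versus a fatal error) cannot be confirmed from here.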