From 341024e484e40dc2182f8e9cbccd8b0c3c9b7829 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 2 Mar 2026 21:20:34 +0100 Subject: [PATCH] Adjust SendClientKeyExchange to use exact cipher overhead for DTLS MTU checks --- src/internal.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index 423fd1ef7b..9b5b6f0866 100644 --- a/src/internal.c +++ b/src/internal.c @@ -34118,7 +34118,15 @@ int SendClientKeyExchange(WOLFSSL* ssl) #endif if (IsEncryptionOn(ssl, 1)) { - args->sendSz += MAX_MSG_EXTRA; + #if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_MTU) + /* Use exact cipher overhead for the MTU pre-flight check. + * MAX_MSG_EXTRA is an upper bound that can exceed a small MTU, + * while the actual message fits within it. */ + if (ssl->options.dtls) + args->sendSz += cipherExtraData(ssl); + else + #endif + args->sendSz += MAX_MSG_EXTRA; } /* check for available size */