Reject DTLS application data messages in epoch 0 as out of order.

2025-07-30 18:57:27 +02:00 · 2020-08-14 16:27:39 -07:00
parent ef5271dd9f
commit 3be7f3ea3a
1 changed files with 4 additions and 1 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -8337,10 +8337,13 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
    }

 #ifdef WOLFSSL_DTLS
-    if (IsDtlsNotSctpMode(ssl) && !DtlsCheckWindow(ssl)) {
+    if (IsDtlsNotSctpMode(ssl)) {
+        if (!DtlsCheckWindow(ssl) ||
+                (ssl->keys.curEpoch == 0 && rh->type == application_data)) {
            WOLFSSL_LEAVE("GetRecordHeader()", SEQUENCE_ERROR);
            return SEQUENCE_ERROR;
        }
+    }
 #endif

    /* catch version mismatch */