add check to prevent integer underflow

This commit is contained in:
Ruby Martin
2026-03-25 16:35:34 -06:00
parent a696d11519
commit a963c5fc47
+2 -1
View File
@@ -21240,7 +21240,8 @@ static int SanityCheckCipherText(WOLFSSL* ssl, word32 encryptSz)
if (ssl->specs.cipher_type == block) {
#ifdef HAVE_ENCRYPT_THEN_MAC
if (ssl->options.startedETMRead) {
if ((encryptSz - MacSize(ssl)) % ssl->specs.block_size) {
if (encryptSz < minLength ||
(encryptSz - MacSize(ssl)) % ssl->specs.block_size) {
WOLFSSL_MSG("Block ciphertext not block size");
WOLFSSL_ERROR_VERBOSE(SANITY_CIPHER_E);
return SANITY_CIPHER_E;