From a963c5fc472318457da8dec1c27e818e17f4ada6 Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Wed, 25 Mar 2026 16:35:34 -0600 Subject: [PATCH] add check to prevent integer underflow --- src/internal.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index 3555a96eb5..4280153719 100644 --- a/src/internal.c +++ b/src/internal.c @@ -21240,7 +21240,8 @@ static int SanityCheckCipherText(WOLFSSL* ssl, word32 encryptSz) if (ssl->specs.cipher_type == block) { #ifdef HAVE_ENCRYPT_THEN_MAC if (ssl->options.startedETMRead) { - if ((encryptSz - MacSize(ssl)) % ssl->specs.block_size) { + if (encryptSz < minLength || + (encryptSz - MacSize(ssl)) % ssl->specs.block_size) { WOLFSSL_MSG("Block ciphertext not block size"); WOLFSSL_ERROR_VERBOSE(SANITY_CIPHER_E); return SANITY_CIPHER_E;