Fix TLS 1.3 PQC key share over heap read (ZD 21413)

Validate that the received key share data length (keLen) is at least
as large as the expected ciphertext size (ctSz) before passing it to
wc_KyberKey_Decapsulate. A malicious TLS 1.3 server could send a
short ML-KEM key share.
This commit is contained in:
Anthony Hu
2026-03-25 14:47:17 -04:00
committed by JacobBarthelmeh
parent 7aac9e5766
commit e0421828ff
+4
View File
@@ -9950,6 +9950,10 @@ static int TLSX_KeyShare_ProcessPqcClient_ex(WOLFSSL* ssl,
}
#endif
if (ret == 0 && keyShareEntry->keLen < ctSz) {
WOLFSSL_MSG("PQC key share data too short for ciphertext.");
ret = BUFFER_E;
}
if (ret == 0) {
ret = wc_KyberKey_Decapsulate(kem, ssOutput,
keyShareEntry->ke, ctSz);