From e0421828ffaa790889f0f11962539777abbaf399 Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Wed, 25 Mar 2026 14:47:17 -0400 Subject: [PATCH] Fix TLS 1.3 PQC key share over heap read (ZD 21413) Validate that the received key share data length (keLen) is at least as large as the expected ciphertext size (ctSz) before passing it to wc_KyberKey_Decapsulate. A malicious TLS 1.3 server could send a short ML-KEM key share. --- src/tls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/tls.c b/src/tls.c index 09e6c92174..93984ac4ba 100644 --- a/src/tls.c +++ b/src/tls.c @@ -9950,6 +9950,10 @@ static int TLSX_KeyShare_ProcessPqcClient_ex(WOLFSSL* ssl, } #endif + if (ret == 0 && keyShareEntry->keLen < ctSz) { + WOLFSSL_MSG("PQC key share data too short for ciphertext."); + ret = BUFFER_E; + } if (ret == 0) { ret = wc_KyberKey_Decapsulate(kem, ssOutput, keyShareEntry->ke, ctSz);