F-4867: reject trailing bytes in TLS 1.3 EncryptedExtensions

DoTls13EncryptedExtensions only bounds-checked the extensions length against
the message size, silently ignoring any trailing bytes. RFC 8446 Section 4.3.1
defines the message as solely the extensions block, so enforce length equality
and return BUFFER_ERROR (decode_error) on a mismatch.
This commit is contained in:
Juliusz Sosinowicz
2026-06-03 00:24:25 +02:00
parent c18784a11c
commit e4007a8956
+1 -1
View File
@@ -6030,7 +6030,7 @@ static int DoTls13EncryptedExtensions(WOLFSSL* ssl, const byte* input,
i += OPAQUE16_LEN;
/* Extension data. */
if (i - begin + totalExtSz > totalSz)
if (i - begin + totalExtSz != totalSz)
return BUFFER_ERROR;
if ((ret = TLSX_Parse(ssl, input + i, totalExtSz, encrypted_extensions,
NULL))) {