From e4007a8956a571c5e32a1bba3ef3f44f573e1cef Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 3 Jun 2026 00:24:25 +0200 Subject: [PATCH] F-4867: reject trailing bytes in TLS 1.3 EncryptedExtensions DoTls13EncryptedExtensions only bounds-checked the extensions length against the message size, silently ignoring any trailing bytes. RFC 8446 Section 4.3.1 defines the message as solely the extensions block, so enforce length equality and return BUFFER_ERROR (decode_error) on a mismatch. --- src/tls13.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tls13.c b/src/tls13.c index 5e377f40ef..4bc22f1cb1 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -6030,7 +6030,7 @@ static int DoTls13EncryptedExtensions(WOLFSSL* ssl, const byte* input, i += OPAQUE16_LEN; /* Extension data. */ - if (i - begin + totalExtSz > totalSz) + if (i - begin + totalExtSz != totalSz) return BUFFER_ERROR; if ((ret = TLSX_Parse(ssl, input + i, totalExtSz, encrypted_extensions, NULL))) {