From ec9b2c0e8b5446bf5ae37c4cae1d7e50bb9bc671 Mon Sep 17 00:00:00 2001 From: Kareem Date: Tue, 21 Apr 2026 13:44:35 -0700 Subject: [PATCH] Confirm sessIdSz's size in DoTls13ServerHello before it is used. Thanks to Zou Dikai for the report. --- src/tls13.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/tls13.c b/src/tls13.c index 824ad08b69..180db43b43 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -5371,7 +5371,8 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, /* Session id */ args->sessIdSz = input[args->idx++]; - if ((args->idx - args->begin) + args->sessIdSz > helloSz) + if (args->sessIdSz > ID_LEN || args->sessIdSz > RAN_LEN || + ((args->idx - args->begin) + args->sessIdSz > helloSz)) return BUFFER_ERROR; args->sessId = input + args->idx; args->idx += args->sessIdSz;