Fix integer underflow in ECH innerClientHelloLen parsing

LinuxJedi · LinuxJedi · commit 10325b458770 · 2026-02-23T16:52:52.000Z
Add bounds check before subtracting WC_AES_BLOCK_SIZE from the
attacker-controlled innerClientHelloLen field in TLSX_ECH_Parse().
Values 0-15 caused a word16 underflow to ~65K, leading to a heap
buffer overflow write via XMEMSET and heap buffer over-read via
wc_AesGcmDecrypt. Return BAD_FUNC_ARG if the field is too small.
diff --git a/src/tls.c b/src/tls.c
@@ -13605,6 +13605,9 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size,
         }
         /* read hello inner len */
         ato16(readBuf_p, &ech->innerClientHelloLen);
+        if (ech->innerClientHelloLen < WC_AES_BLOCK_SIZE) {
+            return BAD_FUNC_ARG;
+        }
         ech->innerClientHelloLen -= WC_AES_BLOCK_SIZE;
         readBuf_p += 2;
         ech->outerClientPayload = readBuf_p;
