Merge pull request #9914 from julek-wolfssl/fenrir/30

douzzer · web-flow · commit 1d49f411c702 · 2026-03-06T22:30:51.000-06:00
Make sure size check doesn't underflow
diff --git a/src/internal.c b/src/internal.c
@@ -22880,8 +22880,10 @@ static int DoProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 #ifdef WOLFSSL_TLS13
                 if (IsAtLeastTLSv1_3(ssl->version)) {
                     tooLong  = ssl->curSize > MAX_TLS13_ENC_SZ;
-                    tooLong |= ssl->curSize - ssl->specs.aead_mac_size >
+                    if (ssl->specs.aead_mac_size < ssl->curSize) {
+                        tooLong |= ssl->curSize - ssl->specs.aead_mac_size >
                                                              MAX_TLS13_PLAIN_SZ;
+                    }
                 }
 #endif
 #ifdef WOLFSSL_EXTRA_ALERTS
