Unconditionally validate TLS 1.2 ciphertext size in ProcessReply F-1476

julek-wolfssl · julek-wolfssl · commit f2b9e3d65494 · 2026-04-03T10:34:55.000+02:00
diff --git a/src/internal.c b/src/internal.c
@@ -23005,9 +23005,7 @@ static int DoProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
             }
 
             if (IsEncryptionOn(ssl, 0)) {
-#if defined(WOLFSSL_TLS13) || defined(WOLFSSL_EXTRA_ALERTS)
                 int tooLong = 0;
-#endif
 
 #ifdef WOLFSSL_TLS13
                 if (IsAtLeastTLSv1_3(ssl->version)) {
@@ -23017,18 +23015,16 @@ static int DoProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
                                                              MAX_TLS13_PLAIN_SZ;
                     }
                 }
+                else
 #endif
-#ifdef WOLFSSL_EXTRA_ALERTS
-                if (!IsAtLeastTLSv1_3(ssl->version))
+                {
                     tooLong = ssl->curSize > MAX_TLS_CIPHER_SZ;
-#endif
-#if defined(WOLFSSL_TLS13) || defined(WOLFSSL_EXTRA_ALERTS)
+                }
                 if (tooLong) {
                     WOLFSSL_MSG("Encrypted data too long");
                     SendAlert(ssl, alert_fatal, record_overflow);
                     return BUFFER_ERROR;
                 }
-#endif
             }
             ssl->keys.padSz = 0;
 

Original file line number	Diff line number	Diff line change
`@@ -23005,9 +23005,7 @@ static int DoProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)`
`23005`	`23005`	`}`
`23006`	`23006`
`23007`	`23007`	`if (IsEncryptionOn(ssl, 0)) {`
`23008`		`-#if defined(WOLFSSL_TLS13) \|\| defined(WOLFSSL_EXTRA_ALERTS)`
`23009`	`23008`	`int tooLong = 0;`
`23010`		`-#endif`
`23011`	`23009`
`23012`	`23010`	`#ifdef WOLFSSL_TLS13`
`23013`	`23011`	`if (IsAtLeastTLSv1_3(ssl->version)) {`
`@@ -23017,18 +23015,16 @@ static int DoProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)`
`23017`	`23015`	`MAX_TLS13_PLAIN_SZ;`
`23018`	`23016`	`}`
`23019`	`23017`	`}`
	`23018`	`+ else`
`23020`	`23019`	`#endif`
`23021`		`-#ifdef WOLFSSL_EXTRA_ALERTS`
`23022`		`- if (!IsAtLeastTLSv1_3(ssl->version))`
	`23020`	`+ {`
`23023`	`23021`	`tooLong = ssl->curSize > MAX_TLS_CIPHER_SZ;`
`23024`		`-#endif`
`23025`		`-#if defined(WOLFSSL_TLS13) \|\| defined(WOLFSSL_EXTRA_ALERTS)`
	`23022`	`+ }`
`23026`	`23023`	`if (tooLong) {`
`23027`	`23024`	`WOLFSSL_MSG("Encrypted data too long");`
`23028`	`23025`	`SendAlert(ssl, alert_fatal, record_overflow);`
`23029`	`23026`	`return BUFFER_ERROR;`
`23030`	`23027`	`}`
`23031`		`-#endif`
`23032`	`23028`	`}`
`23033`	`23029`	`ssl->keys.padSz = 0;`
`23034`	`23030`