extra overflow clamp

sebastian-carpenter · sebastian-carpenter · commit 9a161a69f224 · 2026-04-15T09:31:22.000-06:00
diff --git a/src/tls.c b/src/tls.c
@@ -14091,6 +14091,9 @@ static int TLSX_ECH_ExpandOuterExtensions(WOLFSSL* ssl, WOLFSSL_ECH* ech,
 
     newInnerChLen = innerChLen - echOuterExtLen + extraSize - sessionIdLen +
                         ssl->session->sessionIDSz;
+    if (newInnerChLen > 0xFFFF) {
+        return BUFFER_E;
+    }
 
     if (!foundEchOuter && sessionIdLen == ssl->session->sessionIDSz) {
         /* no extensions + no sessionID to copy */
