Ensure the SNI extension has at least OPAQUE16_LEN bytes in TLSX_SNI_GetFromBuffer.

kareem-wolfssl · kareem-wolfssl · commit 36931c8b9887 · 2026-04-15T10:53:16.000-07:00
Thanks to Zou Dikai for the report.
diff --git a/src/tls.c b/src/tls.c
@@ -2800,6 +2800,9 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
         } else {
             word16 listLen;
 
+            if (extLen < OPAQUE16_LEN)
+                return BUFFER_ERROR;
+
             ato16(clientHello + offset, &listLen);
             offset += OPAQUE16_LEN;
 
