Code review feedback

kareem-wolfssl · kareem-wolfssl · commit 74461e42509f · 2026-04-15T10:53:17.000-07:00
diff --git a/src/sniffer.c b/src/sniffer.c
@@ -4231,10 +4231,13 @@ static int ProcessClientHello(const byte* input, int* sslBytes,
     #ifdef WOLFSSL_TLS13
         case EXT_KEY_SHARE:
         {
-            if (extLen < OPAQUE16_LEN)
+            word16 ksLen = 0;
+            if (extLen < OPAQUE16_LEN) {
+                SetError(BUFFER_ERROR_STR, error, session, FATAL_ERROR_STATE);
                 return BUFFER_ERROR;
+            }
 
-            word16 ksLen = (word16)((input[0] << 8) | input[1]);
+            ksLen = (word16)((input[0] << 8) | input[1]);
             if (ksLen + OPAQUE16_LEN > extLen) {
                 SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
                 return WOLFSSL_FATAL_ERROR;
@@ -4258,8 +4261,10 @@ static int ProcessClientHello(const byte* input, int* sslBytes,
             word32 ticketAge;
             const byte *identity, *binders;
 
-            if (extLen < OPAQUE16_LEN)
+            if (extLen < OPAQUE16_LEN) {
+                SetError(BUFFER_ERROR_STR, error, session, FATAL_ERROR_STATE);
                 return BUFFER_ERROR;
+            }
 
             idsLen = (word16)((input[idx] << 8) | input[idx+1]);
             if ((word32)idsLen + OPAQUE16_LEN + idx > (word32)extLen) {
diff --git a/src/tls.c b/src/tls.c
@@ -3615,7 +3615,9 @@ int ProcessChainOCSPRequest(WOLFSSL* ssl)
     if (chain && chain->buffer) {
         while (ret == 0 && pos + OPAQUE24_LEN < chain->length) {
             if (i >= MAX_CERT_EXTENSIONS) {
-                WOLFSSL_MSG("OCSP request cert chain exceeds maximum length.");
+                WOLFSSL_ERROR_MSG_EX(
+                    "OCSP request cert chain exceeds maximum length: "
+                    "i=%d, MAX_CERT_EXTENSIONS=%d", i, MAX_CERT_EXTENSIONS);
                 ret = MAX_CERT_EXTENSIONS_ERR;
                 break;
             }
diff --git a/src/tls13.c b/src/tls13.c
@@ -9151,7 +9151,7 @@ static int SendTls13Certificate(WOLFSSL* ssl)
             if (ret != 0)
                 return ret;
 
-            if ((word16)(1 + ssl->buffers.certChainCnt) > MAX_CERT_EXTENSIONS)
+            if ((1 + ssl->buffers.certChainCnt) > MAX_CERT_EXTENSIONS)
                 ret = MAX_CERT_EXTENSIONS_ERR;
             if (ret == 0)
                 ret = WriteCSRToBuffer(ssl, &ssl->buffers.certExts[0], &extSz[0],
