From ddc177b669cff9d3c7e1b51751f9df73062b872a Mon Sep 17 00:00:00 2001
From: Kareem <kareem@wolfssl.com>
Date: Mon, 16 Mar 2026 15:34:18 -0700
Subject: [PATCH] Check raw pubkey length in wc_ecc_import_x963 before copying
 to it for KCAPI case.

---
 wolfcrypt/src/ecc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index 1376cff2a03..33c020d7f77 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -10735,7 +10735,10 @@ int wc_ecc_import_x963_ex2(const byte* in, word32 inLen, ecc_key* key,
             XMEMCPY(key->pubkey_raw, (byte*)in, inLen);
     }
 #elif defined(WOLFSSL_KCAPI_ECC)
-    XMEMCPY(key->pubkey_raw, (byte*)in, inLen);
+    if (inLen <= (word32)sizeof(key->pubkey_raw))
+        XMEMCPY(key->pubkey_raw, (byte*)in, inLen);
+    else
+        err = BAD_FUNC_ARG;
 #endif
 
     if (err == MP_OKAY) {