From 612e9f7c679dc9c132159945014e84d706ce5f68 Mon Sep 17 00:00:00 2001
From: Achim Kraus <achim.kraus@cloudcoap.net>
Date: Sat, 14 Mar 2026 08:53:31 +0100
Subject: [PATCH] dtls.c: fix length check in check_server_certificate.

Fixes potential out-of-bounds read.

Signed-off-by: Achim Kraus <achim.kraus@cloudcoap.net>
---
 dtls.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/dtls.c b/dtls.c
index 47590c27..5a22c9ca 100644
--- a/dtls.c
+++ b/dtls.c
@@ -3436,6 +3436,11 @@ check_server_certificate(dtls_context_t *ctx,
 
   data += DTLS_HS_LENGTH;
 
+  if (data_length < DTLS_HS_LENGTH + DTLS_EC_SUBJECTPUBLICKEY_SIZE + sizeof(uint24)) {
+    dtls_alert("the packet length does not match the expected\n");
+    return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR);
+  }
+
   if (dtls_uint24_to_int(data) != DTLS_EC_SUBJECTPUBLICKEY_SIZE) {
     dtls_alert("expect length of %zu bytes for certificate\n",
 	       DTLS_EC_SUBJECTPUBLICKEY_SIZE);