Confirm sessIdSz's size in DoTls13ServerHello before it is used.

kareem-wolfssl · kareem-wolfssl · commit d7437d765ce6 · 2026-04-21T15:23:58.000-07:00
Thanks to Zou Dikai for the report.
diff --git a/src/tls13.c b/src/tls13.c
@@ -5353,7 +5353,8 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 
     /* Session id */
     args->sessIdSz = input[args->idx++];
-    if ((args->idx - args->begin) + args->sessIdSz > helloSz)
+    if (args->sessIdSz > ID_LEN || args->sessIdSz > RAN_LEN ||
+        ((args->idx - args->begin) + args->sessIdSz > helloSz))
         return BUFFER_ERROR;
     args->sessId = input + args->idx;
     args->idx += args->sessIdSz;
