From 845e2f752cf399cd0a3d4ba5144fa2f315b33209 Mon Sep 17 00:00:00 2001
From: gasbytes
Date: Tue, 11 Jun 2024 22:10:18 +0200
Subject: [PATCH 1/2] added check if the buf is at least RECORD_HEADER_SZ when adding the record headers through quic
---
 src/quic.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/quic.c b/src/quic.c
index ef77d2e543..dc2063a9c5 100644
--- a/src/quic.c
+++ b/src/quic.c
@@ -197,6 +197,12 @@ static word32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
 if (len <= 0) {
 return 0;
 }
+
+ /* We check if the buf is at least RECORD_HEADER_SZ */
+ if (sz < RECORD_HEADER_SZ) {
+ return -1;
+ }
+
 if (qr->rec_hdr_remain == 0) {
 /* start a new TLS record */
 rlen = (qr->len <= (word32)MAX_RECORD_SIZE) ?
@@ -774,6 +780,11 @@ int wolfSSL_quic_receive(WOLFSSL* ssl, byte* buf, word32 sz)
 n = 0;
 if (ssl->quic.input_head) {
 n = quic_record_transfer(ssl->quic.input_head, buf, sz);
+
+ /* record too small to be fit into a RecordLayerHeader struct. */
+ if (n == -1) {
+ return -1;
+ }
 if (quic_record_done(ssl->quic.input_head)) {
 QuicRecord* qr = ssl->quic.input_head;
 ssl->quic.input_head = qr->next;
From 88527a3d6ec62feddfb34f8b11c63e77561eb87e Mon Sep 17 00:00:00 2001
From: gasbytes
Date: Thu, 13 Jun 2024 13:44:50 +0200
Subject: [PATCH 2/2] word32 -> sword32
---
 src/quic.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/quic.c b/src/quic.c
index dc2063a9c5..117bb4373d 100644
--- a/src/quic.c
+++ b/src/quic.c
@@ -188,7 +188,7 @@ static word32 add_rec_header(byte* output, word32 length, byte type)
 return RECORD_HEADER_SZ;
 }
-static word32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
+static sword32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
 {
 word32 len = qr->end - qr->start;
 word32 offset = 0;
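Review bot: In the `-197,6 +197,12` hunk of patch 1/2, the new `sz < RECORD_HEADER_SZ` check sits ahead of `if (qr->rec_hdr_remain == 0)`, so it also rejects a short buffer on calls that do not start a new TLS record. Only that branch is marked as starting a record in the visible lines, which suggests header space is needed only there; if so, the guard belongs inside it, as in `if (qr->rec_hdr_remain == 0) { if (sz < RECORD_HEADER_SZ) return -1;`. The comment would help more if it gave the reason, for example `/* the record header written below needs RECORD_HEADER_SZ bytes of buf */`. The rest of quic_record_transfer lies outside the hunk, so confirm that the continuation path never writes a header before moving the check.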
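Review bot: In the `-774,6 +780,11` hunk, `return -1` leaves wolfSSL_quic_receive without setting `ssl->error` and without passing through the `cleanup` label that the WANT_READ path in the `-802,7` hunk uses. That later hunk also shows `sz` shrinking and `transferred` growing after each transfer, so if this code runs in a loop (the loop header is outside the hunks), a later pass with fewer than RECORD_HEADER_SZ bytes left would return -1 after data was already copied into `buf` and taken from the record. Consider reporting an error only when nothing has been transferred yet, for example `if (n < 0) { if (transferred == 0) { ssl->error = transferred = BUFFER_ERROR; } goto cleanup; }`, assuming `cleanup` returns `transferred` and using whichever error code the project prefers.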
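Review bot: quic_record_transfer now returns either a byte count or -1, and nothing at the definition in the `-188,7` hunk of patch 2/2 documents that. A short header comment would make the contract visible to the next caller: `/* Returns the number of bytes written to buf, 0 if the record holds no more data, or -1 if sz < RECORD_HEADER_SZ. */`. The function body continues outside this hunk.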
@@ -224,7 +224,7 @@ static word32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
 qr->start += len;
 qr->rec_hdr_remain -= len;
 }
- return len + offset;
+ return (sword32)(len + offset);
 }
@@ -772,7 +772,7 @@ int wolfSSL_provide_quic_data(WOLFSSL* ssl, WOLFSSL_ENCRYPTION_LEVEL level,
 /* Called internally when SSL wants a certain amount of input. */
 int wolfSSL_quic_receive(WOLFSSL* ssl, byte* buf, word32 sz)
 {
- word32 n = 0;
+ sword32 n = 0;
 int transferred = 0;
 WOLFSSL_ENTER("wolfSSL_quic_receive");
@@ -802,7 +802,7 @@ int wolfSSL_quic_receive(WOLFSSL* ssl, byte* buf, word32 sz)
 ssl->error = transferred = WANT_READ;
 goto cleanup;
 }
- sz -= n;
+ sz -= (word32)n;
 buf += n;
 transferred += (int)n;
 }
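Review bot: The cast in `return (sword32)(len + offset);` in the `-224,7` hunk narrows an unsigned sum to a signed type with no range check, so a sum above the sword32 maximum would come back negative and could be mistaken for the -1 error value. `len` is presumably clamped to `sz` earlier in the function (outside this hunk), so this needs a very large `sz` to occur. It is still cheap to have the caller test `n < 0` rather than `n == -1`, so that any out-of-range result is treated as an error instead of being applied to `buf` and `sz` in the `-802,7` hunk.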