From ca94898a67c846f17090232baea5055174c8bf1d Mon Sep 17 00:00:00 2001
From: Emma Stensland <emma.stensland@wolfssl.com>
Date: Thu, 28 May 2026 16:39:14 -0600
Subject: [PATCH] F-4985 signed int overflow prevention

---
 src/tools/clu_http.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/tools/clu_http.c b/src/tools/clu_http.c
index cfa86d00..0b624f75 100644
--- a/src/tools/clu_http.c
+++ b/src/tools/clu_http.c
@@ -257,6 +257,11 @@ SOCKET_T wolfCLU_ServerAccept(SOCKET_T serverfd)
  * @param buffer buffer to store request
  * @param bufferSz size of buffer
  * @return number of bytes received, or negative on error
+ *
+ * @note If Content-Length is larger than receive buffer,
+ * contentLen is clamped to available space. Callers must
+ * re-validate the body length against the advertised
+ * Content-Length (see wolfCLU_HttpServerParseRequest).
  */
 int wolfCLU_HttpServerRecv(SOCKET_T clientfd, byte* buffer, int bufferSz)
 {
@@ -285,11 +290,14 @@ int wolfCLU_HttpServerRecv(SOCKET_T clientfd, byte* buffer, int bufferSz)
                     contentLen = XATOI(cl + 15);
                     if (contentLen < 0)
                         contentLen = 0;
+                    /* Clamp to the space the buffer can hold */
+                    if (contentLen > bufferSz - 1 - headerSz)
+                        contentLen = bufferSz - 1 - headerSz;
                 }
             }
         }
-        /* Check if we have the full body */
-        if (headerSz > 0 && totalLen >= headerSz + contentLen)
+        /* Check for the full body. */
+        if (headerSz > 0 && totalLen - headerSz >= contentLen)
             break;
     }
     return totalLen;