From aba95cf5245875c6d60388b0553d052a353aa4b2 Mon Sep 17 00:00:00 2001
From: Paul Adelsbach
Date: Fri, 29 May 2026 14:57:09 -0700
Subject: [PATCH] Update len check in wh_Client_CertReadTrustedResponse
---
 src/wh_client_cert.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/wh_client_cert.c b/src/wh_client_cert.c
index 0b1e3abe9..5abc8c687 100644
--- a/src/wh_client_cert.c
+++ b/src/wh_client_cert.c
@@ -327,17 +327,21 @@ int wh_Client_CertReadTrustedResponse(whClientContext* c, uint8_t* cert,
 }
 if (resp->rc == WH_ERROR_OK) {
- /* Copy certificate data if buffer is large enough */
- if (*cert_len >= resp->cert_len) {
- memcpy(cert, payload, resp->cert_len);
- *cert_len = resp->cert_len;
+ /* Check that cert_len does not exceed the received data size */
+ if (resp->cert_len > size - sizeof(*resp)) {
+ rc = WH_ERROR_ABORTED;
 }
- else {
+ /* Check that caller buffer is large enough for the cert */
+ else if (*cert_len < resp->cert_len) {
 *cert_len = resp->cert_len;
 if (out_rc != NULL) {
 *out_rc = WH_ERROR_BUFFER_SIZE;
 }
 }
+ else {
+ memcpy(cert, payload, resp->cert_len);
+ *cert_len = resp->cert_len;
+ }
 }
 }
 }
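Review bot: The new bound `resp->cert_len > size - sizeof(*resp)` subtracts in unsigned arithmetic, so if `size` can be smaller than `sizeof(*resp)` here, the right-hand side wraps to a very large value and the check passes, leaving the final `memcpy` to read past the received data. The function starts above the hunk, so an earlier minimum-size check on `size` may already exist; if it does not, fold it into the same condition: `if (size < sizeof(*resp) || resp->cert_len > size - sizeof(*resp)) {`. Within the hunk the abort branch sets only `rc` and leaves `*cert_len` and `*out_rc` untouched, unlike the buffer-size branch. A one-line comment such as `/* malformed response: cert_len and out_rc are not updated */` would make that contract explicit for callers.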