From 1bed0f0ef2d2e311aec93b694f1abcb865eeb07d Mon Sep 17 00:00:00 2001
From: Achim Kraus
Date: Sat, 27 Jun 2026 14:50:49 +0200
Subject: [PATCH] dtls.c: add missing length checks in dtls_prepare_record.

Signed-off-by: Achim Kraus
---
 dtls.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/dtls.c b/dtls.c
index fa9d0fe..39f67df 100644
--- a/dtls.c
+++ b/dtls.c
@@ -1774,6 +1774,10 @@ dtls_prepare_record(dtls_peer_t *peer, dtls_security_parameters_t *security,
 } CCMNonceExample; */
+ if (*rlen < DTLS_RH_LENGTH + 8) {
+ dtls_debug("dtls_prepare_record: send buffer too small\n");
+ return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
+ }
 memcpy(p, &DTLS_RECORD_HEADER(sendbuf)->epoch, 8);
 p += 8;
 res = 8;
@@ -1808,6 +1812,11 @@ dtls_prepare_record(dtls_peer_t *peer, dtls_security_parameters_t *security,
 memcpy(A_DATA + 8, &DTLS_RECORD_HEADER(sendbuf)->content_type, 3); /* type and version */
 dtls_int_to_uint16(A_DATA + 11, res - 8); /* length */
+ if (*rlen < res + DTLS_RH_LENGTH + mac_len) {
+ dtls_debug("dtls_prepare_record: send buffer too small\n");
+ return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR);
+ }
+
 res = dtls_encrypt_params(¶ms, start + 8, res - 8, start + 8, dtls_kb_local_write_key(security, peer->role), dtls_kb_key_size(security, peer->role),
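Review bot: In the first hunk (`@@ -1774,6 +1774,10 @@`) the new guard `*rlen < DTLS_RH_LENGTH + 8` hard-codes the same literal 8 that the `memcpy`, `p += 8` and `res = 8` directly below it use, so the bound and the copy it protects are linked only by convention. A single named constant for that length, used in the check and in the three lines after it, would keep them from drifting apart; at minimum add a comment such as `/* need the record header plus the 8 bytes copied from the header's epoch field below */`. The guard also presumes that `p` sits `DTLS_RH_LENGTH` bytes into `sendbuf`, which is set outside this hunk, since dtls_prepare_record starts and ends outside it. This check and the one in the second hunk log the identical message, so the two failures cannot be told apart in a log.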
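Review bot: In the second hunk (`@@ -1808,6 +1812,11 @@`) the check `*rlen < res + DTLS_RH_LENGTH + mac_len` compares operands whose declarations lie outside the hunk; if `res` is a signed `int` (it also receives the return value of `dtls_encrypt_params`) and `*rlen` is unsigned, the comparison relies on implicit conversion. Assuming `*rlen` is a `size_t`, making that explicit with `if (*rlen < (size_t)res + DTLS_RH_LENGTH + mac_len) {` and adding a comment like `/* res = 8 + payload length; the cipher presumably appends mac_len bytes */` would document what is being bounded. The payload that already occupies `start + 8` was written before this hunk, so this check can only cover the bytes added by encryption; confirm that the earlier copy is bounded on its own.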