From e3228ee300eeb4b6016d3fa1a22e8b4c6b0a0196 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Thu, 5 Apr 2018 13:06:45 -0600
Subject: [PATCH 1/2] return value for verify mac result

---
 src/internal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/internal.c b/src/internal.c
index dc91416..f6b4f49 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -4367,7 +4367,7 @@ int DoReceive(WOLFSSH* ssh)
                         }
                         if (verifyResult != WS_SUCCESS) {
                             WLOG(WS_LOG_DEBUG, "PR: VerifyMac fail");
-                            return ret;
+                            return verifyResult;
                         }
                     }
                     else {

From 7ef8b02e9031a71cc98350e690e4bed311cce232 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Thu, 5 Apr 2018 13:19:07 -0600
Subject: [PATCH 2/2] extra check on buffer size before AES-CBC encrypt/decrypt

---
 src/internal.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index f6b4f49..2bbd899 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -4038,7 +4038,7 @@ static INLINE int Encrypt(WOLFSSH* ssh, byte* cipher, const byte* input,
             break;
 
         case ID_AES128_CBC:
-            if (wc_AesCbcEncrypt(&ssh->encryptCipher.aes,
+            if (sz % AES_BLOCK_SIZE || wc_AesCbcEncrypt(&ssh->encryptCipher.aes,
                                  cipher, input, sz) < 0) {
 
                 ret = WS_ENCRYPT_E;
@@ -4070,7 +4070,7 @@ static INLINE int Decrypt(WOLFSSH* ssh, byte* plain, const byte* input,
             break;
 
         case ID_AES128_CBC:
-            if (wc_AesCbcDecrypt(&ssh->decryptCipher.aes,
+            if (sz % AES_BLOCK_SIZE || wc_AesCbcDecrypt(&ssh->decryptCipher.aes,
                                  plain, input, sz) < 0) {
 
                 ret = WS_DECRYPT_E;