From 22f41a8dbb97a0b35720b29c263de5d47aca306d Mon Sep 17 00:00:00 2001
From: Marco Oliverio
Date: Thu, 15 May 2025 19:31:02 +0200
Subject: [PATCH] Drop DTLS packets with bogus minor version number
---
 src/internal.c | 4 ++++
 tests/api.c | 1 +
 tests/api/test_dtls.c | 49 +++++++++++++++++++++++++++++++++++++++++++
 tests/api/test_dtls.h | 1 +
 4 files changed, 55 insertions(+)
diff --git a/src/internal.c b/src/internal.c
index 93c5b00c2..aa64178d4 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -11788,6 +11788,10 @@ static int GetDtlsRecordHeader(WOLFSSL* ssl, word32* inOutIdx,
 *inOutIdx += ENUM_LEN + VERSION_SZ;
 ato16(ssl->buffers.inputBuffer.buffer + *inOutIdx, &ssl->keys.curEpoch);
+ if (rh->pvMajor == DTLS_MAJOR && rh->pvMinor == DTLS_BOGUS_MINOR) {
+ return SEQUENCE_ERROR;
+ }
+
 #ifdef WOLFSSL_DTLS_CID
 if (rh->type == dtls12_cid && (cidSz = DtlsGetCidRxSize(ssl)) == 0)
 return DTLS_CID_ERROR;
diff --git a/tests/api.c b/tests/api.c
index 60db1b4fb..60f005f24 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -68023,6 +68023,7 @@ TEST_CASE testCases[] = {
 TEST_DECL(test_wolfSSL_dtls_cid_parse),
 TEST_DECL(test_dtls13_epochs),
 TEST_DECL(test_dtls13_ack_order),
+ TEST_DECL(test_dtls_version_checking),
 TEST_DECL(test_ocsp_status_callback),
 TEST_DECL(test_ocsp_basic_verify),
 TEST_DECL(test_ocsp_response_parsing),
diff --git a/tests/api/test_dtls.c b/tests/api/test_dtls.c
index 69269eb3d..16a2b6856 100644
--- a/tests/api/test_dtls.c
+++ b/tests/api/test_dtls.c
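Review bot: In GetDtlsRecordHeader (src/internal.c) the new `DTLS_BOGUS_MINOR` test runs only after `*inOutIdx` has been advanced and `ssl->keys.curEpoch` has been overwritten from the very record that is about to be rejected, so a dropped packet still leaves its epoch in the session state. Whether that is harmless depends on how callers handle `SEQUENCE_ERROR` and whether curEpoch is re-read for every record, neither of which is visible here; running the check as soon as `rh` holds the version bytes, before the `ato16(...)` line, would keep a discarded record from touching state at all. The check also has no comment: something like `/* {0xfe, 0xfe} is not a defined DTLS version; drop the record instead of parsing it */` would explain why this one minor value is singled out and that `SEQUENCE_ERROR` is meant as a silent drop, if that is the intent. The function begins and ends outside this hunk.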
@@ -727,3 +727,52 @@ int test_dtls13_ack_order(void)
 #endif
 return EXPECT_RESULT();
 }
+
+int test_dtls_version_checking(void)
+{
+ EXPECT_DECLS;
+#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS)
+ WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
+ WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+ struct test_memio_ctx test_ctx;
+
+ XMEMSET(&test_ctx, 0, sizeof(test_ctx));
+
+ ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
+ wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method),
+ 0);
+
+ /* CH */
+ ExpectIntEQ(wolfSSL_connect(ssl_c), WOLFSSL_FATAL_ERROR);
+ ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
+ WOLFSSL_ERROR_WANT_READ);
+
+ /* modify CH DTLS header to have version 1.1 (0xfe, 0xfe) */
+ ExpectIntGE(test_ctx.s_len, 3);
+ if (EXPECT_SUCCESS()) {
+ test_ctx.s_buff[1] = 0xfe;
+ test_ctx.s_buff[2] = 0xfe;
+ }
+
+ ExpectIntEQ(wolfSSL_accept(ssl_s), WOLFSSL_FATAL_ERROR);
+ ExpectIntEQ(wolfSSL_get_error(ssl_s, WOLFSSL_FATAL_ERROR),
+ WOLFSSL_ERROR_WANT_READ);
+ /* server should drop the message */
+ ExpectIntEQ(test_ctx.c_len, 0);
+
+ wolfSSL_free(ssl_c);
+ ssl_c = wolfSSL_new(ctx_c);
+ ExpectNotNull(ssl_c);
+ wolfSSL_SetIOWriteCtx(ssl_c, &test_ctx);
+ wolfSSL_SetIOReadCtx(ssl_c, &test_ctx);
+
+ /* try again */
+ ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
+
+ wolfSSL_free(ssl_c);
+ wolfSSL_CTX_free(ctx_c);
+ wolfSSL_free(ssl_s);
+ wolfSSL_CTX_free(ctx_s);
+#endif /* HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES && WOLFSSL_DTLS */
+ return EXPECT_RESULT();
+}
diff --git a/tests/api/test_dtls.h b/tests/api/test_dtls.h
index bf82a2035..25f9ab263 100644
--- a/tests/api/test_dtls.h
+++ b/tests/api/test_dtls.h
@@ -27,5 +27,6 @@ int test_dtls13_basic_connection_id(void);
 int test_wolfSSL_dtls_cid_parse(void);
 int test_dtls13_epochs(void);
 int test_dtls13_ack_order(void);
+int test_dtls_version_checking(void);
 #endif /* TESTS_API_DTLS_H */
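Review bot: In test_dtls_version_checking (tests/api/test_dtls.c) the only evidence of the drop is `ExpectIntEQ(test_ctx.c_len, 0);`, which shows the server sent no reply but not that the tampered datagram was actually consumed. Adding `ExpectIntEQ(test_ctx.s_len, 0);` next to it would pin that directly, assuming `s_len` counts bytes still pending for the server, as the earlier `ExpectIntGE(test_ctx.s_len, 3)` guard suggests. The test also covers only a DTLS 1.2 server receiving the first ClientHello; a mirrored case in which the client receives a record with minor `0xfe`, if the memio helpers allow it, would cover the receive path on the other side. A short comment above the `wolfSSL_free(ssl_c); ssl_c = wolfSSL_new(ctx_c);` pair saying why a fresh client object is needed for the retry would help the next reader.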