From c79da7df7157a30235d61ba0217edf5ceaea5f53 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 11 Sep 2022 13:50:41 +0000
Subject: Ensure there is no trailing data for a CCS received by the TLSv1.3
 stack.

ok tb@
---
 src/lib/libssl/tls13_record_layer.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index ac5b83bd34..423b405cbd 100644
--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.70 2022/07/24 14:28:16 jsing Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.71 2022/09/11 13:50:41 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -850,6 +850,8 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl)
 			return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
 		if (ccs != 1)
 			return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER);
+		if (CBS_len(&cbs) != 0)
+			return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR);
 		rl->ccs_seen++;
 		tls13_record_layer_rrec_free(rl);
 		return TLS13_IO_WANT_RETRY;
-- 
cgit v1.2.3-55-g6feb