Defer SNI insertion and validate decrypt input size

julek-wolfssl · julek-wolfssl · commit 6ab8cd260634 · 2026-04-02T20:14:55.000+02:00
- Move SNI arg insertion to after option parsing so -noservername
  works regardless of argument order relative to -connect
- Validate input file is large enough for salt+IV before computing
  lastLoopFlag to prevent negative values on truncated files
diff --git a/src/client/clu_client_setup.c b/src/client/clu_client_setup.c
@@ -198,14 +198,6 @@ int wolfCLU_Client(int argc, char** argv)
                     }
                 }
 
-                /* Set SNI hostname so modern servers accept the connection.
-                 * Matches openssl s_client default; use -noservername to disable. */
-                if (ret == WOLFCLU_SUCCESS && host != NULL && !noservername) {
-                    ret = _addClientArg(clientArgv, sniFlag, &clientArgc);
-                    if (ret == WOLFCLU_SUCCESS) {
-                        ret = _addClientArg(clientArgv, host, &clientArgc);
-                    }
-                }
                 break;
 
             case WOLFCLU_STARTTLS:
@@ -256,6 +248,17 @@ int wolfCLU_Client(int argc, char** argv)
         }
     }
 
+    /* Set SNI hostname so modern servers accept the connection.
+     * Matches openssl s_client default; use -noservername to disable.
+     * Deferred until after option parsing so -noservername works
+     * regardless of argument order. */
+    if (ret == WOLFCLU_SUCCESS && host != NULL && !noservername) {
+        ret = _addClientArg(clientArgv, sniFlag, &clientArgc);
+        if (ret == WOLFCLU_SUCCESS) {
+            ret = _addClientArg(clientArgv, host, &clientArgc);
+        }
+    }
+
     if (ret == WOLFCLU_SUCCESS && !verify) {
         ret = _addClientArg(clientArgv, noVerifyFlag, &clientArgc);
 
diff --git a/src/crypto/clu_decrypt.c b/src/crypto/clu_decrypt.c
@@ -77,6 +77,13 @@ int wolfCLU_decrypt(int alg, char* mode, byte* pwdKey, byte* key, int size,
     length = (int)XFTELL(inFile);
     XFSEEK(inFile, 0, SEEK_SET);
 
+    /* Validate file is large enough for salt + IV header */
+    if (length < saltAndIvSize) {
+        wolfCLU_LogError("Input file too small (missing salt/IV).");
+        XFCLOSE(inFile);
+        return DECRYPT_ERROR;
+    }
+
     /* Compute loop count from the encrypted payload size (excluding the
      * salt and IV that are read separately before the loop). */
     if ((length - saltAndIvSize) % MAX_LEN > 0) {
