wolfSSL
diff --git a/‎src/internal.c‎
Lines changed: 1 addition & 1 deletion b/‎src/internal.c‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/ssl_sess.c‎
Lines changed: 32 additions & 0 deletions b/‎src/ssl_sess.c‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎src/tls.c‎
Lines changed: 4 additions & 0 deletions b/‎src/tls.c‎
Lines changed: 4 additions & 0 deletions
@@ -9834,7 +9834,7 @@ int DtlsMsgSet(DtlsMsg* msg, word32 seq, word16 epoch, const byte* data, byte ty
                 done = 1;
                 break;
             }
-            else if (fragOffset <= curEnd) {
+            else if (fragOffset <= curEnd && fragOffsetEnd >= cur->m.m.offset) {
                 /* found place to store fragment */
                 break;
             }
 
@@ -522,6 +522,22 @@ int wolfSSL_memrestore_session_cache(const void* mem, int sz)
     #endif
 
         XMEMCPY(&SessionCache[i], row++, SIZEOF_SESSION_ROW);
+    #ifndef SESSION_CACHE_DYNAMIC_MEM
+        /* Reset pointers to safe values after raw copy */
+        {
+            int j;
+            for (j = 0; j < SESSIONS_PER_ROW; j++) {
+                WOLFSSL_SESSION* s = &SessionCache[i].Sessions[j];
+    #ifdef HAVE_SESSION_TICKET
+                s->ticket = s->staticTicket;
+                s->ticketLenAlloc = 0;
+    #endif
+    #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
+                s->peer = NULL;
+    #endif
+            }
+        }
+    #endif
     #ifdef ENABLE_SESSION_CACHE_ROW_LOCK
         SESSION_ROW_UNLOCK(&SessionCache[i]);
     #endif
@@ -681,6 +697,22 @@ int wolfSSL_restore_session_cache(const char *fname)
     #endif
 
         ret = (int)XFREAD(&SessionCache[i], SIZEOF_SESSION_ROW, 1, file);
+    #ifndef SESSION_CACHE_DYNAMIC_MEM
+        /* Reset pointers to safe values after raw copy */
+        {
+            int j;
+            for (j = 0; j < SESSIONS_PER_ROW; j++) {
+                WOLFSSL_SESSION* s = &SessionCache[i].Sessions[j];
+    #ifdef HAVE_SESSION_TICKET
+                s->ticket = s->staticTicket;
+                s->ticketLenAlloc = 0;
+    #endif
+    #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
+                s->peer = NULL;
+    #endif
+            }
+        }
+    #endif
     #ifdef ENABLE_SESSION_CACHE_ROW_LOCK
         SESSION_ROW_UNLOCK(&SessionCache[i]);
     #endif
 
@@ -9937,6 +9937,10 @@ static int TLSX_KeyShare_ProcessPqcClient_ex(WOLFSSL* ssl,
     }
 #endif
 
+    if (ret == 0 && keyShareEntry->keLen < ctSz) {
+        WOLFSSL_MSG("PQC key share data too short for ciphertext.");
+        ret = BUFFER_E;
+    }
     if (ret == 0) {
         ret = wc_KyberKey_Decapsulate(kem, ssOutput,
                                       keyShareEntry->ke, ctSz);
Original file line number	Diff line number	Diff line change
`@@ -9834,7 +9834,7 @@ int DtlsMsgSet(DtlsMsg* msg, word32 seq, word16 epoch, const byte* data, byte ty`
`9834`	`9834`	`done = 1;`
`9835`	`9835`	`break;`
`9836`	`9836`	`}`
`9837`		`- else if (fragOffset <= curEnd) {`
	`9837`	`+ else if (fragOffset <= curEnd && fragOffsetEnd >= cur->m.m.offset) {`
`9838`	`9838`	`/* found place to store fragment */`
`9839`	`9839`	`break;`
`9840`	`9840`	`}`