From 0bb094e6442daef86a8b014cdfa853435438e728 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?=
Date: Thu, 5 Mar 2026 17:11:39 +0100
Subject: [PATCH] Send alert in case of decrypted all-zero message
---
 src/internal.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/internal.c b/src/internal.c
index f7f0b26d644..8edb69b0db4 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -22395,6 +22395,11 @@ static int removeMsgInnerPadding(WOLFSSL* ssl)
 /* Get the real content type from the end of the data. */
 ssl->curRL.type = ssl->buffers.inputBuffer.buffer[i];
+ if (ssl->curRL.type == 0) {
+ SendAlert(ssl, alert_fatal, unexpected_message);
+ WOLFSSL_ERROR(PARSE_ERROR);
+ return PARSE_ERROR;
+ }
 /* consider both contentType byte and MAC as padding */
 ssl->keys.padSz = ssl->buffers.inputBuffer.idx + ssl->curSize - i;
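Review bot: The new `if (ssl->curRL.type == 0)` branch carries no comment saying why a zero content type is fatal, and the patch (one file changed) adds no regression test that feeds a record decrypting to all zeros. I would put `/* RFC 8446 5.4: no non-zero octet in the decrypted plaintext means no content type; abort with unexpected_message. */` above the check so the alert choice is traceable to the spec. The branch also stores the zero into `ssl->curRL.type` before rejecting it and discards the return value of `SendAlert`; both look harmless on a fatal path, but testing the byte before the assignment would leave the record state untouched on error. The padding scan that positions `i` lies outside the hunk, so whether `i` is guaranteed to stay inside the decrypted plaintext for a very short record cannot be confirmed from here.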