wolfSSL · anhu · Mar 25, 2026 · Mar 26, 2026 · Mar 26, 2026
diff --git a/src/internal.c b/src/internal.c
@@ -9728,8 +9728,9 @@ static DtlsFragBucket* DtlsMsgCombineFragBuckets(DtlsMsg* msg,
             newBucket->m.m.next = next;
         }
     }
-    /* Adjust size in msg */
-    msg->bytesReceived += newSz - overlapSz;
+    /* Adjust size in msg. Cap at dataSz to avoid counting gap bytes
+     * between a non-overlapping fragment and bucket as received. */
+    msg->bytesReceived += min(newSz - overlapSz, dataSz);
     newBucket->m.m.offset = newOffset;
     newBucket->m.m.sz = newSz;
     return newBucket;

diff --git a/src/ssl_sess.c b/src/ssl_sess.c
@@ -522,6 +522,22 @@ int wolfSSL_memrestore_session_cache(const void* mem, int sz)
     #endif
 
         XMEMCPY(&SessionCache[i], row++, SIZEOF_SESSION_ROW);
+    #ifndef SESSION_CACHE_DYNAMIC_MEM
+        /* Reset pointers to safe values after raw copy */
+        {
+            int j;
+            for (j = 0; j < SESSIONS_PER_ROW; j++) {
+                WOLFSSL_SESSION* s = &SessionCache[i].Sessions[j];
+    #ifdef HAVE_SESSION_TICKET
+                s->ticket = s->staticTicket;
+                s->ticketLenAlloc = 0;
+    #endif
+    #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
+                s->peer = NULL;
+    #endif
+            }
+        }
+    #endif
     #ifdef ENABLE_SESSION_CACHE_ROW_LOCK
         SESSION_ROW_UNLOCK(&SessionCache[i]);
     #endif
@@ -681,6 +697,22 @@ int wolfSSL_restore_session_cache(const char *fname)
     #endif
 
         ret = (int)XFREAD(&SessionCache[i], SIZEOF_SESSION_ROW, 1, file);
+    #ifndef SESSION_CACHE_DYNAMIC_MEM
+        /* Reset pointers to safe values after raw copy */
+        {
+            int j;
+            for (j = 0; j < SESSIONS_PER_ROW; j++) {
+                WOLFSSL_SESSION* s = &SessionCache[i].Sessions[j];
+    #ifdef HAVE_SESSION_TICKET
+                s->ticket = s->staticTicket;
+                s->ticketLenAlloc = 0;
+    #endif
+    #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
+                s->peer = NULL;
+    #endif
+            }
+        }
+    #endif
     #ifdef ENABLE_SESSION_CACHE_ROW_LOCK
         SESSION_ROW_UNLOCK(&SessionCache[i]);
     #endif

diff --git a/src/tls.c b/src/tls.c
@@ -9937,6 +9937,10 @@ static int TLSX_KeyShare_ProcessPqcClient_ex(WOLFSSL* ssl,
     }
 #endif
 
+    if (ret == 0 && keyShareEntry->keLen < ctSz) {
+        WOLFSSL_MSG("PQC key share data too short for ciphertext.");
+        ret = BUFFER_E;
+    }
     if (ret == 0) {
         ret = wc_KyberKey_Decapsulate(kem, ssOutput,
                                       keyShareEntry->ke, ctSz);