From 676d74e4c74ce71a38b321f4567dfa8a20f30ff7 Mon Sep 17 00:00:00 2001
From: Ronald Cron
Date: Fri, 20 Mar 2026 17:19:10 +0100
Subject: [PATCH] dtls: Error out on invalid/unexpected record header

Error out on invalid/unexpected record header when reading the DTLS 1.2 ClientHello.

Signed-off-by: Ronald Cron
---
 library/ssl_msg.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 86c23d766c..65609b8ff9 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -4750,6 +4750,30 @@ static int ssl_get_next_record(mbedtls_ssl_context *ssl)
             ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
         }
 
+#if defined(MBEDTLS_SSL_SRV_C)
+        /*
+         * When retrieving the DTLS ClientHello on server side, error out
+         * when detecting an invalid or unexpected record.
+         */
+        if ((ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) &&
+            (ssl->state == MBEDTLS_SSL_CLIENT_HELLO)
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            && (ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE)
+#endif
+            ) {
+            /*
+             * For backward compatibility, return
+             * MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE rather than
+             * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD.
+             */
+            if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) {
+                return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+            } else {
+                return ret;
+            }
+        }
+#endif /* MBEDTLS_SSL_SRV_C */
+
         if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) {
 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
             /* Reset in pointers to default state for TLS/DTLS records,
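Review bot: The new server-side block returns unconditionally, so it is only correct if it sits inside an `if (ret != 0)` that the preceding context line `ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;` suggests but which starts outside the hunk; with `ret == 0` it would leave ssl_get_next_record before the record is actually read, so that precondition is worth confirming and stating, e.g. `/* Only reached with ret != 0 (record header rejected). */`. The early return also bypasses the recovery the existing `MBEDTLS_ERR_SSL_UNEXPECTED_RECORD` path below performs (the visible "Reset in pointers ..." step and presumably the discard of the rest of the datagram), which is acceptable only if every caller treats the returned error as fatal for this handshake — the comment should say so, since it changes the behaviour on an unauthenticated datagram from "silently discard" to "abort the handshake" while the server has no peer state yet. The backward-compatibility comment would help more if it named the behaviour it preserves, i.e. which earlier code path returned `MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE` here. As a point of style, the if/else with two returns can be a single `return ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ? MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE : ret;`. ssl_get_next_record starts and ends outside the hunk.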