diff --git a/lua/zapret-antidpi.lua b/lua/zapret-antidpi.lua
index a84771c..e18c107 100644
--- a/lua/zapret-antidpi.lua
+++ b/lua/zapret-antidpi.lua
@@ -389,7 +389,8 @@ function syndata(ctx, desync)
 			dis.payload = blob(desync, desync.arg.blob, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
 			apply_fooling(desync, dis)
 			if desync.arg.tls_mod then
-				dis.payload = tls_mod_shim(desync, dis.payload, desync.arg.tls_mod, nil)
+				local pl = tls_mod_shim(desync, dis.payload, desync.arg.tls_mod, nil)
+				if pl then desync.payload = pl end
 			end
 			if b_debug then DLOG("syndata: "..hexdump_dlog(dis.payload)) end
 			if rawsend_dissect_ipfrag(dis, desync_opts(desync)) then
@@ -449,7 +450,8 @@ function fake(ctx, desync)
 			end
 			local fake_payload = blob(desync, desync.arg.blob)
 			if desync.reasm_data and desync.arg.tls_mod then
-				fake_payload = tls_mod_shim(desync, fake_payload, desync.arg.tls_mod, desync.reasm_data)
+				local pl = tls_mod_shim(desync, fake_payload, desync.arg.tls_mod, desync.reasm_data)
+				if pl then fake_payload = pl end
 			end
 			-- check debug to save CPU
 			if b_debug then DLOG("fake: "..hexdump_dlog(fake_payload)) end
diff --git a/nfq2/lua.c b/nfq2/lua.c
index 521e469..818b648 100644
--- a/nfq2/lua.c
+++ b/nfq2/lua.c
@@ -3350,7 +3350,6 @@ static int luacall_tls_mod(lua_State *L)
 	int argc=lua_gettop(L);
 
 	size_t fake_tls_len;
-	bool bRes;
 	const uint8_t *fake_tls = (uint8_t*)lua_reqlstring(L,1,&fake_tls_len);
 	const char *modlist = lua_reqstring(L,2);
 
@@ -3370,8 +3369,10 @@ static int luacall_tls_mod(lua_State *L)
 		uint8_t *newtls = lua_newuserdata(L, maxlen);
 
 		memcpy(newtls, fake_tls, newlen);
-		bRes = TLSMod(&mod, payload, payload_len, newtls, &newlen, maxlen);
-		lua_pushlstring(L,(char*)newtls,newlen);
+		if (TLSMod(&mod, payload, payload_len, newtls, &newlen, maxlen))
+			lua_pushlstring(L,(char*)newtls,newlen);
+		else
+			lua_pushnil(L);
 
 		lua_remove(L,-2);
 	}
@@ -3379,11 +3380,9 @@ static int luacall_tls_mod(lua_State *L)
 	{
 		// no mod. push it back
 		lua_pushlstring(L,(char*)fake_tls,fake_tls_len);
-		bRes = true;
 	}
-	lua_pushboolean(L, bRes);
 
-	LUA_STACK_GUARD_RETURN(L,2)
+	LUA_STACK_GUARD_RETURN(L,1)
 }
 
 struct userdata_zs
diff --git a/nfq2/protocol.c b/nfq2/protocol.c
index 14a4871..d2816d0 100644
--- a/nfq2/protocol.c
+++ b/nfq2/protocol.c
@@ -649,9 +649,11 @@ bool TLSAdvanceToHostInSNI(const uint8_t **ext, size_t *elen, size_t *slen)
 	// u8	data+2 - server name type. 0=host_name
 	// u16	data+3 - server name length
 	if (*elen < 5 || (*ext)[2] != 0) return false;
+	uint16_t nll = pntoh16(*ext);
 	*slen = pntoh16(*ext + 3);
+	if (nll<(*slen+3) || *slen > *elen-5) return false;
 	*ext += 5; *elen -= 5;
-	return *slen <= *elen;
+	return true;
 }
 static bool TLSExtractHostFromExt(const uint8_t *ext, size_t elen, char *host, size_t len_host)
 {