From f25a5492d89259e90a9a25c66f039f746efe4561 Mon Sep 17 00:00:00 2001
From: OpenAI
Date: Wed, 3 Jun 2026 11:52:17 +0000
Subject: [PATCH] Fix TLS 1.3 PSK binder length wraparound
---
matrixssl/tls13DecodeExt.c | 47 ++++++++++++++++++++++++++++++++++----
1 file changed, 43 insertions(+), 4 deletions(-)
diff --git a/matrixssl/tls13DecodeExt.c b/matrixssl/tls13DecodeExt.c
index f385f6c..b0186d7 100644
--- a/matrixssl/tls13DecodeExt.c
+++ b/matrixssl/tls13DecodeExt.c
@@ -893,16 +893,50 @@ int32_t tls13VerifyBinder(ssl_t *ssl, hmacAlg = tls13GetPskHmacAlg(ssl->sec.tls13ChosenPsk); hmacLen = tls13GetPskHashLen(ssl->sec.tls13ChosenPsk); + if (hmacAlg == 0 || hmacLen <= 0 || hmacLen > MAX_TLS_1_3_HASH_SIZE) + { + psTraceErrr("Invalid TLS 1.3 PSK binder hash algorithm\n"); + goto out_decode_error; + } - tls13TranscriptHashUpdate(ssl, + /* + The ClientHello transcript hash is split at the start of the + binders vector. tls13BindersLen is attacker-controlled through the + pre_shared_key extension, while tls13CHLen is the length of the + buffered ClientHello. MatrixSSL 4.x used to subtract these values + without checking for wraparound. Since psSize_t is 16 bit on this + code base, a malformed extension could make the subtraction wrap and + cause hashing beyond the ClientHello buffer (CVE-2023-24609). + */ + if (ssl->sec.tls13CHStart == NULL || + ssl->sec.tls13BindersLen < 2 || + ssl->sec.tls13BindersLen > ssl->sec.tls13CHLen) + { + psTraceErrr("Invalid TLS 1.3 PSK binder length\n"); + goto out_decode_error; + } + + rc = tls13TranscriptHashUpdate(ssl, ssl->sec.tls13CHStart, ssl->sec.tls13CHLen - ssl->sec.tls13BindersLen); - tls13TranscriptHashSnapshot(ssl, + if (rc < 0) + { + goto out_internal_error; + } + rc = tls13TranscriptHashSnapshot(ssl, ssl->sec.tls13TrHashSnapshotCHWithoutBinders); - tls13TranscriptHashUpdate(ssl, + if (rc < 0) + { + goto out_internal_error; + } + rc = tls13TranscriptHashUpdate(ssl, ssl->sec.tls13CHStart + ssl->sec.tls13CHLen - ssl->sec.tls13BindersLen, ssl->sec.tls13BindersLen); + if (rc < 0) + { + goto out_internal_error; + } /* Find the binder corresponding to the PSK we have chosen. */ ix = 0; 
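Review bot: The new bound `ssl->sec.tls13BindersLen > ssl->sec.tls13CHLen` still accepts a binders length equal to the whole buffered ClientHello, in which case the first tls13TranscriptHashUpdate() call hashes zero bytes of it before the CHWithoutBinders snapshot is taken. The binders vector is only the tail of the pre_shared_key extension, so it cannot legitimately cover the entire message; rejecting equality as well, `ssl->sec.tls13BindersLen >= ssl->sec.tls13CHLen)`, keeps the guard in line with that. Separately, the `hmacAlg == 0 || hmacLen <= 0 || ...` branch appears to report a problem with the server's own chosen PSK through `out_decode_error`; `out_internal_error`, which this hunk already uses for hash failures, looks like the better fit. Both labels, the declaration of hmacLen (if it is unsigned, `<= 0` reduces to `== 0`) and the rest of tls13VerifyBinder are outside the hunk and should be confirmed there.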
@@ -1245,7 +1279,12 @@ int32_t tls13ParsePreSharedKey(ssl_t *ssl, if (foundPsk) { - ssl->sec.tls13BindersLen = bindersLen + 2; + if (bindersLen > (psSizeL_t) ((psSize_t) ~0) - 2) + { + psTraceErrr("TLS 1.3 PSK binders vector too large\n"); + goto out_decode_error; + } + ssl->sec.tls13BindersLen = (psSize_t) bindersLen + 2; rc = tls13VerifyBinder(ssl, pb); if (rc < 0)
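Review bot: The limit `(psSizeL_t) ((psSize_t) ~0) - 2` is only correct because both casts bind before the subtraction, and nothing at the check says what the value stands for. A one-line comment above the `if`, such as `/* Largest psSize_t minus the 2 bytes added below, so bindersLen + 2 cannot wrap. */`, would let a reader verify the guard without working through the cast chain. The guard covers only the upper end: RFC 8446 declares the binders vector as `<33..2^16-1>`, and no lower bound on bindersLen is visible in this hunk, so a too-short vector should also be rejected here unless the parsing above the hunk already does so. The diffstat shows a single changed file, so no regression test for an oversized or undersized binders vector comes with the fix. tls13ParsePreSharedKey starts and ends outside the hunk, as does the `out_decode_error` label.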