summaryrefslogtreecommitdiffstats
path: root/meta-networking
diff options
context:
space:
mode:
authorAnkur Tyagi <ankur.tyagi85@gmail.com>2026-01-09 22:28:35 +1300
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-01-12 07:51:58 +0530
commitb45ac4e0ef9426dd173f5df1522b6e22e8f066d1 (patch)
tree96690f7a3f16aa3fa2a32d9c8db1336a43d4839e /meta-networking
parentc0c54373e9edaa50d13b742c60e0eb18bca0c752 (diff)
downloadmeta-openembedded-b45ac4e0ef9426dd173f5df1522b6e22e8f066d1.tar.gz
libcoap: patch CVE-2025-34468
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-34468 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-networking')
-rw-r--r--meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch127
-rw-r--r--meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb1
2 files changed, 128 insertions, 0 deletions
diff --git a/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch b/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch
new file mode 100644
index 0000000000..9aee64c3c2
--- /dev/null
+++ b/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch
@@ -0,0 +1,127 @@
1From f191ae30013c205a350cd897fe24d56dde2e593a Mon Sep 17 00:00:00 2001
2From: Jon Shallow <supjps-libcoap@jpshallow.com>
3Date: Fri, 12 Sep 2025 10:07:41 +0100
4Subject: [PATCH] coap_address.c: Validate length of provided host name
5
6Host names larger than 255 bytes will cause an internal buffer overflow.
7
8Hostnames provided to coap_resolve_address_info() now have their length validated.
9
10Discovered by SecMate (https://secmate.dev).
11
12Sanity check host lengths when parsing a CoAP URI when using the coap_split_uri()
13function.
14
15CVE: CVE-2025-34468
16Upstream-Status: Backport [https://github.com/obgm/libcoap/commit/30db3ea]
17Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
18---
19 examples/coap-client.c | 11 ++++++-----
20 src/coap_address.c | 9 +++++++--
21 src/coap_uri.c | 20 +++++++++++++++++++-
22 3 files changed, 32 insertions(+), 8 deletions(-)
23
24diff --git a/examples/coap-client.c b/examples/coap-client.c
25index 18b6777f..8512fbbd 100644
26--- a/examples/coap-client.c
27+++ b/examples/coap-client.c
28@@ -822,6 +822,12 @@ cmdline_oscore(char *arg) {
29 static int
30 cmdline_uri(char *arg) {
31
32+ /* Sanity check the provided (Proxy)Uri */
33+ if (coap_split_uri((unsigned char *)arg, strlen(arg), &uri) < 0) {
34+ coap_log_err("invalid CoAP URI '%s'\n", arg);
35+ return -1;
36+ }
37+
38 if (!proxy_scheme_option && proxy.host.length) {
39 /* create Proxy-Uri from argument */
40 size_t len = strlen(arg);
41@@ -836,11 +842,6 @@ cmdline_uri(char *arg) {
42 (unsigned char *)arg));
43
44 } else { /* split arg into Uri-* options */
45- if (coap_split_uri((unsigned char *)arg, strlen(arg), &uri) < 0) {
46- coap_log_err("invalid CoAP URI\n");
47- return -1;
48- }
49-
50 /* Need to special case use of reliable */
51 if (uri.scheme == COAP_URI_SCHEME_COAPS && reliable) {
52 if (!coap_tls_is_supported()) {
53diff --git a/src/coap_address.c b/src/coap_address.c
54index 2dabb366..6cd55ba5 100644
55--- a/src/coap_address.c
56+++ b/src/coap_address.c
57@@ -469,10 +469,15 @@ coap_resolve_address_info(const coap_str_const_t *address,
58 #endif /* COAP_AF_UNIX_SUPPORT */
59
60 memset(addrstr, 0, sizeof(addrstr));
61- if (address && address->length)
62+ if (address && address->length) {
63+ if (address->length >= sizeof(addrstr)) {
64+ coap_log_warn("Host name too long (%zu > 255)\n", address->length);
65+ return NULL;
66+ }
67 memcpy(addrstr, address->s, address->length);
68- else
69+ } else {
70 memcpy(addrstr, "localhost", 9);
71+ }
72
73 memset((char *)&hints, 0, sizeof(hints));
74 hints.ai_socktype = 0;
75diff --git a/src/coap_uri.c b/src/coap_uri.c
76index 6f658730..f2360ceb 100644
77--- a/src/coap_uri.c
78+++ b/src/coap_uri.c
79@@ -59,6 +59,15 @@ coap_uri_info_t coap_uri_scheme[COAP_URI_SCHEME_LAST] = {
80 { "coaps+ws", 443, 0, COAP_URI_SCHEME_COAPS_WS }
81 };
82
83+/*
84+ * Returns 0 All OK
85+ * -1 Insufficient / Invalid parameters
86+ * -2 No '://'
87+ * -3 Ipv6 definition error or no host defined after scheme://
88+ * -4 Invalid port value
89+ * -5 Port defined for Unix domain
90+ * -6 Hostname > 255 chars
91+ */
92 static int
93 coap_split_uri_sub(const uint8_t *str_var,
94 size_t len,
95@@ -165,8 +174,10 @@ coap_split_uri_sub(const uint8_t *str_var,
96 if (len && *p == '[') {
97 /* IPv6 address reference */
98 ++p;
99+ ++q;
100+ --len;
101
102- while (len && *q != ']') {
103+ while (len && *q != ']' && (isxdigit(*q) || *q == ':')) {
104 ++q;
105 --len;
106 }
107@@ -197,6 +208,12 @@ coap_split_uri_sub(const uint8_t *str_var,
108 goto error;
109 }
110
111+ if ((int)(q - p) > 255) {
112+ coap_log_warn("Host name length too long (%d > 255)\n", (int)(q - p));
113+ res = -6;
114+ goto error;
115+ }
116+
117 COAP_SET_STR(&uri->host, q - p, p);
118 }
119
120@@ -222,6 +239,7 @@ coap_split_uri_sub(const uint8_t *str_var,
121
122 /* check if port number is in allowed range */
123 if (uri_port > UINT16_MAX) {
124+ coap_log_warn("Port number too big (%ld > 65535)\n", uri_port);
125 res = -4;
126 goto error;
127 }
diff --git a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb
index da0cf50f92..efea6d24f8 100644
--- a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb
+++ b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb
@@ -12,6 +12,7 @@ SRC_URI = "git://github.com/obgm/libcoap.git;branch=main;protocol=https \
12 file://CVE-2024-0962.patch \ 12 file://CVE-2024-0962.patch \
13 file://CVE-2024-31031.patch \ 13 file://CVE-2024-31031.patch \
14 file://CVE-2025-59391.patch \ 14 file://CVE-2025-59391.patch \
15 file://CVE-2025-34468.patch \
15 " 16 "
16SRCREV = "5fd2f89ef068214130e5d60b7087ef48711fa615" 17SRCREV = "5fd2f89ef068214130e5d60b7087ef48711fa615"
17 18