diff options
| author | Ankur Tyagi <ankur.tyagi85@gmail.com> | 2026-01-09 22:28:35 +1300 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-01-12 07:51:58 +0530 |
| commit | b45ac4e0ef9426dd173f5df1522b6e22e8f066d1 (patch) | |
| tree | 96690f7a3f16aa3fa2a32d9c8db1336a43d4839e /meta-networking | |
| parent | c0c54373e9edaa50d13b742c60e0eb18bca0c752 (diff) | |
| download | meta-openembedded-b45ac4e0ef9426dd173f5df1522b6e22e8f066d1.tar.gz | |
libcoap: patch CVE-2025-34468
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-34468
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-networking')
| -rw-r--r-- | meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch | 127 | ||||
| -rw-r--r-- | meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb | 1 |
2 files changed, 128 insertions, 0 deletions
diff --git a/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch b/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch new file mode 100644 index 0000000000..9aee64c3c2 --- /dev/null +++ b/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch | |||
| @@ -0,0 +1,127 @@ | |||
| 1 | From f191ae30013c205a350cd897fe24d56dde2e593a Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jon Shallow <supjps-libcoap@jpshallow.com> | ||
| 3 | Date: Fri, 12 Sep 2025 10:07:41 +0100 | ||
| 4 | Subject: [PATCH] coap_address.c: Validate length of provided host name | ||
| 5 | |||
| 6 | Host names larger than 255 bytes will cause an internal buffer overflow. | ||
| 7 | |||
| 8 | Hostnames provided to coap_resolve_address_info() now have their length validated. | ||
| 9 | |||
| 10 | Discovered by SecMate (https://secmate.dev). | ||
| 11 | |||
| 12 | Sanity check host lengths when parsing a CoAP URI when using the coap_split_uri() | ||
| 13 | function. | ||
| 14 | |||
| 15 | CVE: CVE-2025-34468 | ||
| 16 | Upstream-Status: Backport [https://github.com/obgm/libcoap/commit/30db3ea] | ||
| 17 | Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> | ||
| 18 | --- | ||
| 19 | examples/coap-client.c | 11 ++++++----- | ||
| 20 | src/coap_address.c | 9 +++++++-- | ||
| 21 | src/coap_uri.c | 20 +++++++++++++++++++- | ||
| 22 | 3 files changed, 32 insertions(+), 8 deletions(-) | ||
| 23 | |||
| 24 | diff --git a/examples/coap-client.c b/examples/coap-client.c | ||
| 25 | index 18b6777f..8512fbbd 100644 | ||
| 26 | --- a/examples/coap-client.c | ||
| 27 | +++ b/examples/coap-client.c | ||
| 28 | @@ -822,6 +822,12 @@ cmdline_oscore(char *arg) { | ||
| 29 | static int | ||
| 30 | cmdline_uri(char *arg) { | ||
| 31 | |||
| 32 | + /* Sanity check the provided (Proxy)Uri */ | ||
| 33 | + if (coap_split_uri((unsigned char *)arg, strlen(arg), &uri) < 0) { | ||
| 34 | + coap_log_err("invalid CoAP URI '%s'\n", arg); | ||
| 35 | + return -1; | ||
| 36 | + } | ||
| 37 | + | ||
| 38 | if (!proxy_scheme_option && proxy.host.length) { | ||
| 39 | /* create Proxy-Uri from argument */ | ||
| 40 | size_t len = strlen(arg); | ||
| 41 | @@ -836,11 +842,6 @@ cmdline_uri(char *arg) { | ||
| 42 | (unsigned char *)arg)); | ||
| 43 | |||
| 44 | } else { /* split arg into Uri-* options */ | ||
| 45 | - if (coap_split_uri((unsigned char *)arg, strlen(arg), &uri) < 0) { | ||
| 46 | - coap_log_err("invalid CoAP URI\n"); | ||
| 47 | - return -1; | ||
| 48 | - } | ||
| 49 | - | ||
| 50 | /* Need to special case use of reliable */ | ||
| 51 | if (uri.scheme == COAP_URI_SCHEME_COAPS && reliable) { | ||
| 52 | if (!coap_tls_is_supported()) { | ||
| 53 | diff --git a/src/coap_address.c b/src/coap_address.c | ||
| 54 | index 2dabb366..6cd55ba5 100644 | ||
| 55 | --- a/src/coap_address.c | ||
| 56 | +++ b/src/coap_address.c | ||
| 57 | @@ -469,10 +469,15 @@ coap_resolve_address_info(const coap_str_const_t *address, | ||
| 58 | #endif /* COAP_AF_UNIX_SUPPORT */ | ||
| 59 | |||
| 60 | memset(addrstr, 0, sizeof(addrstr)); | ||
| 61 | - if (address && address->length) | ||
| 62 | + if (address && address->length) { | ||
| 63 | + if (address->length >= sizeof(addrstr)) { | ||
| 64 | + coap_log_warn("Host name too long (%zu > 255)\n", address->length); | ||
| 65 | + return NULL; | ||
| 66 | + } | ||
| 67 | memcpy(addrstr, address->s, address->length); | ||
| 68 | - else | ||
| 69 | + } else { | ||
| 70 | memcpy(addrstr, "localhost", 9); | ||
| 71 | + } | ||
| 72 | |||
| 73 | memset((char *)&hints, 0, sizeof(hints)); | ||
| 74 | hints.ai_socktype = 0; | ||
| 75 | diff --git a/src/coap_uri.c b/src/coap_uri.c | ||
| 76 | index 6f658730..f2360ceb 100644 | ||
| 77 | --- a/src/coap_uri.c | ||
| 78 | +++ b/src/coap_uri.c | ||
| 79 | @@ -59,6 +59,15 @@ coap_uri_info_t coap_uri_scheme[COAP_URI_SCHEME_LAST] = { | ||
| 80 | { "coaps+ws", 443, 0, COAP_URI_SCHEME_COAPS_WS } | ||
| 81 | }; | ||
| 82 | |||
| 83 | +/* | ||
| 84 | + * Returns 0 All OK | ||
| 85 | + * -1 Insufficient / Invalid parameters | ||
| 86 | + * -2 No '://' | ||
| 87 | + * -3 Ipv6 definition error or no host defined after scheme:// | ||
| 88 | + * -4 Invalid port value | ||
| 89 | + * -5 Port defined for Unix domain | ||
| 90 | + * -6 Hostname > 255 chars | ||
| 91 | + */ | ||
| 92 | static int | ||
| 93 | coap_split_uri_sub(const uint8_t *str_var, | ||
| 94 | size_t len, | ||
| 95 | @@ -165,8 +174,10 @@ coap_split_uri_sub(const uint8_t *str_var, | ||
| 96 | if (len && *p == '[') { | ||
| 97 | /* IPv6 address reference */ | ||
| 98 | ++p; | ||
| 99 | + ++q; | ||
| 100 | + --len; | ||
| 101 | |||
| 102 | - while (len && *q != ']') { | ||
| 103 | + while (len && *q != ']' && (isxdigit(*q) || *q == ':')) { | ||
| 104 | ++q; | ||
| 105 | --len; | ||
| 106 | } | ||
| 107 | @@ -197,6 +208,12 @@ coap_split_uri_sub(const uint8_t *str_var, | ||
| 108 | goto error; | ||
| 109 | } | ||
| 110 | |||
| 111 | + if ((int)(q - p) > 255) { | ||
| 112 | + coap_log_warn("Host name length too long (%d > 255)\n", (int)(q - p)); | ||
| 113 | + res = -6; | ||
| 114 | + goto error; | ||
| 115 | + } | ||
| 116 | + | ||
| 117 | COAP_SET_STR(&uri->host, q - p, p); | ||
| 118 | } | ||
| 119 | |||
| 120 | @@ -222,6 +239,7 @@ coap_split_uri_sub(const uint8_t *str_var, | ||
| 121 | |||
| 122 | /* check if port number is in allowed range */ | ||
| 123 | if (uri_port > UINT16_MAX) { | ||
| 124 | + coap_log_warn("Port number too big (%ld > 65535)\n", uri_port); | ||
| 125 | res = -4; | ||
| 126 | goto error; | ||
| 127 | } | ||
diff --git a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb index da0cf50f92..efea6d24f8 100644 --- a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb +++ b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb | |||
| @@ -12,6 +12,7 @@ SRC_URI = "git://github.com/obgm/libcoap.git;branch=main;protocol=https \ | |||
| 12 | file://CVE-2024-0962.patch \ | 12 | file://CVE-2024-0962.patch \ |
| 13 | file://CVE-2024-31031.patch \ | 13 | file://CVE-2024-31031.patch \ |
| 14 | file://CVE-2025-59391.patch \ | 14 | file://CVE-2025-59391.patch \ |
| 15 | file://CVE-2025-34468.patch \ | ||
| 15 | " | 16 | " |
| 16 | SRCREV = "5fd2f89ef068214130e5d60b7087ef48711fa615" | 17 | SRCREV = "5fd2f89ef068214130e5d60b7087ef48711fa615" |
| 17 | 18 | ||
