mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
libcoap: patch CVE-2025-34468
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-34468 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
@@ -0,0 +1,127 @@
|
|||||||
|
From f191ae30013c205a350cd897fe24d56dde2e593a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jon Shallow <supjps-libcoap@jpshallow.com>
|
||||||
|
Date: Fri, 12 Sep 2025 10:07:41 +0100
|
||||||
|
Subject: [PATCH] coap_address.c: Validate length of provided host name
|
||||||
|
|
||||||
|
Host names larger than 255 bytes will cause an internal buffer overflow.
|
||||||
|
|
||||||
|
Hostnames provided to coap_resolve_address_info() now have their length validated.
|
||||||
|
|
||||||
|
Discovered by SecMate (https://secmate.dev).
|
||||||
|
|
||||||
|
Sanity check host lengths when parsing a CoAP URI when using the coap_split_uri()
|
||||||
|
function.
|
||||||
|
|
||||||
|
CVE: CVE-2025-34468
|
||||||
|
Upstream-Status: Backport [https://github.com/obgm/libcoap/commit/30db3ea]
|
||||||
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||||
|
---
|
||||||
|
examples/coap-client.c | 11 ++++++-----
|
||||||
|
src/coap_address.c | 9 +++++++--
|
||||||
|
src/coap_uri.c | 20 +++++++++++++++++++-
|
||||||
|
3 files changed, 32 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/examples/coap-client.c b/examples/coap-client.c
|
||||||
|
index 18b6777f..8512fbbd 100644
|
||||||
|
--- a/examples/coap-client.c
|
||||||
|
+++ b/examples/coap-client.c
|
||||||
|
@@ -822,6 +822,12 @@ cmdline_oscore(char *arg) {
|
||||||
|
static int
|
||||||
|
cmdline_uri(char *arg) {
|
||||||
|
|
||||||
|
+ /* Sanity check the provided (Proxy)Uri */
|
||||||
|
+ if (coap_split_uri((unsigned char *)arg, strlen(arg), &uri) < 0) {
|
||||||
|
+ coap_log_err("invalid CoAP URI '%s'\n", arg);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (!proxy_scheme_option && proxy.host.length) {
|
||||||
|
/* create Proxy-Uri from argument */
|
||||||
|
size_t len = strlen(arg);
|
||||||
|
@@ -836,11 +842,6 @@ cmdline_uri(char *arg) {
|
||||||
|
(unsigned char *)arg));
|
||||||
|
|
||||||
|
} else { /* split arg into Uri-* options */
|
||||||
|
- if (coap_split_uri((unsigned char *)arg, strlen(arg), &uri) < 0) {
|
||||||
|
- coap_log_err("invalid CoAP URI\n");
|
||||||
|
- return -1;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
/* Need to special case use of reliable */
|
||||||
|
if (uri.scheme == COAP_URI_SCHEME_COAPS && reliable) {
|
||||||
|
if (!coap_tls_is_supported()) {
|
||||||
|
diff --git a/src/coap_address.c b/src/coap_address.c
|
||||||
|
index 2dabb366..6cd55ba5 100644
|
||||||
|
--- a/src/coap_address.c
|
||||||
|
+++ b/src/coap_address.c
|
||||||
|
@@ -469,10 +469,15 @@ coap_resolve_address_info(const coap_str_const_t *address,
|
||||||
|
#endif /* COAP_AF_UNIX_SUPPORT */
|
||||||
|
|
||||||
|
memset(addrstr, 0, sizeof(addrstr));
|
||||||
|
- if (address && address->length)
|
||||||
|
+ if (address && address->length) {
|
||||||
|
+ if (address->length >= sizeof(addrstr)) {
|
||||||
|
+ coap_log_warn("Host name too long (%zu > 255)\n", address->length);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
memcpy(addrstr, address->s, address->length);
|
||||||
|
- else
|
||||||
|
+ } else {
|
||||||
|
memcpy(addrstr, "localhost", 9);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
memset((char *)&hints, 0, sizeof(hints));
|
||||||
|
hints.ai_socktype = 0;
|
||||||
|
diff --git a/src/coap_uri.c b/src/coap_uri.c
|
||||||
|
index 6f658730..f2360ceb 100644
|
||||||
|
--- a/src/coap_uri.c
|
||||||
|
+++ b/src/coap_uri.c
|
||||||
|
@@ -59,6 +59,15 @@ coap_uri_info_t coap_uri_scheme[COAP_URI_SCHEME_LAST] = {
|
||||||
|
{ "coaps+ws", 443, 0, COAP_URI_SCHEME_COAPS_WS }
|
||||||
|
};
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Returns 0 All OK
|
||||||
|
+ * -1 Insufficient / Invalid parameters
|
||||||
|
+ * -2 No '://'
|
||||||
|
+ * -3 Ipv6 definition error or no host defined after scheme://
|
||||||
|
+ * -4 Invalid port value
|
||||||
|
+ * -5 Port defined for Unix domain
|
||||||
|
+ * -6 Hostname > 255 chars
|
||||||
|
+ */
|
||||||
|
static int
|
||||||
|
coap_split_uri_sub(const uint8_t *str_var,
|
||||||
|
size_t len,
|
||||||
|
@@ -165,8 +174,10 @@ coap_split_uri_sub(const uint8_t *str_var,
|
||||||
|
if (len && *p == '[') {
|
||||||
|
/* IPv6 address reference */
|
||||||
|
++p;
|
||||||
|
+ ++q;
|
||||||
|
+ --len;
|
||||||
|
|
||||||
|
- while (len && *q != ']') {
|
||||||
|
+ while (len && *q != ']' && (isxdigit(*q) || *q == ':')) {
|
||||||
|
++q;
|
||||||
|
--len;
|
||||||
|
}
|
||||||
|
@@ -197,6 +208,12 @@ coap_split_uri_sub(const uint8_t *str_var,
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if ((int)(q - p) > 255) {
|
||||||
|
+ coap_log_warn("Host name length too long (%d > 255)\n", (int)(q - p));
|
||||||
|
+ res = -6;
|
||||||
|
+ goto error;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
COAP_SET_STR(&uri->host, q - p, p);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -222,6 +239,7 @@ coap_split_uri_sub(const uint8_t *str_var,
|
||||||
|
|
||||||
|
/* check if port number is in allowed range */
|
||||||
|
if (uri_port > UINT16_MAX) {
|
||||||
|
+ coap_log_warn("Port number too big (%ld > 65535)\n", uri_port);
|
||||||
|
res = -4;
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
@@ -12,6 +12,7 @@ SRC_URI = "git://github.com/obgm/libcoap.git;branch=main;protocol=https \
|
|||||||
file://CVE-2024-0962.patch \
|
file://CVE-2024-0962.patch \
|
||||||
file://CVE-2024-31031.patch \
|
file://CVE-2024-31031.patch \
|
||||||
file://CVE-2025-59391.patch \
|
file://CVE-2025-59391.patch \
|
||||||
|
file://CVE-2025-34468.patch \
|
||||||
"
|
"
|
||||||
SRCREV = "5fd2f89ef068214130e5d60b7087ef48711fa615"
|
SRCREV = "5fd2f89ef068214130e5d60b7087ef48711fa615"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user