libwebsockets: fix CVE-2025-11677

Backport a fix from Debian:
https://sources.debian.org/patches/libwebsockets/4.3.5-1+deb13u1/CVE-2025-11677.patch
Upstream commit:
https://github.com/warmcat/libwebsockets/commit/2f082ec31261f556969160143ba94875d783971a

Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>

meta-oe/recipes-connectivity/libwebsockets/libwebsockets/CVE-2025-11677.patch

@@ -0,0 +1,161 @@
+From c01cb06d99c08579ab33bef066fca8a5338b7c7b Mon Sep 17 00:00:00 2001
+From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+Date: Tue, 18 Nov 2025 16:59:22 +0100
+Subject: [PATCH] NN-2025-0102: UAF depending on upgrade allowed
+
+This document contains sensitive information collected during our
+security research activities related with the Libwebsockets library
+maintained by Andy Green (warmcat).
+
++-------------------------------------------------------------------------------------------------------+
+| Report information                                                                                    |
++:===================================:+:===============================================================:+
+| Vendor                              | warmcat                                                         |
++-------------------------------------+-----------------------------------------------------------------+
+| Vendor URL                          | https://libwebsockets.org/git/libwebsockets                     |
++-------------------------------------+-----------------------------------------------------------------+
+| Affected component                  | libwebsockets                                                   |
++-------------------------------------+-----------------------------------------------------------------+
+| Affected version                    | 4.4                                                             |
++-------------------------------------+-----------------------------------------------------------------+
+| Vulnerability                       | CWE-416: Use After Free                                         |
++-------------------------------------+-----------------------------------------------------------------+
+| Proposed CVSS v3.1 Base Score       | 6.0                                                             |
++-------------------------------------+-----------------------------------------------------------------+
+| Proposed CVSS v3.1 Vector           | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
++-------------------------------------+-----------------------------------------------------------------+
+
++-----------------------------------------------------------------------------+
+| Security Researcher(s)                                                      |
++:===================================:+:=====================================:+
+| Name                                | **Email address**                     |
++-------------------------------------+---------------------------------------+
+| Raffaele Bova                       | labs-advisory@nozominetworks.com      |
++-------------------------------------+---------------------------------------+
+
+Libwebsockes is a C library that provides client and server
+implementation for various protocols (e.g., HTTP, websockets, MQTT) and
+more.
+
+Nozomi Networks Lab discovered a "CWE-416: Use After Free" in the latest
+software version of libwebsockets, specifically in the WebSocket server
+implementation.
+
+Depending on the use of the API, the vulnerability may allow an attacker
+to read or write data, that could cause a loss of integrity or
+availability.
+
+The issue is caused by the `lws_handshake_protocol` function, specifically
+when the upgrade header is not valid, the function calls
+`lws_http_transaction_completed`, which frees some of the data in the wsi
+structure, then it calls `user_callback_handle_rxflow` passing the up
+pointer and uses it on following strcasecmp calls.
+
+From our understanding, for this vulnerability to have a meaningful
+impact, a user that implements the Websocket server, must provide a user
+callback function which is going to handle
+`LWS_CALLBACK_HTTP_CONFIRM_UPGRADE`, while ignoring the length and doing
+operations on the up pointer.
+
+It is possible to compile the minimal websocket server using address
+sanitizer, to quickly verify the use after free.
+
+From our understanding of the code, if the upgrade header does not match
+the intended contents, then the code after the if statement when
+`lws_http_transaction_completed` is called, should not be executed, thus
+simply enclosing all that code in the else branch solves the issue.
+
+CVE: CVE-2025-11677
+Upstream-Status: Backport [https://github.com/warmcat/libwebsockets/commit/2f082ec31261f556969160143ba94875d783971a]
+
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+---
+ lib/roles/http/server/server.c | 58 +++++++++++++++++-----------------
+ 1 file changed, 29 insertions(+), 29 deletions(-)
+
+diff --git a/lib/roles/http/server/server.c b/lib/roles/http/server/server.c
+index 6b132a42..e6d714e3 100644
+--- a/lib/roles/http/server/server.c
++++ b/lib/roles/http/server/server.c
+@@ -2375,49 +2375,49 @@ raw_transition:
+ 						HTTP_STATUS_FORBIDDEN, NULL) ||
+ 				    lws_http_transaction_completed(wsi))
+ 					goto bail_nuke_ah;
+-			}
+-
+-			n = user_callback_handle_rxflow(wsi->a.protocol->callback,
+-					wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE,
+-					wsi->user_space, (char *)up, 0);
++			} else {
++				n = user_callback_handle_rxflow(wsi->a.protocol->callback,
++						wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE,
++						wsi->user_space, (char *)up, 0);
+ 
+-			/* just hang up? */
++				/* just hang up? */
+ 
+-			if (n < 0)
+-				goto bail_nuke_ah;
++				if (n < 0)
++					goto bail_nuke_ah;
+ 
+-			/* callback returned headers already, do t_c? */
++				/* callback returned headers already, do t_c? */
+ 
+-			if (n > 0) {
+-				if (lws_http_transaction_completed(wsi))
++				if (n > 0) {
++				    if (lws_http_transaction_completed(wsi))
+ 					goto bail_nuke_ah;
+ 
+-				/* continue on */
++				    /* continue on */
+ 
+-				return 0;
+-			}
++				    return 0;
++				}
+ 
+-			/* callback said 0, it was allowed */
++				/* callback said 0, it was allowed */
+ 
+-			if (wsi->a.vhost->options &
+-			    LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK &&
+-			    lws_confirm_host_header(wsi))
+-				goto bail_nuke_ah;
++				if (wsi->a.vhost->options &
++					LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK &&
++					lws_confirm_host_header(wsi))
++				    goto bail_nuke_ah;
+ 
+-			if (!strcasecmp(up, "websocket")) {
++				if (!strcasecmp(up, "websocket")) {
+ #if defined(LWS_ROLE_WS)
+-				lws_metrics_tag_wsi_add(wsi, "upg", "ws");
+-				lwsl_info("Upgrade to ws\n");
+-				goto upgrade_ws;
++					lws_metrics_tag_wsi_add(wsi, "upg", "ws");
++					lwsl_info("Upgrade to ws\n");
++					goto upgrade_ws;
+ #endif
+-			}
++				}
+ #if defined(LWS_WITH_HTTP2)
+-			if (!strcasecmp(up, "h2c")) {
+-				lws_metrics_tag_wsi_add(wsi, "upg", "h2c");
+-				lwsl_info("Upgrade to h2c\n");
+-				goto upgrade_h2c;
+-			}
++				if (!strcasecmp(up, "h2c")) {
++				    lws_metrics_tag_wsi_add(wsi, "upg", "h2c");
++				    lwsl_info("Upgrade to h2c\n");
++				    goto upgrade_h2c;
++				}
+ #endif
++			}
+ 		}
+ 
+ 		/* no upgrade ack... he remained as HTTP */
+-- 
+2.43.0
+

meta-oe/recipes-connectivity/libwebsockets/libwebsockets_4.3.3.bb

@@ -8,7 +8,9 @@ DEPENDS:append:class-native = " libcap-native"
 
 S = "${WORKDIR}/git"
 SRCREV = "4415e84c095857629863804e941b9e1c2e9347ef"
-SRC_URI = "git://github.com/warmcat/libwebsockets.git;protocol=https;branch=v4.3-stable"
+SRC_URI = "git://github.com/warmcat/libwebsockets.git;protocol=https;branch=v4.3-stable \
+          file://CVE-2025-11677.patch \
+          "
 
 UPSTREAM_CHECK_URI = "https://github.com/warmcat/${BPN}/releases"
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"