[oe][meta-networking][scarthgap][PATCH 05/12] libcoap: patch CVE-2025-34468

Fri, 09 Jan 2026 01:29:10 -0800 

From: Ankur Tyagi <[email protected]>

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-34468

Signed-off-by: Ankur Tyagi <[email protected]>
---
 .../libcoap/libcoap/CVE-2025-34468.patch      | 127 ++++++++++++++++++
 .../recipes-devtools/libcoap/libcoap_4.3.4.bb |   1 +
 2 files changed, 128 insertions(+)
 create mode 100644 
meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch

diff --git 
a/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch 
b/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch
new file mode 100644
index 0000000000..9aee64c3c2
--- /dev/null
+++ b/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch
@@ -0,0 +1,127 @@
+From f191ae30013c205a350cd897fe24d56dde2e593a Mon Sep 17 00:00:00 2001
+From: Jon Shallow <[email protected]>
+Date: Fri, 12 Sep 2025 10:07:41 +0100
+Subject: [PATCH] coap_address.c: Validate length of provided host name
+
+Host names larger than 255 bytes will cause an internal buffer overflow.
+
+Hostnames provided to coap_resolve_address_info() now have their length 
validated.
+
+Discovered by SecMate (https://secmate.dev).
+
+Sanity check host lengths when parsing a CoAP URI when using the 
coap_split_uri()
+function.
+
+CVE: CVE-2025-34468
+Upstream-Status: Backport [https://github.com/obgm/libcoap/commit/30db3ea]
+Signed-off-by: Ankur Tyagi <[email protected]>
+---
+ examples/coap-client.c | 11 ++++++-----
+ src/coap_address.c     |  9 +++++++--
+ src/coap_uri.c         | 20 +++++++++++++++++++-
+ 3 files changed, 32 insertions(+), 8 deletions(-)
+
+diff --git a/examples/coap-client.c b/examples/coap-client.c
+index 18b6777f..8512fbbd 100644
+--- a/examples/coap-client.c
++++ b/examples/coap-client.c
+@@ -822,6 +822,12 @@ cmdline_oscore(char *arg) {
+ static int
+ cmdline_uri(char *arg) {
+ 
++  /* Sanity check the provided (Proxy)Uri */
++  if (coap_split_uri((unsigned char *)arg, strlen(arg), &uri) < 0) {
++    coap_log_err("invalid CoAP URI '%s'\n", arg);
++    return -1;
++  }
++
+   if (!proxy_scheme_option && proxy.host.length) {
+     /* create Proxy-Uri from argument */
+     size_t len = strlen(arg);
+@@ -836,11 +842,6 @@ cmdline_uri(char *arg) {
+                                          (unsigned char *)arg));
+ 
+   } else {      /* split arg into Uri-* options */
+-    if (coap_split_uri((unsigned char *)arg, strlen(arg), &uri) < 0) {
+-      coap_log_err("invalid CoAP URI\n");
+-      return -1;
+-    }
+-
+     /* Need to special case use of reliable */
+     if (uri.scheme == COAP_URI_SCHEME_COAPS && reliable) {
+       if (!coap_tls_is_supported()) {
+diff --git a/src/coap_address.c b/src/coap_address.c
+index 2dabb366..6cd55ba5 100644
+--- a/src/coap_address.c
++++ b/src/coap_address.c
+@@ -469,10 +469,15 @@ coap_resolve_address_info(const coap_str_const_t 
*address,
+ #endif /* COAP_AF_UNIX_SUPPORT */
+ 
+   memset(addrstr, 0, sizeof(addrstr));
+-  if (address && address->length)
++  if (address && address->length) {
++    if (address->length >= sizeof(addrstr)) {
++      coap_log_warn("Host name too long (%zu > 255)\n", address->length);
++      return NULL;
++    }
+     memcpy(addrstr, address->s, address->length);
+-  else
++  } else {
+     memcpy(addrstr, "localhost", 9);
++  }
+ 
+   memset((char *)&hints, 0, sizeof(hints));
+   hints.ai_socktype = 0;
+diff --git a/src/coap_uri.c b/src/coap_uri.c
+index 6f658730..f2360ceb 100644
+--- a/src/coap_uri.c
++++ b/src/coap_uri.c
+@@ -59,6 +59,15 @@ coap_uri_info_t coap_uri_scheme[COAP_URI_SCHEME_LAST] = {
+   { "coaps+ws",    443,               0, COAP_URI_SCHEME_COAPS_WS }
+ };
+ 
++/*
++ * Returns  0 All OK
++ *         -1 Insufficient / Invalid parameters
++ *         -2 No '://'
++ *         -3 Ipv6 definition error or no host defined after scheme://
++ *         -4 Invalid port value
++ *         -5 Port defined for Unix domain
++ *         -6 Hostname > 255 chars
++ */
+ static int
+ coap_split_uri_sub(const uint8_t *str_var,
+                    size_t len,
+@@ -165,8 +174,10 @@ coap_split_uri_sub(const uint8_t *str_var,
+   if (len && *p == '[') {
+     /* IPv6 address reference */
+     ++p;
++    ++q;
++    --len;
+ 
+-    while (len && *q != ']') {
++    while (len && *q != ']' && (isxdigit(*q) || *q == ':')) {
+       ++q;
+       --len;
+     }
+@@ -197,6 +208,12 @@ coap_split_uri_sub(const uint8_t *str_var,
+       goto error;
+     }
+ 
++    if ((int)(q - p) > 255) {
++      coap_log_warn("Host name length too long (%d > 255)\n", (int)(q - p));
++      res = -6;
++      goto error;
++    }
++
+     COAP_SET_STR(&uri->host, q - p, p);
+   }
+ 
+@@ -222,6 +239,7 @@ coap_split_uri_sub(const uint8_t *str_var,
+ 
+       /* check if port number is in allowed range */
+       if (uri_port > UINT16_MAX) {
++        coap_log_warn("Port number too big (%ld > 65535)\n", uri_port);
+         res = -4;
+         goto error;
+       }
diff --git a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb 
b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb
index da0cf50f92..efea6d24f8 100644
--- a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb
+++ b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb
@@ -12,6 +12,7 @@ SRC_URI = 
"git://github.com/obgm/libcoap.git;branch=main;protocol=https \
            file://CVE-2024-0962.patch \
            file://CVE-2024-31031.patch \
            file://CVE-2025-59391.patch \
+           file://CVE-2025-34468.patch \
            "
 SRCREV = "5fd2f89ef068214130e5d60b7087ef48711fa615"
 

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#123283): 
https://lists.openembedded.org/g/openembedded-devel/message/123283
Mute This Topic: https://lists.openembedded.org/mt/117172368/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to