libcoap: patch CVE-2025-34468

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-34468 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-02 02:49:12 +00:00 · 2026-01-09 22:28:35 +13:00 · 2026-01-09 22:28:35 +13:00 · b45ac4e0ef
commit b45ac4e0ef
parent c0c54373e9
2 changed files with 128 additions and 0 deletions
--- a/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch
+++ b/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2025-34468.patch
@ -0,0 +1,127 @@
+From f191ae30013c205a350cd897fe24d56dde2e593a Mon Sep 17 00:00:00 2001
+From: Jon Shallow <supjps-libcoap@jpshallow.com>
+Date: Fri, 12 Sep 2025 10:07:41 +0100
+Subject: [PATCH] coap_address.c: Validate length of provided host name
+
+Host names larger than 255 bytes will cause an internal buffer overflow.
+
+Hostnames provided to coap_resolve_address_info() now have their length validated.
+
+Discovered by SecMate (https://secmate.dev).
+
+Sanity check host lengths when parsing a CoAP URI when using the coap_split_uri()
+function.
+
+CVE: CVE-2025-34468
+Upstream-Status: Backport [https://github.com/obgm/libcoap/commit/30db3ea]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ examples/coap-client.c | 11 ++++++-----
+ src/coap_address.c     |  9 +++++++--
+ src/coap_uri.c         | 20 +++++++++++++++++++-
+ 3 files changed, 32 insertions(+), 8 deletions(-)
+
+diff --git a/examples/coap-client.c b/examples/coap-client.c
+index 18b6777f..8512fbbd 100644
+--- a/examples/coap-client.c
+++ b/examples/coap-client.c
+@@ -822,6 +822,12 @@ cmdline_oscore(char *arg) {
+ static int
+ cmdline_uri(char *arg) {
+ 
+  /* Sanity check the provided (Proxy)Uri */
+  if (coap_split_uri((unsigned char *)arg, strlen(arg), &uri) < 0) {
+    coap_log_err("invalid CoAP URI '%s'\n", arg);
+    return -1;
+  }
+
+   if (!proxy_scheme_option && proxy.host.length) {
+     /* create Proxy-Uri from argument */
+     size_t len = strlen(arg);
+@@ -836,11 +842,6 @@ cmdline_uri(char *arg) {
+                                          (unsigned char *)arg));
+ 
+   } else {      /* split arg into Uri-* options */
+-    if (coap_split_uri((unsigned char *)arg, strlen(arg), &uri) < 0) {
+-      coap_log_err("invalid CoAP URI\n");
+-      return -1;
+-    }
+-
+     /* Need to special case use of reliable */
+     if (uri.scheme == COAP_URI_SCHEME_COAPS && reliable) {
+       if (!coap_tls_is_supported()) {
+diff --git a/src/coap_address.c b/src/coap_address.c
+index 2dabb366..6cd55ba5 100644
+--- a/src/coap_address.c
+++ b/src/coap_address.c
+@@ -469,10 +469,15 @@ coap_resolve_address_info(const coap_str_const_t *address,
+ #endif /* COAP_AF_UNIX_SUPPORT */
+ 
+   memset(addrstr, 0, sizeof(addrstr));
+-  if (address && address->length)
+  if (address && address->length) {
+    if (address->length >= sizeof(addrstr)) {
+      coap_log_warn("Host name too long (%zu > 255)\n", address->length);
+      return NULL;
+    }
+     memcpy(addrstr, address->s, address->length);
+-  else
+  } else {
+     memcpy(addrstr, "localhost", 9);
+  }
+ 
+   memset((char *)&hints, 0, sizeof(hints));
+   hints.ai_socktype = 0;
+diff --git a/src/coap_uri.c b/src/coap_uri.c
+index 6f658730..f2360ceb 100644
+--- a/src/coap_uri.c
+++ b/src/coap_uri.c
+@@ -59,6 +59,15 @@ coap_uri_info_t coap_uri_scheme[COAP_URI_SCHEME_LAST] = {
+   { "coaps+ws",    443,               0, COAP_URI_SCHEME_COAPS_WS }
+ };
+ 
+/*
+ * Returns  0 All OK
+ *         -1 Insufficient / Invalid parameters
+ *         -2 No '://'
+ *         -3 Ipv6 definition error or no host defined after scheme://
+ *         -4 Invalid port value
+ *         -5 Port defined for Unix domain
+ *         -6 Hostname > 255 chars
+ */
+ static int
+ coap_split_uri_sub(const uint8_t *str_var,
+                    size_t len,
+@@ -165,8 +174,10 @@ coap_split_uri_sub(const uint8_t *str_var,
+   if (len && *p == '[') {
+     /* IPv6 address reference */
+     ++p;
+    ++q;
+    --len;
+ 
+-    while (len && *q != ']') {
+    while (len && *q != ']' && (isxdigit(*q) || *q == ':')) {
+       ++q;
+       --len;
+     }
+@@ -197,6 +208,12 @@ coap_split_uri_sub(const uint8_t *str_var,
+       goto error;
+     }
+ 
+    if ((int)(q - p) > 255) {
+      coap_log_warn("Host name length too long (%d > 255)\n", (int)(q - p));
+      res = -6;
+      goto error;
+    }
+
+     COAP_SET_STR(&uri->host, q - p, p);
+   }
+ 
+@@ -222,6 +239,7 @@ coap_split_uri_sub(const uint8_t *str_var,
+ 
+       /* check if port number is in allowed range */
+       if (uri_port > UINT16_MAX) {
+        coap_log_warn("Port number too big (%ld > 65535)\n", uri_port);
+         res = -4;
+         goto error;
+       }
--- a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb
+++ b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb
@ -12,6 +12,7 @@ SRC_URI = "git://github.com/obgm/libcoap.git;branch=main;protocol=https \
           file://CVE-2024-0962.patch \
           file://CVE-2024-31031.patch \
           file://CVE-2025-59391.patch \
+           file://CVE-2025-34468.patch \
           "
 SRCREV = "5fd2f89ef068214130e5d60b7087ef48711fa615"