2 files changed, 83 insertions, 0 deletions
diff --git a/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2024-31031.patch b/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2024-31031.patch
new file mode 100644
index 0000000000..bd1a88c87a
--- /dev/null
+++ b/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2024-31031.patch
@@ -0,0 +1,82 @@
+From 214665ac4b44b1b6a7e38d4d6907ee835a174928 Mon Sep 17 00:00:00 2001
+From: Jon Shallow <supjps-libcoap@jpshallow.com>
+Date: Mon, 25 Mar 2024 20:44:48 +0000
+Subject: [PATCH] coap_pdu.c: Fix UndefinedBehaviorSanitizer:
+ undefined-behavior
+This fixes a reported error in coap_update_token() where a size_t
+calculation is overflowed (but all ends up with the correct value).
+Instead of adding an overflowed size_t, now subtract the reversed
+size_t calculation as appropriate.
+coap_update_option() and coap_insert_option() similarily updated.
+CVE: CVE-2024-31031
+Upstream-Status: Backport [https://github.com/obgm/libcoap/commit/214665ac4b44b1b6a7e38d4d6907ee835a174928]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/coap_pdu.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+diff --git a/src/coap_pdu.c b/src/coap_pdu.c
+index afe445c8..e3be3f02 100644
+--- a/src/coap_pdu.c
+++ b/src/coap_pdu.c
+@@ -389,12 +389,15 @@ coap_update_token(coap_pdu_t *pdu, size_t len, const uint8_t *data) {
+     memmove(&pdu->token[(len + bias) - pdu->e_token_length],
+             pdu->token, pdu->used_size);
+     pdu->used_size += len + bias - pdu->e_token_length;
+    if (pdu->data) {
+      pdu->data += (len + bias) - pdu->e_token_length;
+    }
+   } else {
+     pdu->used_size -= pdu->e_token_length - (len + bias);
+     memmove(pdu->token, &pdu->token[pdu->e_token_length - (len + bias)], pdu->used_size);
+-  }
+-  if (pdu->data) {
+-    pdu->data += (len + bias) - pdu->e_token_length;
+    if (pdu->data) {
+      pdu->data -= pdu->e_token_length - (len + bias);
+    }
+   }
+ 
+   pdu->actual_token.length = len;
+@@ -641,9 +644,15 @@ coap_insert_option(coap_pdu_t *pdu, coap_option_num_t number, size_t len,
+                        number - prev_number, data, len))
+     return 0;
+ 
+-  pdu->used_size += shift - shrink;
+-  if (pdu->data)
+-    pdu->data += shift - shrink;
+  if (shift >= shrink) {
+    pdu->used_size += shift - shrink;
+    if (pdu->data)
+      pdu->data += shift - shrink;
+  } else {
+    pdu->used_size -= shrink - shift;
+    if (pdu->data)
+      pdu->data -= shrink - shift;
+  }
+   return shift;
+ }
+ 
+@@ -681,9 +690,15 @@ coap_update_option(coap_pdu_t *pdu, coap_option_num_t number, size_t len,
+                        decode.delta, data, len))
+     return 0;
+ 
+-  pdu->used_size += new_length - old_length;
+-  if (pdu->data)
+-    pdu->data += new_length - old_length;
+  if (new_length >= old_length) {
+    pdu->used_size += new_length - old_length;
+    if (pdu->data)
+      pdu->data += new_length - old_length;
+  } else {
+    pdu->used_size -= old_length - new_length;
+    if (pdu->data)
+      pdu->data -= old_length - new_length;
+  }
+   return 1;
+ }
+ 
diff --git a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb
index 98f0f02fb8..65bf455d9b 100644
--- a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb
+++ b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb
@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=1978dbc41673ab1c20e64b287c8317bc"
 SRC_URI = "git://github.com/obgm/libcoap.git;branch=main;protocol=https \
           file://run-ptest \
           file://CVE-2024-0962.patch \
+           file://CVE-2024-31031.patch \
           "
 SRCREV = "5fd2f89ef068214130e5d60b7087ef48711fa615"

diff --git a/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2024-31031.patch b/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2024-31031.patch new file mode 100644 index 0000000000..bd1a88c87a --- /dev/null +++ b/meta-networking/recipes-devtools/libcoap/libcoap/CVE-2024-31031.patch
@@ -0,0 +1,82 @@
		1	From 214665ac4b44b1b6a7e38d4d6907ee835a174928 Mon Sep 17 00:00:00 2001
		2	From: Jon Shallow <supjps-libcoap@jpshallow.com>
		3	Date: Mon, 25 Mar 2024 20:44:48 +0000
		4	Subject: [PATCH] coap_pdu.c: Fix UndefinedBehaviorSanitizer:
		5	undefined-behavior
		6
		7	This fixes a reported error in coap_update_token() where a size_t
		8	calculation is overflowed (but all ends up with the correct value).
		9
		10	Instead of adding an overflowed size_t, now subtract the reversed
		11	size_t calculation as appropriate.
		12
		13	coap_update_option() and coap_insert_option() similarily updated.
		14
		15	CVE: CVE-2024-31031
		16	Upstream-Status: Backport [https://github.com/obgm/libcoap/commit/214665ac4b44b1b6a7e38d4d6907ee835a174928]
		17	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		18	---
		19	src/coap_pdu.c \| 33 ++++++++++++++++++++++++---------
		20	1 file changed, 24 insertions(+), 9 deletions(-)
		21
		22	diff --git a/src/coap_pdu.c b/src/coap_pdu.c
		23	index afe445c8..e3be3f02 100644
		24	--- a/src/coap_pdu.c
		25	+++ b/src/coap_pdu.c
		26	@@ -389,12 +389,15 @@ coap_update_token(coap_pdu_t pdu, size_t len, const uint8_t data) {
		27	memmove(&pdu->token[(len + bias) - pdu->e_token_length],
		28	pdu->token, pdu->used_size);
		29	pdu->used_size += len + bias - pdu->e_token_length;
		30	+ if (pdu->data) {
		31	+ pdu->data += (len + bias) - pdu->e_token_length;
		32	+ }
		33	} else {
		34	pdu->used_size -= pdu->e_token_length - (len + bias);
		35	memmove(pdu->token, &pdu->token[pdu->e_token_length - (len + bias)], pdu->used_size);
		36	- }
		37	- if (pdu->data) {
		38	- pdu->data += (len + bias) - pdu->e_token_length;
		39	+ if (pdu->data) {
		40	+ pdu->data -= pdu->e_token_length - (len + bias);
		41	+ }
		42	}
		43
		44	pdu->actual_token.length = len;
		45	@@ -641,9 +644,15 @@ coap_insert_option(coap_pdu_t *pdu, coap_option_num_t number, size_t len,
		46	number - prev_number, data, len))
		47	return 0;
		48
		49	- pdu->used_size += shift - shrink;
		50	- if (pdu->data)
		51	- pdu->data += shift - shrink;
		52	+ if (shift >= shrink) {
		53	+ pdu->used_size += shift - shrink;
		54	+ if (pdu->data)
		55	+ pdu->data += shift - shrink;
		56	+ } else {
		57	+ pdu->used_size -= shrink - shift;
		58	+ if (pdu->data)
		59	+ pdu->data -= shrink - shift;
		60	+ }
		61	return shift;
		62	}
		63
		64	@@ -681,9 +690,15 @@ coap_update_option(coap_pdu_t *pdu, coap_option_num_t number, size_t len,
		65	decode.delta, data, len))
		66	return 0;
		67
		68	- pdu->used_size += new_length - old_length;
		69	- if (pdu->data)
		70	- pdu->data += new_length - old_length;
		71	+ if (new_length >= old_length) {
		72	+ pdu->used_size += new_length - old_length;
		73	+ if (pdu->data)
		74	+ pdu->data += new_length - old_length;
		75	+ } else {
		76	+ pdu->used_size -= old_length - new_length;
		77	+ if (pdu->data)
		78	+ pdu->data -= old_length - new_length;
		79	+ }
		80	return 1;
		81	}
		82


diff --git a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb index 98f0f02fb8..65bf455d9b 100644 --- a/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb +++ b/meta-networking/recipes-devtools/libcoap/libcoap_4.3.4.bb
@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=1978dbc41673ab1c20e64b287c8317bc"
10	SRC_URI = "git://github.com/obgm/libcoap.git;branch=main;protocol=https \	10	SRC_URI = "git://github.com/obgm/libcoap.git;branch=main;protocol=https \
11	file://run-ptest \	11	file://run-ptest \
12	file://CVE-2024-0962.patch \	12	file://CVE-2024-0962.patch \
		13	file://CVE-2024-31031.patch \
13	"	14	"
14	SRCREV = "5fd2f89ef068214130e5d60b7087ef48711fa615"	15	SRCREV = "5fd2f89ef068214130e5d60b7087ef48711fa615"
15		16