From 8226b2ddae399264c13c9c682052d5ba8582bef1 Mon Sep 17 00:00:00 2001
From: Wei Jiangang
Date: Wed, 14 Aug 2024 10:40:35 +0800
Subject: [PATCH] Fix CVE-2024-31031
Signed-off-by: Wei Jiangang
---
 ...ndefinedBehaviorSanitizer-undefined-.patch | 84 +++++++++++++++++++
 libcoap.spec | 9 +-
 2 files changed, 91 insertions(+), 2 deletions(-)
 create mode 100644 0001-coap_pdu.c-Fix-UndefinedBehaviorSanitizer-undefined-.patch
diff --git a/0001-coap_pdu.c-Fix-UndefinedBehaviorSanitizer-undefined-.patch b/0001-coap_pdu.c-Fix-UndefinedBehaviorSanitizer-undefined-.patch
new file mode 100644
index 0000000..2d27018
--- /dev/null
+++ b/0001-coap_pdu.c-Fix-UndefinedBehaviorSanitizer-undefined-.patch
@@ -0,0 +1,84 @@
+From acb9e78e124db83f5485cf7d4c3d2283b2685351 Mon Sep 17 00:00:00 2001
+From: Wei Jiangang
+Date: Wed, 14 Aug 2024 09:57:36 +0800
+Subject: [PATCH] coap_pdu.c: Fix UndefinedBehaviorSanitizer:
+ undefined-behavior This fixes a reported error in coap_update_token() where a
+ size_t calculation is overflowed (but all ends up with the correct value).
+
+Instead of adding an overflowed size_t, now subtract the reversed
+size_t calculation as appropriate.
+
+coap_update_option() and coap_insert_option() similarily updated.
+
+Fix CVE-2024-31031, refer to
+https://github.com/obgm/libcoap/commit/1abc64cc3f774d3316374db5e6328f9409da5f40
+
+Signed-off-by: Wei Jiangang
+---
+ src/coap_pdu.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+diff --git src/coap_pdu.c src/coap_pdu.c
+index afe445c..e3be3f0 100644
+--- src/coap_pdu.c
++++ src/coap_pdu.c
+@@ -389,12 +389,15 @@ coap_update_token(coap_pdu_t *pdu, size_t len, const uint8_t *data) {
+ memmove(&pdu->token[(len + bias) - pdu->e_token_length],
+ pdu->token, pdu->used_size);
+ pdu->used_size += len + bias - pdu->e_token_length;
++ if (pdu->data) {
++ pdu->data += (len + bias) - pdu->e_token_length;
++ }
+ } else {
+ pdu->used_size -= pdu->e_token_length - (len + bias);
+ memmove(pdu->token, &pdu->token[pdu->e_token_length - (len + bias)], pdu->used_size);
+- }
+- if (pdu->data) {
+- pdu->data += (len + bias) - pdu->e_token_length;
++ if (pdu->data) {
++ pdu->data -= pdu->e_token_length - (len + bias);
++ }
+ }
+
+ pdu->actual_token.length = len;
+@@ -641,9 +644,15 @@ coap_insert_option(coap_pdu_t *pdu, coap_option_num_t number, size_t len,
+ number - prev_number, data, len))
+ return 0;
+
+- pdu->used_size += shift - shrink;
+- if (pdu->data)
+- pdu->data += shift - shrink;
++ if (shift >= shrink) {
++ pdu->used_size += shift - shrink;
++ if (pdu->data)
++ pdu->data += shift - shrink;
++ } else {
++ pdu->used_size -= shrink - shift;
++ if (pdu->data)
++ pdu->data -= shrink - shift;
++ }
+ return shift;
+ }
+
+@@ -681,9 +690,15 @@ coap_update_option(coap_pdu_t *pdu, coap_option_num_t number, size_t len,
+ decode.delta, data, len))
+ return 0;
+
+- pdu->used_size += new_length - old_length;
+- if (pdu->data)
+- pdu->data += new_length - old_length;
++ if (new_length >= old_length) {
++ pdu->used_size += new_length - old_length;
++ if (pdu->data)
++ pdu->data += new_length - old_length;
++ } else {
++ pdu->used_size -= old_length - new_length;
++ if (pdu->data)
++ pdu->data -= old_length - new_length;
++ }
+ return 1;
+ }
+
+--
+2.39.1
+
diff --git a/libcoap.spec b/libcoap.spec
index 1594e1c..24af69a 100644
--- a/libcoap.spec
+++ b/libcoap.spec
@@ -1,6 +1,6 @@
 Name: libcoap
 Version: 4.3.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Implementation of a lightweight application-protocol CoAP
 # If build against gnutls the license is BSD + LGPL 2.1
 License: BSD
@@ -8,6 +8,8 @@ License: BSD
 URL: https://libcoap.net
 Source0: %{name}-%{version}.tar.gz
+Patch0001: 0001-coap_pdu.c-Fix-UndefinedBehaviorSanitizer-undefined-.patch
+
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: gcc
@@ -49,7 +51,7 @@ BuildArch: noarch
 Documentation for development with %{name}.
 %prep
-%autosetup -n %{name}-%{version}
+%autosetup -n %{name}-%{version} -p0
 %build
 autoreconf -vif
@@ -92,6 +94,9 @@ make check
 %{_libdir}/libcoap-3*.so
 %changelog
+* Wed Aug 14 2024 Wei Jiangang - 4.3.4-2
+- Fix CVE-2024-31031
+
 * Wed Jul 10 2024 zhangxingrong- - 4.3.4-1
 - update to version 4.3.4
--
Gitee
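Review bot: The nested patch's mail header is malformed: there is no blank line after `+Subject: [PATCH] coap_pdu.c: Fix UndefinedBehaviorSanitizer:`, so the first body paragraph (`+ undefined-behavior This fixes a reported error in coap_update_token() where a` and the following ` size_t calculation is overflowed ...` line) is folded into the Subject as header continuation lines and lands in the commit title if the file is ever applied with git am. Ending the Subject after `undefined-behavior`, then an empty `+` line, then `+This fixes a reported error in coap_update_token() where a` restores the subject/body split. The three C hunks appear to be a verbatim backport of the referenced upstream commit 1abc64cc3f774d3316374db5e6328f9409da5f40: each size-change site now tests which operand is larger before adjusting used_size and data, so the size_t subtraction can no longer wrap, which is the CVE-2024-31031 fix the outer commit claims. Each nested hunk starts inside its function (coap_update_token, coap_insert_option, coap_update_option), so the surrounding control flow is not visible here.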
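Review bot: The `-p0` added to `%autosetup -n %{name}-%{version} -p0` is a spec-wide patch level, forced by the nested patch's prefix-less `diff --git src/coap_pdu.c src/coap_pdu.c` and `--- src/coap_pdu.c` headers; every patch declared alongside `Patch0001:` in the `@@ -8,6 +8,8 @@` hunk will now be applied with it. A future backport taken straight from upstream `git format-patch` output (a/ b/ prefixes) would then fail to apply until it is also rewritten. Regenerating the patch file with the standard a/ b/ prefixes and applying it with `-p1` would keep the spec conventional and avoid that per-patch surprise.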