Bug 2275803 (CVE-2024-31031)

Summary: CVE-2024-31031 libcoap: unsigned integer overflow vulnerability in coap_pdu.c
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2275804    
Bug Blocks:    

Description Robb Gatica 2024-04-17 21:16:16 UTC 
An issue in `coap_pdu.c` in libcoap 4.3.4 allows attackers to cause undefined behavior via a sequence of messages leading to unsigned integer overflow.

Description:
After sending a sequence of messages to the CoAP server, a runtime error was reported by UndefinedBehaviorSanitizer (UBSan). The error indicated an unsigned integer overflow occurred in coap_pdu.c at the line where an address calculation was being performed. Specifically, an unsigned offset addition to a base address resulted in an overflow, indicating that the calculated address wrapped around to a lower value than the original address. This is a sign of undefined behavior due to integer overflow during pointer arithmetic. This suggests that the resulting address calculation wrapped around, which is indicative of undefined behavior in the program.

Expected Behavior:
The server is expected to handle a sequence of incoming messages reliably without encountering arithmetic overflows or other undefined behaviors during address calculations. Memory operations should remain within their allocated bounds, and all pointer arithmetic should result in valid memory addresses that are within the expected range.

Actual Behavior:
The server exhibited undefined behavior after processing a sequence of messages, indicating a potential flaw in the address calculation within the coap_update_token function.

References:
https://github.com/obgm/libcoap/issues/1351
Comment 1 Robb Gatica 2024-04-17 21:16:28 UTC 
Created libcoap tracking bugs for this issue:

Affects: fedora-all [bug 2275804]