From 2a7a0693825f670b3dc47b553d3679c91b8c2a5f Mon Sep 17 00:00:00 2001
From: zhangzeyang
Date: Wed, 4 Dec 2024 10:42:48 +0800
Subject: [PATCH] Fix CVE-2024-46304 for #IAVUCS
---
 0002-fix-CVE-2024-46304.patch | 23 +++++++++++++++++++++++
 libcoap.spec | 6 +++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 0002-fix-CVE-2024-46304.patch
diff --git a/0002-fix-CVE-2024-46304.patch b/0002-fix-CVE-2024-46304.patch
new file mode 100644
index 0000000..259ec5f
--- /dev/null
+++ b/0002-fix-CVE-2024-46304.patch
@@ -0,0 +1,23 @@
+diff -urN libcoap-4.3.4/src/coap_session.c libcoap-4.3.4.new/src/coap_session.c
+--- libcoap-4.3.4/src/coap_session.c 2023-10-05 05:04:19.000000000 +0800
++++ libcoap-4.3.4.new/src/coap_session.c 2024-12-04 10:29:35.907960771 +0800
+@@ -994,6 +994,19 @@
+ return session;
+ }
++ #if COAP_CLIENT_SUPPORT
++ if (coap_is_mcast(&packet->addr_info.local)) {
++ /* Check if this a proxy client packet we sent on another socket */
++ SESSIONS_ITER(endpoint->context->sessions, session, rtmp) {
++ if (coap_address_equals(&session->addr_info.remote, &packet->addr_info.local) &&
++ coap_address_get_port(&session->addr_info.local) ==
++ coap_address_get_port(&packet->addr_info.remote)) {
++ /* Drop looped back packet to stop recursion / confusion */
++ return NULL;
++ }
++ }
++ }
++
+ SESSIONS_ITER(endpoint->sessions, session, rtmp) {
+ if (session->ref == 0 && session->delayqueue == NULL) {
+ if (session->type == COAP_SESSION_TYPE_SERVER) {
diff --git a/libcoap.spec b/libcoap.spec
index 24af69a..476078a 100644
--- a/libcoap.spec
+++ b/libcoap.spec
@@ -1,6 +1,6 @@
 Name: libcoap
 Version: 4.3.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Implementation of a lightweight application-protocol CoAP
 # If build against gnutls the license is BSD + LGPL 2.1
 License: BSD
@@ -9,6 +9,7 @@
 URL: https://libcoap.net
 Source0: %{name}-%{version}.tar.gz
 Patch0001: 0001-coap_pdu.c-Fix-UndefinedBehaviorSanitizer-undefined-.patch
+Patch0002: 0002-fix-CVE-2024-46304.patch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -94,6 +95,9 @@ make check
 %{_libdir}/libcoap-3*.so
 %changelog
+* Wed Dec 4 2024 zhangzeyang - 4.3.4-3
+- Fix CVE-2024-46304
+
 * Wed Aug 14 2024 Wei Jiangang - 4.3.4-2
 - Fix CVE-2024-31031
--
Gitee
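Review bot: The `#if COAP_CLIENT_SUPPORT` opened by the first added line of the embedded coap_session.c patch is never closed within the hunk — the thirteen added lines end with the blank line before `SESSIONS_ITER(endpoint->sessions, session, rtmp) {`, and the counts in `+@@ -994,6 +994,19 @@` (6 context + 13 added) leave no room for a closing directive, so unless this rendering dropped a line, the patched file would fail to preprocess with an unterminated `#if`. The block should end with `#endif /* COAP_CLIENT_SUPPORT */` immediately after the closing `}` of the `coap_is_mcast` check and before the blank line; please also confirm the backport against the upstream change. The enclosing function (presumably coap_endpoint_get_session, judging by the context lines) begins and ends outside the hunk. Separately, the patch file carries only `diff -urN` paths and timestamps; a security backport is easier to audit with a short header above the first `diff` line naming its origin, e.g. `Upstream-commit: <UPSTREAM-COMMIT-ID>` together with the CVE id.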