
coap: Update to latest libcoap code (4.3.2rc1) (IEC-32) #215

Merged: 1 commit, Jul 27, 2023

Conversation

@mrdeep1 (Contributor) commented Jul 22, 2023

Checklist

  • Component contains License
  • Component contains README.md
  • Component contains idf_component.yml file with url field defined
  • Component was added to upload job
  • Component was added to build job
  • Optional: Component contains unit tests
  • CI passing

Change description

Update libcoap to the latest version.

Code now builds if IPv4 or IPv6 is not available.

@github-actions github-actions bot changed the title coap: Update to latest libcoap code (4.3.2rc1) coap: Update to latest libcoap code (4.3.2rc1) (IEC-32) Jul 22, 2023
@mrdeep1 mrdeep1 force-pushed the libcoap_update branch 2 times, most recently from 30200d9 to f201d9b Compare July 23, 2023 13:47
@mahavirj mahavirj requested a review from hmalpani July 24, 2023 10:35
Review comments on: coap/Kconfig, coap/examples/coap_server/main/idf_component.yml, coap/idf_component.yml
@mrdeep1 mrdeep1 force-pushed the libcoap_update branch 2 times, most recently from 5ed1862 to 140ebdf Compare July 24, 2023 13:57
Review comments on: coap/Kconfig (6 threads), .gitmodules
@mahavirj (Member) commented Jul 25, 2023

@mrdeep1

Thank you for taking care of this update!

Just wanted to inform you that we have been experimenting with the SBOM related tool to assist in monitoring the application against known security vulnerabilities. At this moment, if we run the tool against coap examples then it reports following vulnerabilities from coap component:

```text
Following vulnerabilities were found. Further analysis may be required for confirmation.
CVEID:   CVE-2023-35862
CPE:     cpe:2.3:a:libcoap:libcoap:4.3.1:*:*:*:*:*:*:*
DETAIL:  https://nvd.nist.gov/vuln/detail/CVE-2023-35862
PACKAGE: submodule-./libcoap
SPDXID:  SPDXRef-SUBMODULE-coap-libcoap
libcoap 4.3.1 contains a buffer over-read via the function
coap_parse_oscore_conf_mem at coap_oscore.c.

CVEID:   CVE-2023-30362
CPE:     cpe:2.3:a:libcoap:libcoap:4.3.1:*:*:*:*:*:*:*
DETAIL:  https://nvd.nist.gov/vuln/detail/CVE-2023-30362
PACKAGE: submodule-./libcoap
SPDXID:  SPDXRef-SUBMODULE-coap-libcoap
Buffer Overflow vulnerability in coap_send function in libcoap library
4.3.1-103-g52cfd56 fixed in 4.3.1-120-ge242200 allows attackers to
obtain sensitive information via malformed pdu.
```

As I see that corresponding fixes have been merged upstream and hence with this PR, we should have clean run for the coap examples against any known security issues. Just FYI. Thanks.
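The scanner output above matches on the version field of the CPE string, so the useful check after a bump like this one is to re-run that match against the version the component now declares. The script below is an added example, not code from this repository or from Espressif's SBOM tool. It parses the report format quoted above (embedded here as constructed sample input) into records, pulls the version out of each CPE 2.3 string, and re-evaluates each hit against a given shipped version. Where the CVE text names a git-describe "fixed in" point, as CVE-2023-30362 does, it uses that commit-level boundary instead of the tag, since a submodule pinned to a commit between the 4.3.1 tag and the fixing commit is still affected even though both carry the same tagged version. The version ordering it assumes (tag < tag-N-gHASH < next rcN < next release) and all function and constant names are this example's own.

```python
"""Re-check SBOM scanner CVE hits against the component version actually shipped.

Added example, not part of the repository or the SBOM tool. Function and
constant names are this example's own.
"""
import re

# Constructed sample input: the scanner report quoted in the PR comment above.
REPORT = """\
Following vulnerabilities were found. Further analysis may be required for confirmation.
CVEID:   CVE-2023-35862
CPE:     cpe:2.3:a:libcoap:libcoap:4.3.1:*:*:*:*:*:*:*
DETAIL:  https://nvd.nist.gov/vuln/detail/CVE-2023-35862
PACKAGE: submodule-./libcoap
SPDXID:  SPDXRef-SUBMODULE-coap-libcoap
libcoap 4.3.1 contains a buffer over-read via the function
coap_parse_oscore_conf_mem at coap_oscore.c.

CVEID:   CVE-2023-30362
CPE:     cpe:2.3:a:libcoap:libcoap:4.3.1:*:*:*:*:*:*:*
DETAIL:  https://nvd.nist.gov/vuln/detail/CVE-2023-30362
PACKAGE: submodule-./libcoap
SPDXID:  SPDXRef-SUBMODULE-coap-libcoap
Buffer Overflow vulnerability in coap_send function in libcoap library
4.3.1-103-g52cfd56 fixed in 4.3.1-120-ge242200 allows attackers to
obtain sensitive information via malformed pdu.
"""

FIELD_RE = re.compile(r"^(CVEID|CPE|DETAIL|PACKAGE|SPDXID):\s*(.*)$")
# a tag, optionally followed by an 'rcN' pre-release suffix or a git-describe '-N-gHASH' suffix
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:rc(\d+)|-(\d+)-g[0-9a-f]+)?")
GIT_DESCRIBE_RE = re.compile(r"\d+(?:\.\d+)*-\d+-g[0-9a-f]{7,}")


def parse_report(text):
    """Split the report into one dict per CVE block; free text after the
    labelled fields is joined into 'description'."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "CVEID":
                current = {"description": ""}
                records.append(current)
            current[key] = value
        elif current is not None and line.strip():
            sep = " " if current["description"] else ""
            current["description"] += sep + line.strip()
    return records


def cpe_version(cpe):
    """Return the version field of a CPE 2.3 formatted string (6th component)."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 string: %r" % cpe)
    return parts[5]


def version_key(v):
    """Comparable key so that 4.3.1 < 4.3.1-120-ge242200 < 4.3.2rc1 < 4.3.2.
    Returns (numeric tag, tail); tail 0 = pre-release, 1 = the tag itself,
    2 = commits after the tag (assumed ordering for this example)."""
    m = VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError("unrecognised version: %r" % v)
    nums = tuple(int(x) for x in m.group(1).split("."))
    if m.group(2) is not None:
        return nums, (0, int(m.group(2)))
    if m.group(3) is not None:
        return nums, (2, int(m.group(3)))
    return nums, (1, 0)


def still_applies(record, shipped):
    """True if the hit still applies to 'shipped'. A CPE names only the tagged
    version, so by default any build of the same tag counts as affected. When
    the CVE text gives a git-describe 'fixed in' point, that commit-level
    boundary is used instead."""
    fixed = re.search(r"fixed in (\S+)", record["description"])
    if fixed and GIT_DESCRIBE_RE.fullmatch(fixed.group(1)):
        return version_key(shipped) < version_key(fixed.group(1))
    return version_key(shipped)[0] == version_key(cpe_version(record["CPE"]))[0]


def recheck(report, shipped):
    """Map every CVE id in the report to whether it still applies to 'shipped'."""
    return {r["CVEID"]: still_applies(r, shipped) for r in parse_report(report)}


if __name__ == "__main__":
    for version in ("4.3.1", "4.3.1-110-gabcdef1", "4.3.2rc1"):
        print(version, recheck(REPORT, version))
```

With the shipped version set to 4.3.2rc1 both hits clear, which is the outcome the comment expects from this PR. With a hypothetical pin such as 4.3.1-110-gabcdef1 (a commit after the 4.3.1 tag but before the fix for CVE-2023-30362) both stay open, and CVE-2023-35862 stays open for any 4.3.1-based commit because its CPE gives no finer boundary than the tag.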

@hmalpani (Contributor) left a review comment

I have done some static code analysis. Here are the results:

| Example (version) | DRAM .data | DRAM .bss | Flash .text | Flash .rodata | Flash Total |
|---|---|---|---|---|---|
| Coap Client (PR) | 684 | 10358 | 47449 | 6602 | 54735 |
| Coap Client (Master) | 256 | 10890 | 47769 | 14160 | 62185 |
| Coap Server (PR) | 704 | 12022 | 56167 | 7674 | 64545 |
| Coap Server (Master) | 276 | 12678 | 60447 | 16280 | 77003 |

@mrdeep1 (Contributor, Author) commented Jul 25, 2023

> I have done some static code analysis. Here are the results:

These look good. A large part will be down to the removal of code for the higher level logging.

@mrdeep1 (Contributor, Author) commented Jul 26, 2023

Code changes pushed. Updated examples to easily support CoAP over WebSockets if WebSockets is enabled.

@mrdeep1 mrdeep1 force-pushed the libcoap_update branch 3 times, most recently from 4175fcb to fe4d830 Compare July 26, 2023 13:22
Review comments on: coap/examples/coap_client/README.md, coap/CMakeLists.txt
@mahavirj (Member) commented

Minor comments, otherwise LGTM!

@mrdeep1 (Contributor, Author) commented Jul 26, 2023

> Minor comments, otherwise LGTM!

Thanks for all your help in checking this through.

@mahavirj mahavirj merged commit 83707af into espressif:master Jul 27, 2023
54 checks passed
@mrdeep1 mrdeep1 deleted the libcoap_update branch July 27, 2023 08:21
4 participants