From 502406dbbbf8ef3d5aa702bc07c77171400b34f4 Mon Sep 17 00:00:00 2001
From: chrysn
Date: Sat, 6 Apr 2024 11:28:03 +0200
Subject: [PATCH 1/2] gcoap: Avoid reading beyond defined input buffer
---
 sys/net/application_layer/gcoap/gcoap.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sys/net/application_layer/gcoap/gcoap.c b/sys/net/application_layer/gcoap/gcoap.c
index e6fc5d91ff8b..6d016f6519ee 100644
--- a/sys/net/application_layer/gcoap/gcoap.c
+++ b/sys/net/application_layer/gcoap/gcoap.c
@@ -1664,13 +1664,19 @@ ssize_t gcoap_req_send(const uint8_t *buf, size_t len,
 switch (msg_type) {
 case COAP_TYPE_CON:
+ /* Can't store it for retransmission, even though sending it from
+ * the provided buffer once is possible */
+ if (len > CONFIG_GCOAP_PDU_BUF_SIZE) {
+ return -EINVAL;
+ }
+
 /* copy buf to resend_bufs record */
 memo->msg.data.pdu_buf = NULL;
 for (int i = 0; i < CONFIG_GCOAP_RESEND_BUFS_MAX; i++) {
 if (!_coap_state.resend_bufs[i][0]) {
 memo->msg.data.pdu_buf = &_coap_state.resend_bufs[i][0];
 memcpy(memo->msg.data.pdu_buf, buf,
- CONFIG_GCOAP_PDU_BUF_SIZE);
+ len);
 memo->msg.data.pdu_len = len;
 break;
 }
From 2f7cbd3e1f96ebfe44c9d764496049f59da6e4a2 Mon Sep 17 00:00:00 2001
From: chrysn
Date: Sat, 6 Apr 2024 11:37:35 +0200
Subject: [PATCH 2/2] gcoap: Avoid lockup from error paths
---
 sys/net/application_layer/gcoap/gcoap.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/sys/net/application_layer/gcoap/gcoap.c b/sys/net/application_layer/gcoap/gcoap.c
index 6d016f6519ee..b0494f761489 100644
--- a/sys/net/application_layer/gcoap/gcoap.c
+++ b/sys/net/application_layer/gcoap/gcoap.c
@@ -1657,6 +1657,9 @@ ssize_t gcoap_req_send(const uint8_t *buf, size_t len,
 ssize_t res = _cache_check(buf, len, memo, &cache_hit);
 if (res < 0) {
+ DEBUG("gcoap: Error from cache check");
+ memo->state = GCOAP_MEMO_UNUSED;
+ mutex_unlock(&_coap_state.lock);
 return res;
 }
 len = res;
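Review bot: In the `COAP_TYPE_CON` hunk of patch 1/2, the new guard bounds `len` only from above, while the loop below still treats a slot as free when `_coap_state.resend_bufs[i][0]` is zero. Now that `memcpy` copies exactly `len` bytes, a zero `len` would leave the chosen slot's first byte untouched, so the slot would be assigned to this memo yet still look free to the next confirmable request. Whether `len` can reach 0 here is not visible in the hunk, since the function body starts and ends outside it, so I would make the lower bound explicit next to the new check: `if (len == 0 || len > CONFIG_GCOAP_PDU_BUF_SIZE) {`. A one-line comment at the slot test, such as `/* a slot is free while its first byte is zero; a stored PDU must start with a non-zero byte */`, would also record the invariant the copy now depends on.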
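Review bot: The three-line cleanup added in the `res < 0` branch of patch 2/2 (`memo->state = GCOAP_MEMO_UNUSED; mutex_unlock(&_coap_state.lock);` before the return) is repeated verbatim in the second hunk of the same patch. Since this commit fixes error returns that left the lock held, I would route both returns through one shared exit, either a small static helper that releases the memo and unlocks, or a common cleanup label. The next early return added to `gcoap_req_send` could then not reintroduce the lockup. The hunk also dereferences `memo` and unlocks unconditionally; the allocation and `mutex_lock` are outside the hunk, so it is worth confirming that both always happen before `_cache_check` is reached. Separately, both new `DEBUG` strings lack a trailing newline; `DEBUG` is printf-style, so `DEBUG("gcoap: Error from cache check\n");` keeps the log lines from running together.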
@@ -1667,6 +1670,9 @@ ssize_t gcoap_req_send(const uint8_t *buf, size_t len,
 /* Can't store it for retransmission, even though sending it from
 * the provided buffer once is possible */
 if (len > CONFIG_GCOAP_PDU_BUF_SIZE) {
+ DEBUG("gcoap: Request too large for retransmit buffer");
+ memo->state = GCOAP_MEMO_UNUSED;
+ mutex_unlock(&_coap_state.lock);
 return -EINVAL;
 }
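Review bot: The `-EINVAL` return for a confirmable request larger than `CONFIG_GCOAP_PDU_BUF_SIZE` is a new caller-visible outcome of `gcoap_req_send`, yet both patches in this series touch only `gcoap.c`, so no API documentation is updated with it. I would add a line to the function's doc comment, presumably in the gcoap header, along the lines of `@return -EINVAL if a confirmable request exceeds CONFIG_GCOAP_PDU_BUF_SIZE and cannot be stored for retransmission`. Without it, callers cannot tell this size limit apart from other argument errors. The limit applies only to the `COAP_TYPE_CON` case; the rest of the switch is outside the hunk.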