Bug 908740 - Reject obviously bogus STUN and TURN candidates. r=ekr
authorByron Campen [:bwc] <docfaraday@gmail.com>
Tue, 10 Sep 2013 11:33:19 -0700
changeset 146486 9b69c26b9dc24fd94efbe7ec3f897635a0fe3207
parent 146485 9e5d584bc36c0c09d9298ae05c9a6b9a53fbbcae
child 146487 ea05a04019d8a3484c7f8e489c6ca38713b176f1
push id25261
push usercbook@mozilla.com
push dateWed, 11 Sep 2013 07:31:01 +0000
treeherdermozilla-central@f9e8e8ce552c [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersekr
bugs908740
milestone26.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 908740 - Reject obviously bogus STUN and TURN candidates. r=ekr
media/mtransport/third_party/nICEr/src/stun/stun_client_ctx.c
media/mtransport/third_party/nICEr/src/stun/stun_client_ctx.h
--- a/media/mtransport/third_party/nICEr/src/stun/stun_client_ctx.c
+++ b/media/mtransport/third_party/nICEr/src/stun/stun_client_ctx.c
@@ -399,16 +399,27 @@ static int nr_stun_client_send_request(n
 static int nr_stun_client_get_password(void *arg, nr_stun_message *msg, Data **password)
 {
     *password = (Data*)arg;
     if (!arg)
         return(R_NOT_FOUND);
     return(0);
 }
 
+int nr_stun_transport_addr_check(nr_transport_addr* addr)
+  {
+    if(nr_transport_addr_is_wildcard(addr))
+      return(R_BAD_DATA);
+
+    if (nr_transport_addr_is_loopback(addr))
+      return(R_BAD_DATA);
+
+    return(0);
+  }
+
 int nr_stun_client_process_response(nr_stun_client_ctx *ctx, UCHAR *msg, int len, nr_transport_addr *peer_addr)
   {
     int r,_status;
     char string[256];
     char *username;
     Data *password = 0;
     nr_stun_message_attribute *attr;
     nr_transport_addr *mapped_addr = 0;
@@ -617,16 +628,19 @@ int nr_stun_client_process_response(nr_s
         if (! nr_stun_message_has_attribute(ctx->response, NR_STUN_ATTR_XOR_MAPPED_ADDRESS, 0))
             ABORT(R_BAD_DATA);
         if (! nr_stun_message_has_attribute(ctx->response, NR_STUN_ATTR_MESSAGE_INTEGRITY, 0))
             ABORT(R_BAD_DATA);
 
         if (!nr_stun_message_has_attribute(ctx->response, NR_STUN_ATTR_XOR_RELAY_ADDRESS, &attr))
           ABORT(R_BAD_DATA);
 
+        if ((r=nr_stun_transport_addr_check(&attr->u.relay_address.unmasked)))
+          ABORT(r);
+
         if ((r=nr_transport_addr_copy(
                 &ctx->results.allocate_response.relay_addr,
                 &attr->u.relay_address.unmasked)))
           ABORT(r);
 
         if (!nr_stun_message_has_attribute(ctx->response, NR_STUN_ATTR_LIFETIME, &attr))
           ABORT(R_BAD_DATA);
         ctx->results.allocate_response.lifetime_secs=attr->u.lifetime_secs;
@@ -658,20 +672,26 @@ int nr_stun_client_process_response(nr_s
     /* make sure we have the most up-to-date address from this peer */
     if (nr_transport_addr_cmp(&ctx->peer_addr, peer_addr, NR_TRANSPORT_ADDR_CMP_MODE_ALL)) {
         r_log(NR_LOG_STUN,LOG_INFO,"STUN-CLIENT(%s): Peer moved from %s to %s", ctx->label, ctx->peer_addr.as_string, peer_addr->as_string);
         nr_transport_addr_copy(&ctx->peer_addr, peer_addr);
     }
 
     if (mapped_addr) {
         if (nr_stun_message_has_attribute(ctx->response, NR_STUN_ATTR_XOR_MAPPED_ADDRESS, &attr)) {
+            if ((r=nr_stun_transport_addr_check(&attr->u.xor_mapped_address.unmasked)))
+                ABORT(r);
+
             if ((r=nr_transport_addr_copy(mapped_addr, &attr->u.xor_mapped_address.unmasked)))
                 ABORT(r);
         }
         else if (nr_stun_message_has_attribute(ctx->response, NR_STUN_ATTR_MAPPED_ADDRESS, &attr)) {
+            if ((r=nr_stun_transport_addr_check(&attr->u.mapped_address)))
+                ABORT(r);
+
             if ((r=nr_transport_addr_copy(mapped_addr, &attr->u.mapped_address)))
                 ABORT(r);
         }
         else
             ABORT(R_BAD_DATA);
 
 
         r_log(NR_LOG_STUN,LOG_DEBUG,"STUN-CLIENT(%s): Received mapped address: %s", ctx->label, mapped_addr->as_string);
--- a/media/mtransport/third_party/nICEr/src/stun/stun_client_ctx.h
+++ b/media/mtransport/third_party/nICEr/src/stun/stun_client_ctx.h
@@ -183,13 +183,14 @@ struct nr_stun_client_ctx_ {
 };
 
 int nr_stun_client_ctx_create(char *label, nr_socket *sock, nr_transport_addr *peer, UINT4 RTO, nr_stun_client_ctx **ctxp);
 int nr_stun_client_start(nr_stun_client_ctx *ctx, int mode, NR_async_cb finished_cb, void *cb_arg);
 int nr_stun_client_restart(nr_stun_client_ctx *ctx);
 int nr_stun_client_force_retransmit(nr_stun_client_ctx *ctx);
 int nr_stun_client_reset(nr_stun_client_ctx *ctx);
 int nr_stun_client_ctx_destroy(nr_stun_client_ctx **ctxp);
+int nr_stun_transport_addr_check(nr_transport_addr* addr);
 int nr_stun_client_process_response(nr_stun_client_ctx *ctx, UCHAR *msg, int len, nr_transport_addr *peer_addr);
 int nr_stun_client_cancel(nr_stun_client_ctx *ctx);
 
 #endif