There are multiple instances of fixed-size SDP buffers in SIPCC (media/webrtc/signaling) that need to be dynamically sized. If we can't count on infallible malloc (these SDPs are provided by JS code and could be any size), then we'll want to put a 'silly' maximum like 128K or some such in place. (I suspect we can rely on infallible malloc - need to check.) Leaks are possible as these weren't allocated/freed before, so lifetimes of these objects should be checked, and it might be good to include some type of debug-build "live buffer" lists to catch attempts to use-after-free and to help pinpoint leaks.
Adding some information: Internally in SIPCC the SDP buffer size is set to 2048

#define CCSIP_SDP_BUF_SIZE 2048
buf = (char *) cpr_malloc(CCSIP_SDP_BUF_SIZE);

later on

cpr_free(part->body);
$ chfind SDP_SIZE
./src/sipcc/core/includes/ccapi.h:#define SDP_SIZE 1024 // must increase this
./src/sipcc/core/includes/ccapi.h: char offerSDP[SDP_SIZE];
./src/sipcc/core/includes/ccapi.h: char answerSDP[SDP_SIZE];
./src/sipcc/core/includes/ccapi.h: char remoteOfferSDP[SDP_SIZE];
./src/sipcc/core/includes/ccapi.h: char sdp[SDP_SIZE];

$ chfind SDP_MAX_LEN
./src/sipcc/core/sdp/sdp.h:#define SDP_MAX_LEN 1024
(no uses of this it appears)

$ hfind SDP_MAX_
./src/sipcc/core/sdp/sdp_private.h:#define SDP_MAX_STRING_LEN 80 /* Max len for SDP string
./src/sipcc/core/sdp/sdp_private.h:#define SDP_MAX_LINE_LEN 80 /* Max len for SDP Line */
(lots of hits removed)

(many, many uses deleted - these all need to be length-checked if used in parsing, or if used in generation if any of the inputs are controllable)

Just some quick greps of the code...
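An added example, not code from this bug or from SIPCC: one way a fixed char sdp[SDP_SIZE] member could become a heap-owned buffer with a sanity cap, rejecting oversized input instead of truncating it and freeing the old copy on replacement so repeated sets do not leak. The names sdp_buf, sdp_buf_set, sdp_buf_clear and SDP_HARD_MAX are hypothetical, the 128K cap is taken from the suggestion in the description, and plain malloc/free stand in for the cpr_malloc/cpr_free wrappers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SDP_HARD_MAX ((size_t)128 * 1024)  /* assumed cap ("128K or some such") */

typedef enum { SDP_OK = 0, SDP_ERR_ARG, SDP_ERR_TOO_BIG, SDP_ERR_NOMEM } sdp_rc;

/* Hypothetical owner of one SDP blob; stands in for a char sdp[SDP_SIZE] member. */
typedef struct {
    char  *data;   /* heap copy, always NUL-terminated, or NULL when empty */
    size_t len;    /* bytes in data, excluding the terminator */
} sdp_buf;

/* Release the buffer and reset the fields so a stale pointer is never reused. */
void sdp_buf_clear(sdp_buf *b)
{
    if (b == NULL) return;
    free(b->data);
    b->data = NULL;
    b->len = 0;
}

/* Store a copy of src[0..len). On any failure the previous contents are kept. */
sdp_rc sdp_buf_set(sdp_buf *b, const char *src, size_t len)
{
    char *copy;
    if (b == NULL || src == NULL) return SDP_ERR_ARG;
    if (len > SDP_HARD_MAX) return SDP_ERR_TOO_BIG;  /* reject, never truncate */

    copy = malloc(len + 1);   /* len <= SDP_HARD_MAX, so len + 1 cannot wrap */
    if (copy == NULL) return SDP_ERR_NOMEM;
    memcpy(copy, src, len);
    copy[len] = '\0';
    free(b->data);            /* drop the old SDP only after the new one exists */
    b->data = copy;
    b->len = len;
    return SDP_OK;
}

int main(void)
{
    sdp_buf b = { NULL, 0 };
    const char sdp[] = "v=0\r\no=- 0 0 IN IP4 127.0.0.1\r\n";  /* constructed sample */
    sdp_rc rc = sdp_buf_set(&b, sdp, strlen(sdp));
    printf("rc=%d len=%zu\n", (int)rc, b.len);
    sdp_buf_clear(&b);
    return 0;
}
```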
Dynamically allocated buffers for SDP were pushed as part of Bug 798873
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 798873