Closed
Bug 824220
Opened 12 years ago
Closed 12 years ago
Constraints should be passed from calling thread to SIPCC thread using a pointer
Categories
(Core :: WebRTC: Signaling, defect, P1)
Core
WebRTC: Signaling
Tracking
()
RESOLVED
FIXED
mozilla20
| Tracking | Status | |
|---|---|---|
| firefox19 | --- | disabled |
| firefox20 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | disabled |
People
(Reporter: abr, Assigned: abr)
Details
(Keywords: sec-audit, sec-moderate, Whiteboard: [WebRTC][blocking-webrtc+][qa-][adv-main20-])
Attachments
(1 file, 1 obsolete file)
|
27.87 KB,
patch
|
jesup
:
review+
jesup
:
checkin+
|
Details | Diff | Splinter Review |
Currently, the cc_invokeFeatureSDPMode function in cc_call_feature.c generates a random number as an index into a global hash table for storing offer and answer constraints. This isn't the most architecturally sound way of handling data passing. This bug is a memento to clean up this handling so that a pointer is passed directly via the callFeature.featData.ccData structure rather than indirectly by way of the hash table.
|
||
Comment 1•12 years ago
|
||
This hash table can be accessed from two threads in a non-safe manner, per abr: abr (The problem is that the hashtable is not synchronized, and it's being modified by two different threads) abr I'm not clear about whether this is the kind of issue that we should mark a bug as security sensitive for. But as long as it's in the open, I'm hesitant to add any comments about the potential for crashes. abr It should, in any case, be an easy fix, and it might stave off some of the fuzzer-generated bugs that appear to be popping up with some rapdity.
Group: core-security
|
||
Updated•12 years ago
|
Severity: normal → critical
Priority: -- → P1
Whiteboard: [WebRTC] → [WebRTC][blocking-webrtc+]
|
Assignee | |
Updated•12 years ago
|
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 2•12 years ago
|
||
|
|
Assignee | |
Updated•12 years ago
|
Attachment #696113 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 3•12 years ago
|
||
|
|
Assignee | |
Updated•12 years ago
|
Attachment #696115 -
Flags: review?(rjesup)
|
|
||
Updated•12 years ago
|
Attachment #696115 -
Flags: review?(rjesup) → review+
|
|
Assignee | |
Updated•12 years ago
|
Attachment #696115 -
Flags: checkin?(rjesup)
|
|
||
Comment 4•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/35a0599d087a
Target Milestone: --- → mozilla20
|
||
Comment 5•12 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/35a0599d087a
status-firefox20:
--- → fixed
|
|
||
Updated•12 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
|
||
Updated•12 years ago
|
Attachment #696115 -
Flags: checkin?(rjesup) → checkin+
|
||
Updated•12 years ago
|
Whiteboard: [WebRTC][blocking-webrtc+] → [WebRTC][blocking-webrtc+][qa-]
|
||
Updated•11 years ago
|
status-b2g18:
--- → disabled
status-firefox19:
--- → disabled
status-firefox-esr17:
--- → unaffected
|
|
||
Updated•11 years ago
|
Keywords: sec-audit,
sec-moderate
|
||
Updated•11 years ago
|
Whiteboard: [WebRTC][blocking-webrtc+][qa-] → [WebRTC][blocking-webrtc+][qa-][adv-main20-]
|
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•