WebRTC use-after-free crash [@nr_ice_srvrflx_stun_finished_cb]

RESOLVED DUPLICATE of bug 838169

Status

Core
WebRTC: Networking
P1
critical
RESOLVED DUPLICATE of bug 838169
6 years ago
5 years ago

People

(Reporter: posidron, Assigned: jib)

Tracking

(Blocks: 1 bug, {crash, csectype-uaf, sec-critical})

Trunk
x86_64
Mac OS X
crash, csectype-uaf, sec-critical

Firefox Tracking Flags

(firefox18 unaffected, firefox19 disabled, firefox20 disabled, firefox21+ fixed, firefox-esr17 unaffected, b2g18 disabled)

Details

(Whiteboard: [WebRTC],[blocking-webrtc+][adv-main21-], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 708818 [details]
callstack

This crash occurred while "brute forcing" a valid PeerConnection call with malformed iceServer attributes inside a while(true) loop. After around 50 consecutive attempts all further attempts failed and after ~3000 further tries this crash popped up.


alloc: ice_candidate.c:196

    if(!(cand=RCALLOC(sizeof(nr_ice_candidate))))


free: ice_candidate.c:196

    RFREE(cand->foundation);
    RFREE(cand->label);
    RFREE(cand);


re-use: ice_candidate.c:487

static void nr_ice_srvrflx_stun_finished_cb(NR_SOCKET sock, int how, void *cb_arg)
  {
    int _status;
    nr_ice_candidate *cand=cb_arg;

    r_log(LOG_ICE,LOG_DEBUG,"ICE(%s): %s for %s",cand->ctx->label,__FUNCTION__,cand->label);


Tested with m-c changeset: 120354:2cc710018b14
(Reporter)

Updated

6 years ago
Crash Signature: [@ nr_ice_srvrflx_stun_finished_cb]

Comment 1

6 years ago
The problem here seems to be that we don't destroy the stun client context if it is destroyed during
candidate gathering. I think we need to add:

        nr_stun_client_ctx_destroy(&cand->u.srvrflx.stun);

Under the server reflexive arm of:

        nr_ice_candidate_destroy().

I can test this, but if someone else wanted to, that would also be fine.
If someone can unload ekr and generate a patch, that would probably be a good use of resources
Assignee: nobody → ekr
Priority: -- → P1
Whiteboard: [WebRTC],[blocking-webrtc+]
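The ordering problem comment 1 describes, as an added C model that is not nICEr's code and not the patch that landed: a server-reflexive candidate starts a STUN transaction whose completion callback receives the candidate as cb_arg, the candidate is destroyed while the transaction is still outstanding, and the late callback then runs on a dangling pointer. The struct layouts, the pending-transaction queue, the static candidate pool and the alive poison flag are all assumptions made for the model; the function names are borrowed from the report but the bodies are simplified stand-ins. The buggy destroy leaves the transaction registered, the fixed destroy tears down the STUN context first (the nr_stun_client_ctx_destroy call comment 1 proposes), which cancels the callback before the candidate goes away.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified model of the objects named in the report. */
#define MAX_PENDING 8
#define MAX_CANDS   4

typedef void (*stun_finished_cb)(int how, void *cb_arg);

typedef struct nr_stun_client_ctx_ {
    stun_finished_cb finished_cb;   /* runs when the transaction completes */
    void *cb_arg;                   /* the owning candidate */
} nr_stun_client_ctx;

typedef struct nr_ice_candidate_ {
    const char *label;
    int alive;                      /* poison flag (assumed): 0 once destroyed */
    nr_stun_client_ctx *stun;       /* cand->u.srvrflx.stun in the report */
} nr_ice_candidate;

/* Transactions the modelled STUN stack still has in flight. */
static nr_stun_client_ctx *pending[MAX_PENDING];
static int npending;

/* Candidates come from a static pool rather than the heap so the buggy path
 * can be observed without real undefined behaviour: a destroyed slot is
 * poisoned, not returned to the allocator. */
static nr_ice_candidate cand_pool[MAX_CANDS];
static int ncands;

static int dangling_callbacks;   /* callbacks that ran on a destroyed candidate */

static void nr_stun_client_start(nr_stun_client_ctx *ctx, stun_finished_cb cb, void *arg)
{
    ctx->finished_cb = cb;
    ctx->cb_arg = arg;
    pending[npending++] = ctx;
}

/* Cancel the in-flight transaction and release the context: the call that
 * comment 1 wants in the server-reflexive arm of nr_ice_candidate_destroy(). */
static void nr_stun_client_ctx_destroy(nr_stun_client_ctx **ctxp)
{
    nr_stun_client_ctx *ctx = *ctxp;
    int i, j;
    if (!ctx) return;
    for (i = 0, j = 0; i < npending; i++)
        if (pending[i] != ctx) pending[j++] = pending[i];
    npending = j;
    free(ctx);
    *ctxp = NULL;
}

/* The STUN stack delivers responses later; the candidate may be gone by then. */
static void nr_stun_deliver_responses(int how)
{
    int i, n = npending;
    npending = 0;
    for (i = 0; i < n; i++)
        pending[i]->finished_cb(how, pending[i]->cb_arg);
}

static void nr_ice_srvrflx_stun_finished_cb(int how, void *cb_arg)
{
    nr_ice_candidate *cand = cb_arg;
    (void)how;
    /* The real callback reads cand->label here; on a destroyed candidate that
     * read is the use-after-free in the crash report. */
    if (!cand->alive) dangling_callbacks++;
}

static nr_ice_candidate *nr_ice_candidate_create(const char *label)
{
    nr_ice_candidate *cand = &cand_pool[ncands++];
    cand->label = label;
    cand->alive = 1;
    cand->stun = calloc(1, sizeof(*cand->stun));
    nr_stun_client_start(cand->stun, nr_ice_srvrflx_stun_finished_cb, cand);
    return cand;
}

/* Buggy: releases the candidate but leaves its STUN transaction registered. */
static void nr_ice_candidate_destroy_buggy(nr_ice_candidate *cand)
{
    cand->alive = 0;
}

/* Fixed: tear down the STUN context (cancelling the callback) before release. */
static void nr_ice_candidate_destroy_fixed(nr_ice_candidate *cand)
{
    nr_stun_client_ctx_destroy(&cand->stun);
    cand->alive = 0;
}

/* Create a candidate, destroy it mid-gathering, then deliver the late STUN
 * response. Returns how many callbacks ran on a destroyed candidate:
 * 1 with the buggy destroy, 0 with the fixed one. */
int simulate_gathering_abort(int fixed)
{
    nr_ice_candidate *cand;
    ncands = npending = dangling_callbacks = 0;
    cand = nr_ice_candidate_create("srflx-1");
    if (fixed) nr_ice_candidate_destroy_fixed(cand);
    else       nr_ice_candidate_destroy_buggy(cand);
    nr_stun_deliver_responses(0);
    if (!fixed) nr_stun_client_ctx_destroy(&cand->stun);  /* release the leaked ctx */
    return dangling_callbacks;
}

int main(void)
{
    printf("buggy destroy: %d dangling callback(s)\n", simulate_gathering_abort(0));
    printf("fixed destroy: %d dangling callback(s)\n", simulate_gathering_abort(1));
    return 0;
}
```

The model makes the general point behind this class of bug visible: any object handed to an asynchronous subsystem as a callback argument must cancel or complete that operation in its own destructor, and the candidate's destroy path is the only place that can do so reliably, because the STUN stack has no way of knowing the candidate is gone.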

Comment 3

6 years ago
I am actually already working on a patch and a unit test.
status-firefox18: --- → unaffected
status-firefox19: --- → disabled
status-firefox20: --- → disabled
status-firefox21: --- → affected
status-b2g18: --- → disabled
status-firefox-esr17: --- → unaffected
tracking-firefox21: --- → +
Assignee: ekr → jib

Comment 4

6 years ago
cdiehl: I believe this is fixed by:

https://hg.mozilla.org/integration/mozilla-inbound/rev/e870235b44ce

Can you please retest?
Flags: needinfo?(cdiehl)
(Reporter)

Comment 5

6 years ago
Fixed.
Flags: needinfo?(cdiehl)

Updated

6 years ago
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 838169

Updated

6 years ago
status-firefox21: affected → fixed

Updated

5 years ago
Whiteboard: [WebRTC],[blocking-webrtc+] → [WebRTC],[blocking-webrtc+][adv-main21-]
Group: core-security