Closed Bug 836931 Opened 7 years ago Closed 7 years ago

WebRTC use-after-free crash [@nr_ice_srvrflx_stun_finished_cb]

Categories

(Core :: WebRTC: Networking, defect, P1, critical)

x86_64
macOS
defect

Tracking

()

RESOLVED DUPLICATE of bug 838169
Tracking Status
firefox18 --- unaffected
firefox19 --- disabled
firefox20 --- disabled
firefox21 + fixed
firefox-esr17 --- unaffected
b2g18 --- disabled

People

(Reporter: posidron, Assigned: jib)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-uaf, sec-critical, Whiteboard: [WebRTC],[blocking-webrtc+][adv-main21-])

Crash Data

Attachments

(1 file)

Attached file callstack
This crash occurred while "brute forcing" a valid PeerConnection call with malformed iceServer attributes inside a while(true) loop. After around 50 consecutive attempts all further attempts failed and after ~3000 further tries this crash popped up.


alloc: ice_candidate.c:196

    if(!(cand=RCALLOC(sizeof(nr_ice_candidate))))


free: ice_candidate.c:196

    RFREE(cand->foundation);
    RFREE(cand->label);
    RFREE(cand);


re-use: ice_candidate.c:487

static void nr_ice_srvrflx_stun_finished_cb(NR_SOCKET sock, int how, void *cb_arg)
  {
    int _status;
    nr_ice_candidate *cand=cb_arg;

    r_log(LOG_ICE,LOG_DEBUG,"ICE(%s): %s for %s",cand->ctx->label,__FUNCTION__,cand->label);


Tested with m-c changeset: 120354:2cc710018b14
Crash Signature: [@ nr_ice_srvrflx_stun_finished_cb]
The problem here seems to be that we don't destroy the stun client context if it is destroyed during
candidate gathering. I think we need to add:

        nr_stun_client_ctx_destroy(&cand->u.srvrflx.stun);

Under the server reflexive arm of:

        nr_ice_candidate_destroy().

I can test this, but if someone else wanted to, that would also be fine.
If someone cal unload ekr and generate a patch, that would probably be a good use of resources
Assignee: nobody → ekr
Priority: -- → P1
Whiteboard: [WebRTC],[blocking-webrtc+]
I am actually already working on a patch and a unit test.
Blocks: 796463
Assignee: ekr → jib
cdiehl: I believe this is fixed by:

https://hg.mozilla.org/integration/mozilla-inbound/rev/e870235b44ce

Can you please retest?
Flags: needinfo?(cdiehl)
Fixed.
Flags: needinfo?(cdiehl)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 838169
Whiteboard: [WebRTC],[blocking-webrtc+] → [WebRTC],[blocking-webrtc+][adv-main21-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.