Closed
Bug 836931
Opened 11 years ago
Closed 11 years ago
WebRTC use-after-free crash [@nr_ice_srvrflx_stun_finished_cb]
Categories
(Core :: WebRTC: Networking, defect, P1)
Tracking
RESOLVED DUPLICATE of bug 838169
Branch | Tracking | Status
---|---|---
firefox18 | --- | unaffected
firefox19 | --- | disabled
firefox20 | --- | disabled
firefox21 | + | fixed
firefox-esr17 | --- | unaffected
b2g18 | --- | disabled
People
(Reporter: posidron, Assigned: jib)
References
Details
(Keywords: crash, csectype-uaf, sec-critical, Whiteboard: [WebRTC],[blocking-webrtc+][adv-main21-])
Crash Data
Attachments (1 file)
9.85 KB, text/plain
This crash occurred while "brute forcing" a valid PeerConnection call with malformed iceServer attributes inside a while(true) loop. After around 50 consecutive attempts all further attempts failed and after ~3000 further tries this crash popped up.

alloc: ice_candidate.c:196

```c
if(!(cand=RCALLOC(sizeof(nr_ice_candidate))))
```

free: ice_candidate.c:196

```c
RFREE(cand->foundation);
RFREE(cand->label);
RFREE(cand);
```

re-use: ice_candidate.c:487

```c
static void nr_ice_srvrflx_stun_finished_cb(NR_SOCKET sock, int how, void *cb_arg)
{
    int _status;
    nr_ice_candidate *cand=cb_arg;

    r_log(LOG_ICE,LOG_DEBUG,"ICE(%s): %s for %s",cand->ctx->label,__FUNCTION__,cand->label);
```

Tested with m-c changeset: 120354:2cc710018b14
Updated•11 years ago
Crash Signature: [@ nr_ice_srvrflx_stun_finished_cb]
Comment 1•11 years ago
The problem here seems to be that we don't destroy the stun client context if it is destroyed during candidate gathering. I think we need to add: nr_stun_client_ctx_destroy(&cand->u.srvrflx.stun); Under the server reflexive arm of: nr_ice_candidate_destroy(). I can test this, but if someone else wanted to, that would also be fine.
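The lifetime problem described in the report and in comment 1 can be shown with a small model: a candidate owns a STUN client context whose completion callback receives the candidate as `cb_arg`, so freeing the candidate while that transaction is still registered leaves the event loop holding a dangling pointer. The program below is an added illustration, not nICEr's or Mozilla's code; every type and function in it (`stun_client_ctx`, `g_reg`, `candidate_destroy_buggy`, `candidate_destroy_fixed`, `dangling_registrations`, `scenario`) is a hypothetical stand-in chosen to mirror the names in the bug. The registration table lives in a global array so the check after the free compares only pointer values and never touches freed memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the ICE candidate / STUN client relationship from
   this bug. Not the real nICEr types. */

typedef void (*stun_cb)(void *cb_arg);

#define MAX_REG 16

/* Stand-in for the event loop's registered callbacks (timers/sockets).
   Kept outside the candidate so a freed candidate can be checked for
   without reading freed memory. */
static struct registration {
    stun_cb cb;
    void *cb_arg;
    int active;
} g_reg[MAX_REG];

typedef struct stun_client_ctx {
    int reg;                /* index into g_reg, or -1 when nothing is in flight */
} stun_client_ctx;

typedef struct ice_candidate {
    char *label;
    stun_client_ctx stun;   /* plays the role of cand->u.srvrflx.stun */
} ice_candidate;

/* Register a completion callback; returns 0 on success, -1 if the table is full. */
static int stun_client_start(stun_client_ctx *ctx, stun_cb cb, void *cb_arg) {
    for (int i = 0; i < MAX_REG; i++) {
        if (!g_reg[i].active) {
            g_reg[i].cb = cb;
            g_reg[i].cb_arg = cb_arg;
            g_reg[i].active = 1;
            ctx->reg = i;
            return 0;
        }
    }
    return -1;
}

/* Cancel any in-flight transaction so its callback can never fire. */
static void stun_client_ctx_destroy(stun_client_ctx *ctx) {
    if (ctx->reg >= 0) {
        g_reg[ctx->reg].active = 0;
        g_reg[ctx->reg].cb_arg = NULL;
        ctx->reg = -1;
    }
}

/* Completion callback: like the real one, it dereferences cand. */
static void srvrflx_stun_finished_cb(void *cb_arg) {
    ice_candidate *cand = cb_arg;
    printf("STUN finished for %s\n", cand->label);
}

static ice_candidate *candidate_create(const char *label) {
    ice_candidate *cand = calloc(1, sizeof *cand);
    if (!cand) return NULL;
    size_t n = strlen(label) + 1;
    cand->label = malloc(n);
    if (!cand->label) { free(cand); return NULL; }
    memcpy(cand->label, label, n);
    cand->stun.reg = -1;
    return cand;
}

static int candidate_start_gathering(ice_candidate *cand) {
    return stun_client_start(&cand->stun, srvrflx_stun_finished_cb, cand);
}

/* The pattern the bug describes: the candidate is freed during gathering
   while its STUN callback stays registered with the event loop. */
static void candidate_destroy_buggy(ice_candidate **candp) {
    ice_candidate *cand = *candp;
    if (!cand) return;
    free(cand->label);
    free(cand);
    *candp = NULL;
}

/* The fix suggested in comment 1: tear down the STUN client context
   before the candidate's memory is released. */
static void candidate_destroy_fixed(ice_candidate **candp) {
    ice_candidate *cand = *candp;
    if (!cand) return;
    stun_client_ctx_destroy(&cand->stun);
    free(cand->label);
    free(cand);
    *candp = NULL;
}

/* Count active registrations whose cb_arg equals addr. Only integer
   pointer values are compared; nothing behind addr is dereferenced. */
static int dangling_registrations(uintptr_t addr) {
    int n = 0;
    for (int i = 0; i < MAX_REG; i++)
        if (g_reg[i].active && (uintptr_t)g_reg[i].cb_arg == addr) n++;
    return n;
}

/* Create, start gathering, destroy; return how many callbacks would still
   fire against the freed candidate (0 is the safe answer, -1 on setup error). */
static int scenario(int use_fix) {
    memset(g_reg, 0, sizeof g_reg);
    ice_candidate *cand = candidate_create("srvrflx-1");
    if (!cand) return -1;
    uintptr_t addr = (uintptr_t)cand;     /* remembered before the free */
    if (candidate_start_gathering(cand) != 0) { candidate_destroy_fixed(&cand); return -1; }
    if (use_fix) candidate_destroy_fixed(&cand);
    else         candidate_destroy_buggy(&cand);
    return dangling_registrations(addr);
}

int main(void) {
    printf("buggy destroy: %d dangling callback(s)\n", scenario(0));
    printf("fixed destroy: %d dangling callback(s)\n", scenario(1));
    return 0;
}
```

The buggy path leaves one registration pointing at the released candidate, which is exactly the state in which a later `nr_ice_srvrflx_stun_finished_cb` invocation would read freed memory; the fixed path cancels the transaction first, so the destroy order (cancel pending work, then free the owner) is the property to look for when reviewing similar async-callback code.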
Comment 2•11 years ago
If someone can unload ekr and generate a patch, that would probably be a good use of resources
Assignee: nobody → ekr
Priority: -- → P1
Whiteboard: [WebRTC],[blocking-webrtc+]
Comment 3•11 years ago
I am actually already working on a patch and a unit test.
Updated•11 years ago
status-firefox18: --- → unaffected
status-firefox19: --- → disabled
status-firefox20: --- → disabled
status-firefox21: --- → affected
Updated•11 years ago
Assignee: ekr → jib
Comment 4•11 years ago
cdiehl: I believe this is fixed by: https://hg.mozilla.org/integration/mozilla-inbound/rev/e870235b44ce

Can you please retest?
Flags: needinfo?(cdiehl)
Updated•11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated•11 years ago
Whiteboard: [WebRTC],[blocking-webrtc+] → [WebRTC],[blocking-webrtc+][adv-main21-]
Updated•11 years ago
Group: core-security