Closed
Bug 857256
Opened 12 years ago
Closed 12 years ago
WebRTC TURN use-after-free crash [@nr_turn_client_process_response]
Categories
(Core :: WebRTC: Networking, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox21 | --- | unaffected |
| firefox22 | - | unaffected |
| firefox23 | + | unaffected |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: posidron, Assigned: ekr)
References
Details
(4 keywords, Whiteboard: [webrtc][blocking-webrtc-][turn][qa-] not in tree yet)
Attachments
(1 file)
|
7.55 KB,
text/plain
|
Details |
The crash occurred while running the IceConnectTest.TestConnectTurn test.
I am not sure how much this is related to bug 856382 (which is not reproducible anymore) or because I am running the unit test without a TURN server.
alloc: ./media/mtransport/third_party/nICEr/src/stun/turn_client_ctx.c:304
int nr_turn_client_ctx_create(char *label, nr_socket *sock,
char *username, Data *password,
nr_transport_addr *addr,
nr_turn_client_ctx **ctxp)
{
[...]
if(!(ctx=RCALLOC(sizeof(nr_turn_client_ctx))))
ABORT(R_NO_MEMORY);
free: ./media/mtransport/third_party/nICEr/src/stun/turn_client_ctx.c:347
int
nr_turn_client_ctx_destroy(nr_turn_client_ctx **ctxp)
{
nr_turn_client_ctx *ctx;
if(!ctxp || !*ctxp)
return(0);
ctx=*ctxp;
*ctxp = 0;
nr_turn_client_cancel(ctx);
RFREE(ctx);
re-use: ./media/mtransport/third_party/nICEr/src/stun/turn_client_ctx.c:532
int nr_turn_client_process_response(nr_turn_client_ctx *ctx,
UCHAR *msg, int len,
nr_transport_addr *turn_server_addr)
{
int r, _status;
nr_turn_stun_ctx *sc1;
switch (ctx->state) {
Tested with m-i changeset: 126927:9fe83576713e and the applied patch of bug 786235.
|
Reporter | |
Updated•12 years ago
|
Component: WebRTC → WebRTC: Networking
|
||
Updated•12 years ago
|
Whiteboard: [webrtc][blocking-webrtc?]
|
Assignee | |
Comment 1•12 years ago
|
||
What do you mean "without a TURN server". What is it pointed at?
|
|
Reporter | |
Comment 2•12 years ago
|
||
std::string g_turn_server("172.16.131.149");
I was referring to your comment in the meeting where you said, that a TURN server will be required in order to run the TURN unit-tests but perhaps I misunderstood.
|
||
Updated•12 years ago
|
Keywords: csec-uaf,
sec-critical
|
||
Updated•12 years ago
|
|
|
Reporter | |
Updated•12 years ago
|
Summary: WebRTC use-after-free crash [@nr_turn_client_process_response] → WebRTC TURN use-after-free crash [@nr_turn_client_process_response]
|
|
||
Updated•12 years ago
|
Whiteboard: [webrtc][blocking-webrtc?] → [webrtc][blocking-webrtc-][turn]
|
|
||
Comment 3•12 years ago
|
||
I'll note this would only rate as a security bug once the patch being tested lands, and then only if the problem hasn't already been resolved or made moot by changes to the patch. I'm not sure if it should be sec-critical at this point, but it certainly would be if it lands as-id.
Assignee: nobody → ekr
|
|
||
Comment 4•12 years ago
|
||
(In reply to Randell Jesup [:jesup] from comment #3)
> I'll note this would only rate as a security bug once the patch being tested
> lands
FYI, by "rate" I meant "rate sec-critical severity"
|
|
Reporter | |
Comment 5•12 years ago
|
||
This seems to be fixed with the updated patch https://bugzilla.mozilla.org/show_bug.cgi?id=786235#c18
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Updated•12 years ago
|
Flags: in-testsuite-
Whiteboard: [webrtc][blocking-webrtc-][turn] → [webrtc][blocking-webrtc-][turn][qa-]
|
|
||
Comment 6•12 years ago
|
||
The tracking flags were set incorrectly here - they should all be cleared since we haven't even landed the patch that generates the bug. No need to track for any Firefox release until there's code in the tree.
|
||
Comment 7•12 years ago
|
||
I disagree: there is a desire to get this feature into Firefox 23, and possibly uplift to 22, so we need to track this bug to make sure it's fixed should that happen.
status-b2g18:
--- → unaffected
status-firefox21:
--- → unaffected
status-firefox-esr17:
--- → unaffected
tracking-firefox22:
--- → +
tracking-firefox23:
--- → +
Whiteboard: [webrtc][blocking-webrtc-][turn][qa-] → [webrtc][blocking-webrtc-][turn][qa-] not in tree yet
|
|
||
Comment 8•12 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #7)
> I disagree: there is a desire to get this feature into Firefox 23, and
> possibly uplift to 22, so we need to track this bug to make sure it's fixed
> should that happen.
Let's take this to a side email thread.
|
||
Comment 9•12 years ago
|
||
this crash is no longer appearing in report lists for 22 nor 23
|
||
Comment 10•12 years ago
|
||
Bug 786235 suggests that FF22 should be explicitly unaffected, and FF23 sounds like it's fixed.
|
|
||
Comment 11•12 years ago
|
||
We have no intention to enable TURN for FF22. TURN will be on for FF23
|
||
Comment 12•12 years ago
|
||
Is this affected on FF23?
|
|
||
Comment 13•12 years ago
|
||
per comment 5, I'll mark FF23 fixed even though it never landed in the tree in the broken state. Feel free to change to unaffected if that fits the process better.
|
|
||
Comment 14•12 years ago
|
||
Sounds like we've got our answer to comment 12's question in comment 13.
Flags: needinfo?(cdiehl)
|
|
||
Comment 15•12 years ago
|
||
(In reply to Randell Jesup [:jesup] from comment #13)
> per comment 5, I'll mark FF23 fixed even though it never landed in the tree
> in the broken state. Feel free to change to unaffected if that fits the
> process better.
Let's actually do unaffected in this case - that will work with our security QA's bug process for tracking bugs before landing vs. post landing.
|
||
Updated•10 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•