Closed
Bug 862890
Opened 12 years ago
Closed 12 years ago
WebRTC TURN use-after-free [@nr_turn_client_process_response]
Categories
(Core :: WebRTC: Networking, defect, P1)
Tracking
()
RESOLVED
DUPLICATE
of bug 946733
| Tracking | Status | |
|---|---|---|
| firefox20 | --- | unaffected |
| firefox21 | --- | unaffected |
| firefox22 | --- | disabled |
| firefox23 | --- | affected |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: posidron, Assigned: ekr)
References
Details
(Keywords: crash, csectype-uaf, sec-critical, Whiteboard: [WebRTC][blocking-webrtc-][turn])
Attachments
(1 file)
|
8.35 KB,
text/plain
|
Details |
This happened during experimental fuzzing of TURN while being a MITM.
alloc: media/mtransport/third_party/nICEr/src/stun/turn_client_ctx.c:102
* if (!(sctx=RCALLOC(sizeof(nr_turn_stun_ctx))))
ABORT(R_NO_MEMORY);
free: media/mtransport/third_party/nICEr/src/stun/turn_client_ctx.c:386
/* Destroy the STUN client ctxs */
while (!STAILQ_EMPTY(&ctx->stun_ctxs)) {
nr_turn_stun_ctx *stun = STAILQ_FIRST(&ctx->stun_ctxs);
STAILQ_REMOVE_HEAD(&ctx->stun_ctxs, entry);
* nr_turn_stun_ctx_destroy(&stun);
}
re-use: media/mtransport/third_party/nICEr/src/stun/turn_client_ctx.c:555
* sc1 = STAILQ_FIRST(&ctx->stun_ctxs);
I don't have a testcase for this handy.
Tested with m-i changeset: 129073:b9f7fd0996f0
|
||
Updated•12 years ago
|
Whiteboard: [turn] → [WebRTC][blocking-webrtc-][turn]
|
||
Updated•12 years ago
|
Assignee: nobody → ekr
Priority: -- → P1
|
||
Comment 1•12 years ago
|
||
When did TURN land? Is it disabled everywhere at the moment? I'm going to set it affected on 23 in case it gets turned on in 23.
status-b2g18:
--- → unaffected
status-firefox21:
--- → unaffected
status-firefox22:
--- → unaffected
status-firefox23:
--- → affected
status-firefox-esr17:
--- → unaffected
|
|
||
Comment 2•12 years ago
|
||
TURN is on in 23 (Nightly) currently. It landed about a week ago. See Bug 855769 and Bug 786235 for more details.
|
|
||
Updated•12 years ago
|
status-firefox20:
--- → unaffected
|
||
Updated•12 years ago
|
|
|
||
Updated•12 years ago
|
Keywords: testcase-wanted
QA Contact: jsmith
|
|
||
Comment 5•12 years ago
|
||
It's been a week without activity here - Christoph do you have an eta on a test case?
QA Contact: cdiehl
|
|
Reporter | |
Comment 6•12 years ago
|
||
No sorry, this crash wasn't reproducible with a single testcase.
Flags: needinfo?(cdiehl)
|
|
||
Updated•12 years ago
|
status-firefox24:
--- → affected
tracking-firefox24:
--- → ?
|
||
Comment 7•12 years ago
|
||
Eric, are you going to be able to proceed without a testcase? If not, we should probably close this as incomplete until we can reproduce this issue.
status-firefox24:
affected → ---
tracking-firefox24:
? → ---
|
|
||
Updated•12 years ago
|
Whiteboard: [WebRTC][blocking-webrtc-][turn] → [WebRTC][blocking-webrtc-][turn][closeme 6/6/2013]
|
|
||
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INCOMPLETE
|
|
||
Updated•12 years ago
|
Keywords: testcase-wanted
Whiteboard: [WebRTC][blocking-webrtc-][turn][closeme 6/6/2013] → [WebRTC][blocking-webrtc-][turn]
|
|
||
Comment 8•12 years ago
|
||
We should no longer be tracking this for 23. Please see comment 7. (We would need a test case to proceed.)
tracking-firefox23:
+ → ---
|
||
Updated•11 years ago
|
Group: core-security
|
||
Comment 9•9 years ago
|
||
Almost positive this is a dupe of bug 946733.
Resolution: INCOMPLETE → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•