From 567d643226e9b33579d8c49ad8df4ff9a04e9d40 Mon Sep 17 00:00:00 2001
From: Guillaume Roguez <guillaume.roguez@savoirfairelinux.com>
Date: Mon, 17 Jul 2017 14:25:50 -0400
Subject: [PATCH] srtp: fix bad memory access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* fix non-initialized memory at SRTP session creation.
* fix invalid access when SRTP session is free in some conditions.
Change-Id: I95a1e2cd45b8007cb20445ca219f8e667e977656
Reviewed-by: Anthony LĂ©onard <anthony.leonard@savoirfairelinux.com>
---
src/media/socket_pair.cpp | 3 +++
src/media/srtp.c | 12 ++++++++----
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/media/socket_pair.cpp b/src/media/socket_pair.cpp
index 34dd7035fd..5beb98d6ad 100644
--- a/src/media/socket_pair.cpp
+++ b/src/media/socket_pair.cpp
@@ -25,6 +25,7 @@
#include "ice_socket.h"
#include "libav_utils.h"
#include "logger.h"
+#include "security/memory.h"
#include <iostream>
#include <string>
@@ -69,6 +70,8 @@ class SRTPProtoContext {
public:
SRTPProtoContext(const char* out_suite, const char* out_key,
const char* in_suite, const char* in_key) {
+ ring_secure_memzero(&srtp_out, sizeof(srtp_out));
+ ring_secure_memzero(&srtp_in, sizeof(srtp_in));
if (out_suite && out_key) {
// XXX: see srtp_open from libavformat/srtpproto.c
if (ff_srtp_set_crypto(&srtp_out, out_suite, out_key) < 0) {
diff --git a/src/media/srtp.c b/src/media/srtp.c
index e349e32c43..ea529460d3 100644
--- a/src/media/srtp.c
+++ b/src/media/srtp.c
@@ -42,10 +42,14 @@ void ff_srtp_free(struct SRTPContext *s)
return;
// aes and hmac have an opaque pointer type.
// No API to safely erase them, so just re-init with "dummy keys" to sanitize them
- av_aes_init(s->aes, zero_buffer, 128, 0);
- av_hmac_init(s->hmac, zero_buffer, sizeof(s->rtp_auth));
- av_freep(&s->aes);
- av_hmac_free(s->hmac);
+ if (s->aes) {
+ av_aes_init(s->aes, zero_buffer, 128, 0);
+ av_freep(&s->aes);
+ }
+ if (s->hmac) {
+ av_hmac_init(s->hmac, zero_buffer, sizeof(s->rtp_auth));
+ av_hmac_free(s->hmac);
+ }
ring_secure_memzero(s, sizeof(*s));
}
--
GitLab