From 567d643226e9b33579d8c49ad8df4ff9a04e9d40 Mon Sep 17 00:00:00 2001 From: Guillaume Roguez <guillaume.roguez@savoirfairelinux.com> Date: Mon, 17 Jul 2017 14:25:50 -0400 Subject: [PATCH] srtp: fix bad memory access MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix non-initialized memory at SRTP session creation. * fix invalid access when SRTP session is free in some conditions. Change-Id: I95a1e2cd45b8007cb20445ca219f8e667e977656 Reviewed-by: Anthony Léonard <anthony.leonard@savoirfairelinux.com> --- src/media/socket_pair.cpp | 3 +++ src/media/srtp.c | 12 ++++++++---- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/src/media/socket_pair.cpp b/src/media/socket_pair.cpp index 34dd7035fd..5beb98d6ad 100644 --- a/src/media/socket_pair.cpp +++ b/src/media/socket_pair.cpp @@ -25,6 +25,7 @@ #include "ice_socket.h" #include "libav_utils.h" #include "logger.h" +#include "security/memory.h" #include <iostream> #include <string> @@ -69,6 +70,8 @@ class SRTPProtoContext { public: SRTPProtoContext(const char* out_suite, const char* out_key, const char* in_suite, const char* in_key) { + ring_secure_memzero(&srtp_out, sizeof(srtp_out)); + ring_secure_memzero(&srtp_in, sizeof(srtp_in)); if (out_suite && out_key) { // XXX: see srtp_open from libavformat/srtpproto.c if (ff_srtp_set_crypto(&srtp_out, out_suite, out_key) < 0) { diff --git a/src/media/srtp.c b/src/media/srtp.c index e349e32c43..ea529460d3 100644 --- a/src/media/srtp.c +++ b/src/media/srtp.c @@ -42,10 +42,14 @@ void ff_srtp_free(struct SRTPContext *s) return; // aes and hmac have an opaque pointer type. // No API to safely erase them, so just re-init with "dummy keys" to sanitize them - av_aes_init(s->aes, zero_buffer, 128, 0); - av_hmac_init(s->hmac, zero_buffer, sizeof(s->rtp_auth)); - av_freep(&s->aes); - av_hmac_free(s->hmac); + if (s->aes) { + av_aes_init(s->aes, zero_buffer, 128, 0); + av_freep(&s->aes); + } + if (s->hmac) { + av_hmac_init(s->hmac, zero_buffer, sizeof(s->rtp_auth)); + av_hmac_free(s->hmac); + } ring_secure_memzero(s, sizeof(*s)); } -- GitLab