agent: make candidate username and password immutable

With this patch we prevent the username and the password of a candidate
to be modified during a session, as required by the RFC, sect 9.1.2.
This is also needed from a memory management point of view, because the
password string pointer may be recorded in the components stun agent
sent_ids[] struct key member, and freeing these values there may cause
an use-after-free condition, when an inbound stun is received from this
candidate. This behavior has been observed with pidgin, xmpp, and
farstream when a same remote candidates are "updated" several times,
even if the credentials don't change in this case.

Reviewed-by: Olivier Crête <olivier.crete@collabora.com>
Differential Revision: https://phabricator.freedesktop.org/D1917

0 files changed, 0 insertions, 0 deletions