diff options
| author | Fabrice Bellet <fabrice@bellet.info> | 2019-06-09 13:13:43 +0200 |
|---|---|---|
| committer | Olivier CrĂȘte <olivier.crete@collabora.com> | 2019-07-04 17:03:43 -0400 |
| commit | 8e5809b7f709f8f2b49022610e0da7c8e761d322 (patch) | |
| tree | c33d8815d315285f26adfccbf3c8a73b1284694d /agent/component.c | |
| parent | 17170c9a393041157f69a3d4ae4eca5a1aaf9a7a (diff) | |
| download | libnice-8e5809b7f709f8f2b49022610e0da7c8e761d322.tar.gz | |
discovery: fix an use-after-free in SFB user credentials
The base64 decoded username and password strings given to
stun_usage_turn_create() should not freed immediately, since they remain
used when handling the following related inbound stun replies.
Diffstat (limited to 'agent/component.c')
| -rw-r--r-- | agent/component.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/agent/component.c b/agent/component.c index 60ffe5e..536ee86 100644 --- a/agent/component.c +++ b/agent/component.c @@ -1482,6 +1482,10 @@ turn_server_new (const gchar *server_ip, guint server_port, } turn->username = g_strdup (username); turn->password = g_strdup (password); + turn->decoded_username = + g_base64_decode ((gchar *)username, &turn->decoded_username_len); + turn->decoded_password = + g_base64_decode ((gchar *)password, &turn->decoded_password_len); turn->type = type; return turn; @@ -1503,6 +1507,8 @@ turn_server_unref (TurnServer *turn) if (turn->ref_count == 0) { g_free (turn->username); g_free (turn->password); + g_free (turn->decoded_username); + g_free (turn->decoded_password); g_slice_free (TurnServer, turn); } } |