authorTaylor Brandstetter <deadbeef@webrtc.org>2020-09-16 13:10:06 -0700
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-10-27 09:27:47 +0000
commit489d6e637e53f9293ea8cb91c045b37213455033 (patch)
tree007d8f83451c06b4a1678e8b1bd903a858a30c0f
parent99877493b3288cb78fd48a2a28d9b06f258d5866 (diff)
[Backport] CVE-2020-15987: Use after free in WebRTC (1/2)
Manual backport of patch originally reviewed on https://webrtc-review.googlesource.com/c/src/+/184283: Check length before dereferencing SCTP notifications. Bug: chromium:1127774 Change-Id: I6ccf1f5246dfacb26f480bac899f295f89b53d08 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/webrtc/media/sctp/sctp_transport.cc31
1 files changed, 30 insertions, 1 deletions
diff --git a/chromium/third_party/webrtc/media/sctp/sctp_transport.cc b/chromium/third_party/webrtc/media/sctp/sctp_transport.cc
index ad68c37ac97..78bb777cfc5 100644
--- a/chromium/third_party/webrtc/media/sctp/sctp_transport.cc
+++ b/chromium/third_party/webrtc/media/sctp/sctp_transport.cc
@@ -1184,14 +1184,31 @@ void SctpTransport::OnDataFromSctpToTransport(
void SctpTransport::OnNotificationFromSctp(
const rtc::CopyOnWriteBuffer& buffer) {
RTC_DCHECK_RUN_ON(network_thread_);
+ if (buffer.size() < sizeof(sctp_notification::sn_header)) {
+ RTC_LOG(LS_ERROR) << "SCTP notification is shorter than header size: "
+ << buffer.size();
+ return;
+ }
+
const sctp_notification& notification =
reinterpret_cast<const sctp_notification&>(*buffer.data());
- RTC_DCHECK(notification.sn_header.sn_length == buffer.size());
+ if (buffer.size() != notification.sn_header.sn_length) {
+ RTC_LOG(LS_ERROR) << "SCTP notification length (" << buffer.size()
+ << ") does not match sn_length field ("
+ << notification.sn_header.sn_length << ").";
+ return;
+ }
// TODO(ldixon): handle notifications appropriately.
switch (notification.sn_header.sn_type) {
case SCTP_ASSOC_CHANGE:
RTC_LOG(LS_VERBOSE) << "SCTP_ASSOC_CHANGE";
+ if (buffer.size() < sizeof(notification.sn_assoc_change)) {
+ RTC_LOG(LS_ERROR)
+ << "SCTP_ASSOC_CHANGE notification has less than required length: "
+ << buffer.size();
+ return;
+ }
OnNotificationAssocChange(notification.sn_assoc_change);
break;
case SCTP_REMOTE_ERROR:
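Review bot: The guard-log-return sequence added for SCTP_ASSOC_CHANGE is repeated almost verbatim for SCTP_SEND_FAILED_EVENT and SCTP_STREAM_RESET_EVENT in the next two hunks, with only the union member and the message text differing, so a small local helper would make the four length checks uniform and make it harder for a later case to omit one. The per-case minimum-size checks are what make the switch safe: the `sn_length == buffer.size()` comparison only establishes that the header field is self-consistent, not that the type-specific struct the case dereferences is actually present, and a short comment saying so before the switch would help the next reader. The cases between SCTP_REMOTE_ERROR and SCTP_SEND_FAILED_EVENT are outside this diff, so whether every member they read is covered by such a check cannot be confirmed here. OnNotificationFromSctp continues past the end of this hunk.
```cpp
  // Logs and returns true when the notification is too short for the
  // type-specific struct the caller is about to read. The sn_length check
  // above only proves the header is self-consistent, not that the payload
  // for this sn_type is present.
  const auto too_short = [&](size_t required, const char* type_name) {
    if (buffer.size() >= required)
      return false;
    RTC_LOG(LS_ERROR) << type_name
                      << " notification has less than required length: "
                      << buffer.size();
    return true;
  };
  // … unchanged: header-size and sn_length checks …
  switch (notification.sn_header.sn_type) {
    case SCTP_ASSOC_CHANGE:
      RTC_LOG(LS_VERBOSE) << "SCTP_ASSOC_CHANGE";
      if (too_short(sizeof(notification.sn_assoc_change), "SCTP_ASSOC_CHANGE"))
        return;
      OnNotificationAssocChange(notification.sn_assoc_change);
      break;
    // … unchanged: remaining cases, each using too_short() the same way …
```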
@@ -1218,6 +1235,12 @@ void SctpTransport::OnNotificationFromSctp(
RTC_LOG(LS_INFO) << "SCTP_NOTIFICATIONS_STOPPED_EVENT";
break;
case SCTP_SEND_FAILED_EVENT: {
+ if (buffer.size() < sizeof(notification.sn_send_failed_event)) {
+ RTC_LOG(LS_ERROR) << "SCTP_SEND_FAILED_EVENT notification has less "
+ "than required length: "
+ << buffer.size();
+ return;
+ }
const struct sctp_send_failed_event& ssfe =
notification.sn_send_failed_event;
RTC_LOG(LS_WARNING) << "SCTP_SEND_FAILED_EVENT: message with"
@@ -1230,6 +1253,12 @@ void SctpTransport::OnNotificationFromSctp(
break;
}
case SCTP_STREAM_RESET_EVENT:
+ if (buffer.size() < sizeof(notification.sn_strreset_event)) {
+ RTC_LOG(LS_ERROR) << "SCTP_STREAM_RESET_EVENT notification has less "
+ "than required length: "
+ << buffer.size();
+ return;
+ }
OnStreamResetEvent(&notification.sn_strreset_event);
break;
case SCTP_ASSOC_RESET_EVENT:
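Review bot: The new `sizeof(notification.sn_strreset_event)` check covers only the fixed prefix of the stream-reset event, while OnStreamResetEvent presumably walks a trailing stream list whose length it derives from the event's own length field; nothing in this hunk shows that walk being bounded by buffer.size(). If, as I recall from the usrsctp layout, that length field occupies the same position as `sn_header.sn_length`, the `sn_length == buffer.size()` check earlier in the function already pins it, but that reasoning is not visible at the call site and deserves a comment such as `// sizeof() covers only the fixed prefix; the trailing stream list is bounded by the event length, which the sn_length == buffer.size() check above already ties to the buffer (assumes the two length fields alias — verify against usrsctp headers).` The same consideration applies to the variable-length data following sctp_send_failed_event in the previous hunk. OnNotificationFromSctp and the SCTP_ASSOC_RESET_EVENT case continue past the end of this hunk.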