Bug 1211389 - Make absolutely sure the relay->srflx pointer doesn't dangle. r=drno

2024-09-13 09:24:08 -07:00 · 2015-10-05 14:32:22 -05:00 · 2015-10-05 14:32:22 -05:00 · d95b9088d9
commit d95b9088d9
parent ed03c0ad5f
3 changed files with 11 additions and 3 deletions
--- a/media/mtransport/third_party/nICEr/src/ice/ice_candidate.c
+++ b/media/mtransport/third_party/nICEr/src/ice/ice_candidate.c
@ -284,8 +284,6 @@ static void nr_ice_candidate_mark_done(nr_ice_candidate *cand, int state)
     * piggybacking on it. Make sure it is marked done too. */
    if ((cand->type == RELAYED) && cand->u.relayed.srvflx_candidate) {
      nr_ice_candidate *srflx=cand->u.relayed.srvflx_candidate;
-      /* Calling done_cb can destroy this, make sure it doesn't dangle. */
-      cand->u.relayed.srvflx_candidate=0;
      if (state == NR_ICE_CAND_STATE_INITIALIZED &&
          nr_turn_client_get_mapped_address(cand->u.relayed.turn,
                                            &srflx->addr)) {
@ -325,6 +323,8 @@ int nr_ice_candidate_destroy(nr_ice_candidate **candp)
      case RELAYED:
        if (cand->u.relayed.turn_handle)
          nr_ice_socket_deregister(cand->isock, cand->u.relayed.turn_handle);
+        if (cand->u.relayed.srvflx_candidate)
+          cand->u.relayed.srvflx_candidate->u.srvrflx.relay_candidate=0;
        nr_turn_client_ctx_destroy(&cand->u.relayed.turn);
        nr_socket_destroy(&cand->u.relayed.turn_sock);
        break;
@ -332,6 +332,8 @@ int nr_ice_candidate_destroy(nr_ice_candidate **candp)
      case SERVER_REFLEXIVE:
        if (cand->u.srvrflx.stun_handle)
          nr_ice_socket_deregister(cand->isock, cand->u.srvrflx.stun_handle);
+        if (cand->u.srvrflx.relay_candidate)
+          cand->u.srvrflx.relay_candidate->u.relayed.srvflx_candidate=0;
        nr_stun_client_ctx_destroy(&cand->u.srvrflx.stun);
        break;
      default:
--- a/media/mtransport/third_party/nICEr/src/ice/ice_candidate.h
+++ b/media/mtransport/third_party/nICEr/src/ice/ice_candidate.h
@ -76,6 +76,9 @@ struct nr_ice_candidate_ {
    struct {
      nr_stun_client_ctx *stun;
      void *stun_handle;
+      /* If this is a srflx that is piggybacking on a relay candidate, this is
+       * a back pointer to that relay candidate. */
+      nr_ice_candidate *relay_candidate;
    } srvrflx;
    struct {
      nr_turn_client_ctx *turn;
--- a/media/mtransport/third_party/nICEr/src/ice/ice_component.c
+++ b/media/mtransport/third_party/nICEr/src/ice/ice_component.c
@ -286,7 +286,10 @@ static int nr_ice_component_initialize_udp(struct nr_ice_ctx_ *ctx,nr_ice_compon
          isock,turn_sock,RELAYED,0,
          &ctx->turn_servers[j].turn_server,component->component_id,&cand))
           ABORT(r);
-        cand->u.relayed.srvflx_candidate=srvflx_cand;
+        if (srvflx_cand) {
+          cand->u.relayed.srvflx_candidate=srvflx_cand;
+          srvflx_cand->u.srvrflx.relay_candidate=cand;
+        }
        cand->u.relayed.server=&ctx->turn_servers[j];
        TAILQ_INSERT_TAIL(&component->candidates,cand,entry_comp);
        component->candidate_ct++;