From d95b9088d9daf89e311d17834238c3c7719c30c2 Mon Sep 17 00:00:00 2001
From: "Byron Campen [:bwc]"
Date: Mon, 5 Oct 2015 14:32:22 -0500
Subject: [PATCH] Bug 1211389 - Make absolutely sure the relay->srflx pointer doesn't dangle. r=drno
---
media/mtransport/third_party/nICEr/src/ice/ice_candidate.c | 6 ++++--
media/mtransport/third_party/nICEr/src/ice/ice_candidate.h | 3 +++
media/mtransport/third_party/nICEr/src/ice/ice_component.c | 5 ++++-
3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/media/mtransport/third_party/nICEr/src/ice/ice_candidate.c b/media/mtransport/third_party/nICEr/src/ice/ice_candidate.c
index d3373b2db89..e69dd836aeb 100644
--- a/media/mtransport/third_party/nICEr/src/ice/ice_candidate.c
+++ b/media/mtransport/third_party/nICEr/src/ice/ice_candidate.c
@@ -284,8 +284,6 @@ static void nr_ice_candidate_mark_done(nr_ice_candidate *cand, int state)
 * piggybacking on it. Make sure it is marked done too. */
 if ((cand->type == RELAYED) && cand->u.relayed.srvflx_candidate) {
 nr_ice_candidate *srflx=cand->u.relayed.srvflx_candidate;
- /* Calling done_cb can destroy this, make sure it doesn't dangle. */
- cand->u.relayed.srvflx_candidate=0;
 if (state == NR_ICE_CAND_STATE_INITIALIZED && nr_turn_client_get_mapped_address(cand->u.relayed.turn, &srflx->addr)) {
@@ -325,6 +323,8 @@ int nr_ice_candidate_destroy(nr_ice_candidate **candp)
 case RELAYED:
 if (cand->u.relayed.turn_handle)
 nr_ice_socket_deregister(cand->isock, cand->u.relayed.turn_handle);
+ if (cand->u.relayed.srvflx_candidate)
+ cand->u.relayed.srvflx_candidate->u.srvrflx.relay_candidate=0;
 nr_turn_client_ctx_destroy(&cand->u.relayed.turn);
 nr_socket_destroy(&cand->u.relayed.turn_sock);
 break;
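Review bot: The two lines added under `case RELAYED:` in nr_ice_candidate_destroy write into a different candidate with no comment saying why, and the mirrored pair under `case SERVER_REFLEXIVE:` in the next hunk has the same gap. I would add `/* Unlink from the paired srflx so its relay_candidate back pointer cannot dangle once this candidate is gone. */` above the first, and the matching sentence for the relay's `srvflx_candidate` above the second. This unlink now carries the whole lifetime guarantee, since nr_ice_candidate_mark_done no longer zeroes the pointer before calling into the srflx. Both writes go through the `u` union and so assume the peer still has the paired type; that appears to hold from the single place the link is made in ice_component.c, but the comment should state it. The body of nr_ice_candidate_destroy continues outside both hunks.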
@@ -332,6 +332,8 @@ int nr_ice_candidate_destroy(nr_ice_candidate **candp)
 case SERVER_REFLEXIVE:
 if (cand->u.srvrflx.stun_handle)
 nr_ice_socket_deregister(cand->isock, cand->u.srvrflx.stun_handle);
+ if (cand->u.srvrflx.relay_candidate)
+ cand->u.srvrflx.relay_candidate->u.relayed.srvflx_candidate=0;
 nr_stun_client_ctx_destroy(&cand->u.srvrflx.stun);
 break;
 default:
diff --git a/media/mtransport/third_party/nICEr/src/ice/ice_candidate.h b/media/mtransport/third_party/nICEr/src/ice/ice_candidate.h
index 096ca956d03..16be4027613 100644
--- a/media/mtransport/third_party/nICEr/src/ice/ice_candidate.h
+++ b/media/mtransport/third_party/nICEr/src/ice/ice_candidate.h
@@ -76,6 +76,9 @@ struct nr_ice_candidate_ {
 struct {
 nr_stun_client_ctx *stun;
 void *stun_handle;
+ /* If this is a srflx that is piggybacking on a relay candidate, this is
+ * a back pointer to that relay candidate. */
+ nr_ice_candidate *relay_candidate;
 } srvrflx;
 struct {
 nr_turn_client_ctx *turn;
diff --git a/media/mtransport/third_party/nICEr/src/ice/ice_component.c b/media/mtransport/third_party/nICEr/src/ice/ice_component.c
index 85ede56ebb2..cd4c6cad59d 100644
--- a/media/mtransport/third_party/nICEr/src/ice/ice_component.c
+++ b/media/mtransport/third_party/nICEr/src/ice/ice_component.c
@@ -286,7 +286,10 @@ static int nr_ice_component_initialize_udp(struct nr_ice_ctx_ *ctx,nr_ice_compon
 isock,turn_sock,RELAYED,0,
 &ctx->turn_servers[j].turn_server,component->component_id,&cand))
 ABORT(r);
- cand->u.relayed.srvflx_candidate=srvflx_cand;
+ if (srvflx_cand) {
+ cand->u.relayed.srvflx_candidate=srvflx_cand;
+ srvflx_cand->u.srvrflx.relay_candidate=cand;
+ }
 cand->u.relayed.server=&ctx->turn_servers[j];
 TAILQ_INSERT_TAIL(&component->candidates,cand,entry_comp);
 component->candidate_ct++;
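Review bot: The comment on the new `relay_candidate` member in ice_candidate.h says what the pointer refers to but not who owns it or when it stops being valid. A reader auditing candidate lifetimes needs that stated where the field is declared. I would extend the comment with `Not owned. nr_ice_candidate_destroy() on either candidate zeroes the other side's pointer, so this is either 0 or a live candidate.` The relayed-side `srvflx_candidate` member lies outside this hunk and would benefit from the same sentence.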
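Review bot: In the nr_ice_component_initialize_udp hunk, moving `cand->u.relayed.srvflx_candidate=srvflx_cand;` inside `if (srvflx_cand)` means the field is no longer written when there is no srflx. It then depends on nr_ice_candidate_create having zeroed the union, which is not visible here. Keeping the forward assignment unconditional and guarding only the back pointer preserves the old behaviour: `cand->u.relayed.srvflx_candidate=srvflx_cand;` followed by `if (srvflx_cand) srvflx_cand->u.srvrflx.relay_candidate=cand;`. Separately, the link is made in what appears to be a per-entry pass over `ctx->turn_servers[j]`, and the declaration of srvflx_cand is outside the hunk. If one srflx could ever be paired with more than one relay, the single back pointer would be overwritten and the earlier relay's `srvflx_candidate` would not be cleared when the srflx is destroyed, so a comment or assertion that the pairing is one-to-one would help.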