Title: [270327] branches/safari-610-branch/Source/ThirdParty/libwebrtc
Revision
270327
Author
[email protected]
Date
2020-12-01 13:39:26 -0800 (Tue, 01 Dec 2020)

Log Message

Apply patch. rdar://problem/71381873

Modified Paths


Diff

Modified: branches/safari-610-branch/Source/ThirdParty/libwebrtc/ChangeLog (270326 => 270327)


--- branches/safari-610-branch/Source/ThirdParty/libwebrtc/ChangeLog	2020-12-01 21:38:29 UTC (rev 270326)
+++ branches/safari-610-branch/Source/ThirdParty/libwebrtc/ChangeLog	2020-12-01 21:39:26 UTC (rev 270327)
@@ -1,3 +1,16 @@
+2020-12-01  Alan Coon  <[email protected]>
+
+        Apply patch. rdar://problem/71381873
+
+    2020-12-01  Youenn Fablet  <[email protected]>
+
+            Check length before dereferencing SCTP notifications.
+            rdar://problem/71381873
+
+            Cherry-picking of upstream webrtc patch.
+
+            * Source/webrtc/media/sctp/sctp_transport.cc:
+
 2020-10-28  Russell Epstein  <[email protected]>
 
         Cherry-pick r268952. rdar://problem/70795327

Modified: branches/safari-610-branch/Source/ThirdParty/libwebrtc/Source/webrtc/media/sctp/sctp_transport.cc (270326 => 270327)


--- branches/safari-610-branch/Source/ThirdParty/libwebrtc/Source/webrtc/media/sctp/sctp_transport.cc	2020-12-01 21:38:29 UTC (rev 270326)
+++ branches/safari-610-branch/Source/ThirdParty/libwebrtc/Source/webrtc/media/sctp/sctp_transport.cc	2020-12-01 21:39:26 UTC (rev 270327)
@@ -1170,14 +1170,31 @@
 void SctpTransport::OnNotificationFromSctp(
     const rtc::CopyOnWriteBuffer& buffer) {
   RTC_DCHECK_RUN_ON(network_thread_);
+  if (buffer.size() < sizeof(sctp_notification::sn_header)) {
+    RTC_LOG(LS_ERROR) << "SCTP notification is shorter than header size: "
+                      << buffer.size();
+    return;
+  }
+
   const sctp_notification& notification =
       reinterpret_cast<const sctp_notification&>(*buffer.data());
-  RTC_DCHECK(notification.sn_header.sn_length == buffer.size());
+  if (buffer.size() != notification.sn_header.sn_length) {
+    RTC_LOG(LS_ERROR) << "SCTP notification length (" << buffer.size()
+                      << ") does not match sn_length field ("
+                      << notification.sn_header.sn_length << ").";
+    return;
+  }
 
   // TODO(ldixon): handle notifications appropriately.
   switch (notification.sn_header.sn_type) {
     case SCTP_ASSOC_CHANGE:
       RTC_LOG(LS_VERBOSE) << "SCTP_ASSOC_CHANGE";
+      if (buffer.size() < sizeof(notification.sn_assoc_change)) {
+        RTC_LOG(LS_ERROR)
+            << "SCTP_ASSOC_CHANGE notification has less than required length: "
+            << buffer.size();
+        return;
+      }
       OnNotificationAssocChange(notification.sn_assoc_change);
       break;
     case SCTP_REMOTE_ERROR:
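Review bot: After the `reinterpret_cast` to `const sctp_notification&` near the top of OnNotificationFromSctp, only `sn_header` is known to lie inside the buffer, yet nothing at the cast says so, and every case now depends on having its own size check. The three cases that gained checks (SCTP_ASSOC_CHANGE here, SCTP_SEND_FAILED_EVENT and SCTP_STREAM_RESET_EVENT in the later hunks) follow that rule, but a case added later could read a union member without one. I would add a comment above the switch such as `// Only sn_header is validated here; each case must check buffer.size() against its own struct before reading type-specific fields.` The switch continues outside this hunk, so the cases not shown should be confirmed to read nothing beyond `sn_header`.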
@@ -1204,6 +1221,12 @@
       RTC_LOG(LS_INFO) << "SCTP_NOTIFICATIONS_STOPPED_EVENT";
       break;
     case SCTP_SEND_FAILED_EVENT: {
+      if (buffer.size() < sizeof(notification.sn_send_failed_event)) {
+        RTC_LOG(LS_ERROR) << "SCTP_SEND_FAILED_EVENT notification has less "
+                             "than required length: "
+                          << buffer.size();
+        return;
+      }
       const struct sctp_send_failed_event& ssfe =
           notification.sn_send_failed_event;
       RTC_LOG(LS_WARNING) << "SCTP_SEND_FAILED_EVENT: message with"
@@ -1216,6 +1239,12 @@
       break;
     }
     case SCTP_STREAM_RESET_EVENT:
+      if (buffer.size() < sizeof(notification.sn_strreset_event)) {
+        RTC_LOG(LS_ERROR) << "SCTP_STREAM_RESET_EVENT notification has less "
+                             "than required length: "
+                          << buffer.size();
+        return;
+      }
       OnStreamResetEvent(&notification.sn_strreset_event);
       break;
     case SCTP_ASSOC_RESET_EVENT:
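Review bot: The size check in the SCTP_STREAM_RESET_EVENT case covers only the fixed part of `sn_strreset_event`, while a stream reset event carries a variable-length stream list after that fixed part. OnStreamResetEvent is outside the hunk, so how it bounds the list cannot be seen here. If it derives the entry count from `strreset_length`, its safety presumably rests on that field occupying the same bytes as `sn_header.sn_length`, which the earlier check ties to `buffer.size()`. That dependency deserves a comment at the call, for example `// strreset_length overlays sn_header.sn_length, already verified equal to buffer.size(), so the stream list stays within the buffer.`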