openwrt-mirror/telephony
1
0
Fork 0
mirror of https://github.com/openwrt/telephony.git synced 2025-12-26 11:16:39 +04:00
Code Issues Packages Projects Releases Wiki Activity
Files
51e62de1821e28c574da3158c73d9e32596f5d4c
telephony/net/restund/patches/200-turn-block-forwarding-to-loopback-any.patch
Sebastian Kemper 612a7535ee restund: fix CVE-2021-21382 
Patches taken from [1].

Added a postinstall note about the upcoming deletion of this package.

[1] https://github.com/wireapp/restund/pull/7

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
(cherry picked from commit dec6316f2f)
2021-12-09 00:22:45 +01:00

70 lines
1.8 KiB
Diff
Raw Blame History

From ffa2d56cac3d37715fe1381df81802774240da92 Mon Sep 17 00:00:00 2001
From: Dusan Stevanovic <dule@wire.com>
Date: Thu, 11 Mar 2021 10:58:32 +0100
Subject: [PATCH] turn: block forwarding to loopback/any
---
modules/turn/turn.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
--- a/modules/turn/turn.c
+++ b/modules/turn/turn.c
@@ -153,6 +153,7 @@ static bool indication_handler(struct re
struct stun_attr *data, *peer;
struct allocation *al;
struct perm *perm;
+ const struct sa *psa;
int err;
(void)sock;
(void)ctx;
@@ -173,13 +174,17 @@ static bool indication_handler(struct re
if (!peer || !data)
return true;
- perm = perm_find(al->perms, &peer->v.xor_peer_addr);
+ psa = &peer->v.xor_peer_addr;
+ perm = perm_find(al->perms, psa);
if (!perm) {
++al->dropc_tx;
return true;
}
- err = udp_send(al->rel_us, &peer->v.xor_peer_addr, &data->v.data);
+ if (sa_is_loopback(psa) || sa_is_any(psa))
+ err = EPERM;
+ else
+ err = udp_send(al->rel_us, psa, &data->v.data);
if (err)
turnd.errc_tx++;
else {
@@ -200,6 +205,7 @@ static bool raw_handler(int proto, const
uint16_t numb, len;
struct perm *perm;
struct chan *chan;
+ const struct sa *psa;
int err;
al = allocation_find(proto, src, dst);
@@ -219,7 +225,8 @@ static bool raw_handler(int proto, const
if (!chan)
return false;
- perm = perm_find(al->perms, chan_peer(chan));
+ psa = chan_peer(chan);
+ perm = perm_find(al->perms, psa);
if (!perm) {
++al->dropc_tx;
return false;
@@ -227,7 +234,10 @@ static bool raw_handler(int proto, const
mb->end = mb->pos + len;
- err = udp_send(al->rel_us, chan_peer(chan), mb);
+ if (sa_is_loopback(psa) || sa_is_any(psa))
+ err = EPERM;
+ else
+ err = udp_send(al->rel_us, psa, mb);
if (err)
turnd.errc_tx++;
else {
Reference in New Issue View Git Blame Copy Permalink