Bug 1589990 - STUN: stun_getifaddrs() can return uninitialised bits which are subsequently used. r=bwc.

In media/mtransport/third_party/nICEr/src/stun/addrs.c:

stun_getifaddrs() is used on all non-WIN32 targets. It extracts from the
kernel an array describing network interfaces (I think).  These are written
into its out-parameter nr_local_addr addrs[] and the number of entries is
written to int *count.

There is a path through the main loop in stun_getifaddrs() which can cause a
nr_local_addr record to be returned with its .interface.type field being
uninitialized, but which nevertheless is later used. It also looks as if the
.interface.estimated_speed field is not initialised.

This commit zero-initialises the entire output array before writing anything
into it, to avoid such problems, on all targets.

Differential Revision: https://phabricator.services.mozilla.com/D58822

--HG--
extra : moz-landing-system : lando
Julian Seward 2020-01-06 18:11:56 +00:00
parent a93aae0a62
commit b261ffc229

@ -437,6 +437,11 @@ nr_stun_get_addrs(nr_local_addr addrs[], int maxaddrs, int *count)
int i;
char typestr[100];
// Ensure output records are always fully defined. See bug 1589990.
if (maxaddrs > 0) {
memset(addrs, 0, maxaddrs * sizeof(nr_local_addr));
}
#ifdef WIN32
_status = stun_get_win32_addrs(addrs, maxaddrs, count);
#else
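Review bot: zero-filling addrs at the top of nr_stun_get_addrs() makes .interface.type and .interface.estimated_speed defined, but the path in stun_getifaddrs() that skips assigning them is untouched, so those records now carry 0 rather than a value chosen for them. Please confirm that 0 is a sensible value for both fields to the code that reads them later, and assign them explicitly on that path as well, so the memset acts as a safety net rather than the only fix. Separately, the new block leaves the other out-parameter alone: if either platform function can return before writing *count, setting *count = 0 next to the memset would give callers a defined value on that path too. Minor style point: sizeof(addrs[0]) instead of sizeof(nr_local_addr) keeps the size tied to the parameter's element type.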