[libnice] integer overflow in pseudotcp.c
jeremysspiegel at gmail.com
Fri Jun 20 15:34:46 PDT 2014
It appears that get_current_time() in pseudotcp.c returns a guint32, representing milliseconds of the monotonic clock, which would overflow when the system has been up for ~50 days. I found this when my process was consuming 100% CPU on one of my test servers, which happened to be the only one up for that long.

It looks like the problem occurs when the overflowed value is returned from pseudo_tcp_socket_get_next_clock() to adjust_tcp_clock() in agent.c, and is used to create a negative interval clamped to 0, which is passed to g_timeout_source_new(). Even though we explicitly set g_source_set_ready_time() to some time in the future in adjust_tcp_clock(), g_timeout_set_expiration() in gmain.c seems to always set the ready time to the current time, since the timeout object was originally created with an interval of 0.

I tried fixing this by having the times in PseudoTcpSocketPrivate be stored as offsets from when pseudo_tcp_socket_init() is called, and by having pseudo_tcp_socket_get_next_clock() pass through a non-overflowed guint64. This appears to have fixed the problem. Does this sound like the right explanation for the behavior I'm seeing?
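The clock arithmetic the post describes, as an added stand-alone example (not libnice code, and not the poster's patch): a 32-bit millisecond reading wraps after 2^32 ms, about 49.7 days, so a wrapped "next clock" value subtracted from a full 64-bit "now" goes hugely negative, is clamped to 0, and the timer is rearmed to fire immediately. The functions current_time_u32(), naive_interval_ms(), fixed_interval_ms() and wrapsafe_interval_ms() and the struct ptcp_clock are hypothetical stand-ins written for this example. The 64-bit offset-from-init variant mirrors the fix the post sketches; the wrap-safe 32-bit subtraction is an alternative the post does not discuss, included because it is the other standard way to make such timers survive a wrap.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* 2^32 ms is about 49.7 days, so any host up longer than that has a
 * wrapped 32-bit monotonic millisecond clock. */
#define MS_PER_DAY (24ULL * 60 * 60 * 1000)

/* Hypothetical stand-in for a guint32 get_current_time(): the 64-bit
 * monotonic clock in milliseconds, truncated to 32 bits. */
static uint32_t current_time_u32(uint64_t monotonic_ms)
{
    return (uint32_t) monotonic_ms;
}

/* Failure mode from the post: the next tick is a wrapped 32-bit value,
 * "now" is the full 64-bit reading, so the difference is a large
 * negative number that the clamp turns into 0. A timer armed with 0
 * fires immediately, every time, which is the 100% CPU spin. */
static int64_t naive_interval_ms(uint64_t now_ms, uint32_t next_clock_ms)
{
    int64_t interval = (int64_t) next_clock_ms - (int64_t) now_ms;
    return interval < 0 ? 0 : interval;
}

/* Fixed variant in the spirit of the post's patch: keep pseudo-TCP
 * times as 64-bit offsets from the moment the socket was initialised
 * and do the subtraction in 64 bits, so nothing wraps in practice. */
struct ptcp_clock {
    uint64_t init_ms;      /* monotonic ms when the socket was created */
    uint64_t next_offset;  /* ms after init_ms at which the next tick is due */
};

static uint64_t fixed_interval_ms(const struct ptcp_clock *c, uint64_t monotonic_ms)
{
    uint64_t now = monotonic_ms - c->init_ms;
    return c->next_offset > now ? c->next_offset - now : 0;
}

/* Alternative (not from the post): if both values must stay 32-bit,
 * unsigned subtraction followed by a signed reinterpretation is
 * correct across the wrap as long as the two times are less than
 * 2^31 ms apart. Reinterpreting an out-of-range unsigned value as
 * int32_t is implementation-defined in C but two's complement on
 * every mainstream compiler. */
static int32_t wrapsafe_interval_ms(uint32_t now32, uint32_t next32)
{
    int32_t d = (int32_t) (next32 - now32);
    return d < 0 ? 0 : d;
}

int main(void)
{
    /* Constructed scenario: host up for 60 days, next tick due in 25 ms. */
    uint64_t uptime_ms = 60 * MS_PER_DAY;
    uint32_t next_u32 = current_time_u32(uptime_ms + 25);   /* already wrapped */

    printf("naive interval after 60 days: %lld ms (should be 25)\n",
           (long long) naive_interval_ms(uptime_ms, next_u32));

    struct ptcp_clock c = { .init_ms = uptime_ms - 1000, .next_offset = 1025 };
    printf("64-bit offset interval:       %llu ms\n",
           (unsigned long long) fixed_interval_ms(&c, uptime_ms));

    printf("wrap-safe 32-bit interval:    %d ms\n",
           wrapsafe_interval_ms(current_time_u32(uptime_ms), next_u32));
    return 0;
}
```

Running it on a simulated 60-day uptime shows the naive computation collapsing to 0 while both alternatives return the intended 25 ms; below the 49.7-day mark all three agree, which is why the bug only showed up on the one long-running test server.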