[libnice] NULL dereference on socket_is_reliable
alberto
alberto at ikatu.com
Thu Nov 5 18:11:53 PST 2015
Hi,
We found that Libnice attempts to dereference a NULL pointer during ICE
negotiation when checking if a socket is reliable.
The error happened when using TURN servers with ports different than
3478. In particular, the following is a dump for a crash that happened
when trying to use a TURN relay using TLS over TCP on port 5349.
The crash includes libnice log and some GDB output.
<<<
(process:350): libnice-DEBUG: Created NiceStream (1 created, 0 destroyed)
(process:350): libnice-DEBUG: Created NiceComponent (1 created, 0 destroyed)
(process:350): libnice-DEBUG: Agent 0x9a0e000 : allocating stream id 1
(0x9a0e800)
(process:350): libnice-DEBUG: Agent 0x9a0e000: added relay server
[50.97.253.79]:443 of type 0 to s/c 1/1 with user/pass :
1_784f5292-83c5-11e5-b069-b4497d285982 --
784f5332-83c5-11e5-8b0f-3ebfa97e64eb
(process:350): libnice-DEBUG: Agent 0x9a0e000: added relay server
[50.97.253.79]:443 of type 1 to s/c 1/1 with user/pass :
1_784f5292-83c5-11e5-b069-b4497d285982 --
784f5332-83c5-11e5-8b0f-3ebfa97e64eb
(process:350): libnice-DEBUG: Agent 0x9a0e000: added relay server
[50.97.253.79]:5349 of type 0 to s/c 1/1 with user/pass :
1_784f5292-83c5-11e5-b069-b4497d285982 --
784f5332-83c5-11e5-8b0f-3ebfa97e64eb
(process:350): libnice-DEBUG: Agent 0x9a0e000: added relay server
[50.97.253.79]:5349 of type 1 to s/c 1/1 with user/pass :
1_784f5292-83c5-11e5-b069-b4497d285982 --
784f5332-83c5-11e5-8b0f-3ebfa97e64eb
(process:350): libnice-DEBUG: Agent 0x9a0e000 : In ICE-FULL mode,
starting candidate gathering.
(process:350): libnice-DEBUG: Agent 0x9a0e000 : libnice compiled without
UPnP support
(process:350): libnice-DEBUG: Agent 0x9a0e000: Trying to create host
candidate on port 0
(process:350): libnice-DEBUG: Agent 0x9a0e000: Could not set IPV6 socket
ToS: Protocol not available
(process:350): libnice-DEBUG: Component 0x9a46f00 (agent 0x9a0e000):
Attach source (stream 1).
(process:350): libnice-DEBUG: Attaching source 0x9a13f48 (socket
0x9a16c00, FD 59) to context 0xf370a9f8
(process:350): libnice-DEBUG: Agent 0x9a0e000 : Adding new srv-rflx
candidate discovery 0x9a53948
(process:350): libnice-DEBUG: Agent 0x9a0e000 : Adding new relay-rflx
candidate discovery 0x9a66498
(process:350): libnice-DEBUG: Agent 0x9a0e000: Could not set IPV6 socket
ToS: Protocol not available
(process:350): libnice-DEBUG: Component 0x9a46f00 (agent 0x9a0e000):
Attach source (stream 1).
(process:350): libnice-DEBUG: Attaching source 0x97ec438 (socket
0x9a16c90, FD 60) to context 0xf370a9f8
(process:350): libnice-DEBUG: Agent 0x9a0e000 : Adding new relay-rflx
candidate discovery 0x9a78fe8
(process:350): libnice-DEBUG: Agent 0x9a0e000 : Adding new relay-rflx
candidate discovery 0x9a9bb50
(process:350): libnice-DEBUG: Agent 0x9a0e000: Could not set IPV6 socket
ToS: Protocol not available
(process:350): libnice-DEBUG: Component 0x9a46f00 (agent 0x9a0e000):
Attach source (stream 1).
(process:350): libnice-DEBUG: Attaching source 0x97ec4a0 (socket
0x9a16d20, FD 61) to context 0xf370a9f8
(process:350): libnice-DEBUG: Agent 0x9a0e000 : Adding new relay-rflx
candidate discovery 0x9aae6a0
(process:350): libnice-DEBUG: Agent 0x9a0e000: Trying to create host
candidate on port 0
(process:350): libnice-DEBUG: Agent 0x9a0e000: Trying to create host
candidate on port 0
(process:350): libnice-DEBUG: Agent 0x9a0e000: Could not set IPV6 socket
ToS: Protocol not available
(process:350): libnice-DEBUG: Component 0x9a46f00 (agent 0x9a0e000):
Attach source (stream 1).
(process:350): libnice-DEBUG: Attaching source 0x9a10728 (socket
0x9a16db0, FD 62) to context 0xf370a9f8
(process:350): libnice-DEBUG: Agent 0x9a0e000 : discovery tick #1 with
list 0x97f98d8 (1)
(process:350): libnice-DEBUG: Agent 0x9a0e000 : discovery - scheduling
cand type 1 addr 50.97.253.79.
(process:350): libnice-DEBUG: Agent 0x9a0e000 : stream 1 component 1
STATE-CHANGE disconnected -> gathering.
(process:350): libnice-DEBUG: Agent 0x9a0e000 : discovery - scheduling
cand type 3 addr 50.97.253.79.
(process:350): libnice-DEBUG: Agent 0x9a0e000 : discovery - scheduling
cand type 3 addr 50.97.253.79.
(process:350): libnice-DEBUG: Agent 0x9a0e000 : discovery - scheduling
cand type 3 addr 50.97.253.79.
(process:350): libnice-DEBUG: Agent 0x9a0e000 : discovery - scheduling
cand type 3 addr 50.97.253.79.
(process:350): libnice-DEBUG: Agent 0x9a0e000: NiceSocket 0x9a16d20 has
received HUP
(process:350): libnice-DEBUG: Detach socket 0x9a16d20.
(process:350): libnice-DEBUG: Detaching source 0x97ec4a0 (socket
0x9a16d20, FD 61) from context 0xf370a9f8
(process:350): libnice-DEBUG: Detaching source (nil) (socket 0x9a16d20,
FD 61) from context (nil)
(process:350): libnice-stun-DEBUG: STUN transaction retransmitted
(timeout 397ms).
(process:350): libnice-stun-DEBUG: STUN transaction retransmitted
(timeout 397ms).
(process:350): libnice-stun-DEBUG: STUN transaction retransmitted
(timeout 397ms).
(process:350): libnice-stun-DEBUG: STUN transaction retransmitted
(timeout 397ms).
(process:350): libnice-stun-DEBUG: STUN transaction retransmitted
(timeout 397ms).
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xe8affb40 (LWP 413)]
0xf55c5896 in socket_is_reliable (sock=0x9a16d20) at udp-turn-over-tcp.c:442
442 return nice_socket_is_reliable (priv->base_socket);
(gdb) where
#0 0xf55c5896 in socket_is_reliable (sock=0x9a16d20) at
udp-turn-over-tcp.c:442
#1 0xf55c297d in nice_socket_is_reliable (sock=sock at entry=0x9a16d20) at
socket.c:249
#2 0xf55b1696 in agent_socket_send (sock=0x9a16d20,
addr=addr at entry=0x9aae6ac, len=92, buf=buf at entry=0x9ab0c88 "") at
agent.c:5992
#3 0xf55b8a07 in priv_discovery_tick_unlocked
(pointer=pointer at entry=0x9a0e000) at discovery.c:1130
#4 0xf55b8b42 in priv_discovery_tick (pointer=0x9a0e000) at
discovery.c:1189
#5 0xf545c312 in g_timeout_dispatch () from /usr/lib/libglib-2.0.so.0
#6 0xf545a5b5 in g_main_dispatch () from /usr/lib/libglib-2.0.so.0
#7 0xf545b175 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#8 0xf545b362 in g_main_context_iterate () from /usr/lib/libglib-2.0.so.0
#9 0xf545b7dc in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#10 0x08bbfac7 in DataChannel::Loop () at
Src/datachannel/DataChannel.cpp:598
#11 0x0915e83e in StartSeparateDelegateThread (thr=0x8bbfa66
<DataChannel::Loop()>) at Src/Threads.cpp:73
#12 0xf5395f70 in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#13 0xf52cbbee in clone () from /lib/i386-linux-gnu/libc.so.6
(gdb) p sock
$1 = (NiceSocket *) 0x9a16d20
(gdb) p sock->priv
$2 = (void *) 0x0
(gdb)
>>>
If we modify the file udp-turn-over-tcp.c on line 442 in the following way:
442 return priv->base_socket != NULL && nice_socket_is_reliable
(priv->base_socket);
then the program does not crash anymore, but we are unsure that this is
a correct solution or just a (possibly unneeded) security check.
Has anyone encountered this kind of situation?
Thanks!
Alberto Canabal
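The failure mode in the report above, as an added example that is not libnice code and not part of the original post: a small stand-in for a socket wrapper whose private layer forwards `is_reliable` to a base socket, a detach step that models the HUP seen in the log, and a caller (the discovery tick) that still holds the socket pointer afterwards. The GDB output shows `sock->priv` itself is NULL, so the guarded check here tests `priv` as well as `priv->base_socket`; all type and function names (`NiceSocket`, `TurnTcpPriv`, `turn_tcp_socket_detach`, `simulate_tick_after_hup`) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a libnice-style socket object (example code,
 * not libnice's own): an opaque private pointer plus a vtable-style method. */
typedef struct NiceSocket NiceSocket;
struct NiceSocket {
    void *priv;                         /* implementation-private data, may be NULL */
    bool (*is_reliable)(NiceSocket *);  /* per-implementation reliability check */
};

/* Private data of the "UDP over TCP TURN" wrapper: forwards to a base socket. */
typedef struct {
    NiceSocket *base_socket;
} TurnTcpPriv;

/* A plain TCP base socket is reliable. */
static bool tcp_base_is_reliable(NiceSocket *sock) {
    (void)sock;
    return true;
}

/* Public entry point: dispatches to the implementation, tolerating NULL. */
bool nice_socket_is_reliable(NiceSocket *sock) {
    if (sock == NULL || sock->is_reliable == NULL)
        return false;
    return sock->is_reliable(sock);
}

/* Guarded wrapper check: once priv or the base socket has been torn down
 * (as after HUP + detach), answer "not reliable" instead of dereferencing
 * NULL. Checking only base_socket would still crash when priv is NULL. */
static bool turn_tcp_is_reliable(NiceSocket *sock) {
    TurnTcpPriv *priv = sock ? (TurnTcpPriv *)sock->priv : NULL;
    if (priv == NULL || priv->base_socket == NULL)
        return false;
    return nice_socket_is_reliable(priv->base_socket);
}

NiceSocket *turn_tcp_socket_new(NiceSocket *base) {
    NiceSocket *s = calloc(1, sizeof *s);
    TurnTcpPriv *p = calloc(1, sizeof *p);
    if (s == NULL || p == NULL) { free(s); free(p); return NULL; }
    p->base_socket = base;
    s->priv = p;
    s->is_reliable = turn_tcp_is_reliable;
    return s;
}

/* Models the HUP handling from the log: the private layer is freed and
 * priv cleared, but the NiceSocket object stays alive because another
 * component (a pending discovery tick) still holds a pointer to it. */
void turn_tcp_socket_detach(NiceSocket *s) {
    if (s == NULL) return;
    free(s->priv);
    s->priv = NULL;
}

/* Scenario from the report: a discovery tick queries a socket that was
 * detached after HUP. Returns true when the check was reliable before the
 * detach and safely reports "unreliable" (no crash) afterwards. */
bool simulate_tick_after_hup(void) {
    NiceSocket base = { .priv = NULL, .is_reliable = tcp_base_is_reliable };
    NiceSocket *turn = turn_tcp_socket_new(&base);
    if (turn == NULL) return false;
    bool before = nice_socket_is_reliable(turn);  /* wrapper forwards to TCP base */
    turn_tcp_socket_detach(turn);                 /* priv becomes NULL, as in GDB */
    bool after = nice_socket_is_reliable(turn);   /* guarded: false, no SIGSEGV */
    free(turn);
    return before && !after;
}

int main(void) {
    printf("tick after HUP handled safely: %s\n",
           simulate_tick_after_hup() ? "yes" : "no");
    return 0;
}
```

The guard only papers over the symptom; the underlying issue the log points at is a lifetime problem, where the discovery list still references a socket that was detached on HUP. A check like this keeps the process up, but the detach path should also remove (or mark) the socket in any pending discovery entries so that the tick never reaches it.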