[Backport] CVE-2020-6532: Use after free in SCTP

Manual backport of patch originally reviewed on https://webrtc-review.googlesource.com/c/src/+/179161 Check for null before accessing SctpTransport map. Bug: chromium:1104061 Change-Id: I52d44ff1603341777a873e747c625665bc11bfa5 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
author: Taylor Brandstetter <deadbeef@webrtc.org> 2020-07-13 11:51:49 -0700
committer: Michael Brüning <michael.bruning@qt.io> 2020-07-29 10:55:40 +0000
commit: da24a7f8bcb62406c1b21e3b0635f9cea6b13553 (patch)
tree: 06a27b0f3931ca55a309a3ca8774eb39aaa9c0bc
parent: a5e8bd5e8c93d8cd52423b3189ffe9a04279149c (diff)
download: qtwebengine-chromium-da24a7f8bcb62406c1b21e3b0635f9cea6b13553.tar.gz
1 files changed, 15 insertions, 1 deletions
diff --git a/chromium/third_party/webrtc/media/sctp/sctp_transport.cc b/chromium/third_party/webrtc/media/sctp/sctp_transport.cc
index e788d89bd64..6b14fcce7f2 100644
--- a/chromium/third_party/webrtc/media/sctp/sctp_transport.cc
+++ b/chromium/third_party/webrtc/media/sctp/sctp_transport.cc
@@ -302,18 +302,21 @@ class SctpTransport::UsrSctpWrapper {
   }
 
   static void UninitializeUsrSctp() {
-    delete g_transport_map_;
     RTC_LOG(LS_INFO) << __FUNCTION__;
     // usrsctp_finish() may fail if it's called too soon after the transports
     // are
     // closed. Wait and try again until it succeeds for up to 3 seconds.
     for (size_t i = 0; i < 300; ++i) {
       if (usrsctp_finish() == 0) {
+        delete g_transport_map_;
+        g_transport_map_ = nullptr;
         return;
       }
 
       rtc::Thread::SleepMs(10);
     }
+    delete g_transport_map_;
+    g_transport_map_ = nullptr;
     RTC_LOG(LS_ERROR) << "Failed to shutdown usrsctp.";
   }
 
@@ -340,6 +343,11 @@ class SctpTransport::UsrSctpWrapper {
                                   size_t length,
                                   uint8_t tos,
                                   uint8_t set_df) {
+    if (!g_transport_map_) {
+      RTC_LOG(LS_ERROR)
+          << "OnSctpOutboundPacket called after usrsctp uninitialized?";
+      return EINVAL;
+    }
     SctpTransport* transport =
         g_transport_map_->Retrieve(reinterpret_cast<uintptr_t>(addr));
     if (!transport) {
@@ -462,6 +470,12 @@ class SctpTransport::UsrSctpWrapper {
     // id of the transport that created them, so [0] is as good as any other.
     struct sockaddr_conn* sconn =
         reinterpret_cast<struct sockaddr_conn*>(&addrs[0]);
+    if (!g_transport_map_) {
+      RTC_LOG(LS_ERROR)
+          << "GetTransportFromSocket called after usrsctp uninitialized?";
+      usrsctp_freeladdrs(addrs);
+      return nullptr;
+    }
     SctpTransport* transport = g_transport_map_->Retrieve(
         reinterpret_cast<uintptr_t>(sconn->sconn_addr));
     usrsctp_freeladdrs(addrs);
author	Taylor Brandstetter <deadbeef@webrtc.org>	2020-07-13 11:51:49 -0700
committer	Michael Brüning <michael.bruning@qt.io>	2020-07-29 10:55:40 +0000
commit	da24a7f8bcb62406c1b21e3b0635f9cea6b13553 (patch)
tree	06a27b0f3931ca55a309a3ca8774eb39aaa9c0bc
parent	a5e8bd5e8c93d8cd52423b3189ffe9a04279149c (diff)
download	qtwebengine-chromium-da24a7f8bcb62406c1b21e3b0635f9cea6b13553.tar.gz