client: decrease security issues with AnyPortEnable
When AnyPortEnable is true, store the port of the first incoming packet
and check that following packets use the same port
aler9 committed Jan 7, 2023
1 parent 7137d85 commit bf12e12
Showing 2 changed files with 27 additions and 15 deletions.
32 changes: 18 additions & 14 deletions client.go
@@ -1247,29 +1247,33 @@ func (c *Client) doSetup(
}
}

cm.udpRTPListener.readIP = func() net.IP {
if thRes.Source != nil {
return *thRes.Source
}
return c.nconn.RemoteAddr().(*net.TCPAddr).IP
}()
if thRes.Source != nil {
cm.udpRTPListener.readIP = *thRes.Source
} else {
cm.udpRTPListener.readIP = c.nconn.RemoteAddr().(*net.TCPAddr).IP
}

if thRes.ServerPorts != nil {
cm.udpRTPListener.readPort = thRes.ServerPorts[0]
if !c.AnyPortEnable {
cm.udpRTPListener.readPort = thRes.ServerPorts[0]
}
cm.udpRTPListener.writeAddr = &net.UDPAddr{
IP: c.nconn.RemoteAddr().(*net.TCPAddr).IP,
Zone: c.nconn.RemoteAddr().(*net.TCPAddr).Zone,
Port: thRes.ServerPorts[0],
}
}

cm.udpRTCPListener.readIP = func() net.IP {
if thRes.Source != nil {
return *thRes.Source
}
return c.nconn.RemoteAddr().(*net.TCPAddr).IP
}()
if thRes.Source != nil {
cm.udpRTCPListener.readIP = *thRes.Source
} else {
cm.udpRTCPListener.readIP = c.nconn.RemoteAddr().(*net.TCPAddr).IP
}

if thRes.ServerPorts != nil {
cm.udpRTCPListener.readPort = thRes.ServerPorts[1]
if !c.AnyPortEnable {
cm.udpRTCPListener.readPort = thRes.ServerPorts[1]
}
cm.udpRTCPListener.writeAddr = &net.UDPAddr{
IP: c.nconn.RemoteAddr().(*net.TCPAddr).IP,
Zone: c.nconn.RemoteAddr().(*net.TCPAddr).Zone,
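Review bot: Skipping the `readPort` assignment when `c.AnyPortEnable` is true turns the field's zero value into a sentinel that the reader in clientudpl.go treats as "port not learned yet", and neither the RTP nor the RTCP guard says so. I would add a comment above each `if !c.AnyPortEnable {`, for example `// readPort stays 0 here; the reader pins it to the source port of the first packet received from readIP`. It is also worth confirming that both listeners are newly created for every SETUP, because a reused listener would keep a port pinned by an earlier session; this is inferred, since the allocation is not visible here. doSetup starts and ends outside this hunk.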
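--- a/clientudpl.go
+++ b/clientudpl.go
@@ -186,7 +186,15 @@ func (u *clientUDPListener) runReader(forPlay bool) {
 
 uaddr := addr.(*net.UDPAddr)
 
-if !u.readIP.Equal(uaddr.IP) || (!u.anyPortEnable && u.readPort != uaddr.Port) {
+if !u.readIP.Equal(uaddr.IP) {
+continue
+}
+
+// in case of anyPortEnable, store the port of the first packet we receive.
+// this reduces security issues
+if u.anyPortEnable && u.readPort == 0 {
+u.readPort = uaddr.Port
+} else if u.readPort != uaddr.Port {
 continue
 }
 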
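Review bot: The port is pinned from the first datagram whose source IP equals `u.readIP`, before anything in this hunk has checked that the payload is a valid packet, and once `u.readPort` is set there is no path that clears it. Because a UDP source address is not authenticated, a single stray or forged datagram that arrives first would fix the wrong port, and every legitimate packet would then be dropped by the `else if u.readPort != uaddr.Port` branch until the session times out. I would move the assignment to after the packet has been decoded successfully (the decoding is outside this hunk, so this assumes it happens later in the loop). Failing that, state the limitation in the comment, e.g. `// trust-on-first-use: the first datagram from readIP fixes the port for the lifetime of this listener`. If `readPort` is read from any other goroutine, this write from the reader loop also needs synchronisation. runReader starts and ends outside this hunk.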
