Skip to content
Permalink
Browse files Browse the repository at this point in the history
Merge branch 'advisory-fix-1' CVE-2020-26262
  • Loading branch information
misi committed Jan 10, 2021
2 parents 104ab83 + d84028b commit abfe1fd
Show file tree
Hide file tree
Showing 3 changed files with 30 additions and 2 deletions.
29 changes: 27 additions & 2 deletions src/client/ns_turn_ioaddr.c
Expand Up @@ -483,9 +483,9 @@ int ioa_addr_is_loopback(ioa_addr *addr)
return (u[0] == 127);
} else if(addr->ss.sa_family == AF_INET6) {
const uint8_t *u = ((const uint8_t*)&(addr->s6.sin6_addr));
if(u[7] == 1) {
if(u[15] == 1) {
int i;
for(i=0;i<7;++i) {
for(i=0;i<15;++i) {
if(u[i])
return 0;
}
Expand All @@ -496,6 +496,31 @@ int ioa_addr_is_loopback(ioa_addr *addr)
return 0;
}

/*
To avoid a vulnerability this function checks whether the addr is in 0.0.0.0/8 or ::/128.
Source from (INADDR_ANY) 0.0.0.0/32 and (in6addr_any) ::/128 routed to loopback on Linux systems for old BSD backward compatibility.
https://github.com/torvalds/linux/blob/a2f5ea9e314ba6778f885c805c921e9362ec0420/net/ipv6/tcp_ipv6.c#L182
To avoid any trouble we match the whole 0.0.0.0/8 that defined in RFC6890 as local network "this".
*/
int ioa_addr_is_zero(ioa_addr *addr)
{
if(addr) {
if(addr->ss.sa_family == AF_INET) {
const uint8_t *u = ((const uint8_t*)&(addr->s4.sin_addr));
return (u[0] == 0);
} else if(addr->ss.sa_family == AF_INET6) {
const uint8_t *u = ((const uint8_t*)&(addr->s6.sin6_addr));
int i;
for(i=0;i<=15;++i) {
if(u[i])
return 0;
}
return 1;
}
}
return 0;
}

/////// Map "public" address to "private" address //////////////

// Must be called only in a single-threaded context,
Expand Down
1 change: 1 addition & 0 deletions src/client/ns_turn_ioaddr.h
Expand Up @@ -89,6 +89,7 @@ void ioa_addr_range_cpy(ioa_addr_range* dest, const ioa_addr_range* src);

int ioa_addr_is_multicast(ioa_addr *a);
int ioa_addr_is_loopback(ioa_addr *addr);
int ioa_addr_is_zero(ioa_addr *addr);

/////// Map "public" address to "private" address //////////////

Expand Down
2 changes: 2 additions & 0 deletions src/server/ns_turn_server.c
Expand Up @@ -273,6 +273,8 @@ static int good_peer_addr(turn_turnserver *server, const char* realm, ioa_addr *
return 0;
if( !*(server->allow_loopback_peers) && ioa_addr_is_loopback(peer_addr))
return 0;
if (ioa_addr_is_zero(peer_addr))
return 0;

{
int i;
Expand Down

0 comments on commit abfe1fd

Please sign in to comment.