Fixed a couple of data channels potential leaks, and addressed potent…

…ial overflow when forwarding data channel messages in plugins (see issue meetecho#302)
speak · Aug 28, 2015 · 1894378 · 1894378
1 parent 8aa3c50
commit 1894378
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 26 deletions.
diff --git a/plugins/janus_echotest.c b/plugins/janus_echotest.c
@@ -508,15 +508,17 @@ void janus_echotest_incoming_data(janus_plugin_session *handle, char *buf, int l
 			return;
 		if(buf == NULL || len <= 0)
 			return;
-		char *text = calloc(len+1, sizeof(char));
+		char *text = g_malloc0(len+1);
 		memcpy(text, buf, len);
 		*(text+len) = '\0';
 		JANUS_LOG(LOG_VERB, "Got a DataChannel message (%zu bytes) to bounce back: %s\n", strlen(text), text);
-		char reply[1<<16];
-		memset(reply, 0, 1<<16);
-		g_snprintf(reply, 1<<16, "Janus EchoTest here! You wrote: %s", text);
-		free(text);
+		/* We send back the same text with a custom prefix */
+		const char *prefix = "Janus EchoTest here! You wrote: ";
+		char *reply = g_malloc0(strlen(prefix)+len+1);
+		g_snprintf(reply, strlen(prefix)+len, "%s%s", prefix, text);
+		g_free(text);
 		gateway->relay_data(handle, reply, strlen(reply));
+		g_free(reply);
 	}
 }
 

diff --git a/plugins/janus_videocall.c b/plugins/janus_videocall.c
@@ -672,12 +672,12 @@ void janus_videocall_incoming_data(janus_plugin_session *handle, char *buf, int
 			return;
 		if(buf == NULL || len <= 0)
 			return;
-		char text[1<<16];
-		memset(text, 0, 1<<16);
+		char *text = g_malloc0(len+1);
 		memcpy(text, buf, len);
-		text[len] = '\0';
+		*(text+len) = '\0';
 		JANUS_LOG(LOG_VERB, "Got a DataChannel message (%zu bytes) to forward: %s\n", strlen(text), text);
 		gateway->relay_data(session->peer->handle, text, strlen(text));
+		g_free(text);
 	}
 }
 

diff --git a/plugins/janus_videoroom.c b/plugins/janus_videoroom.c
@@ -339,11 +339,6 @@ typedef struct janus_videoroom_rtp_relay_packet {
 	uint16_t seq_number;
 } janus_videoroom_rtp_relay_packet;
 
-typedef struct janus_videoroom_data_relay_packet {
-	char *data;
-	gint length;
-} janus_videoroom_data_relay_packet;
-
 /* SDP offer/answer templates */
 #define OPUS_PT		111
 #define VP8_PT		100
@@ -1865,10 +1860,13 @@ void janus_videoroom_incoming_data(janus_plugin_session *handle, char *buf, int
 	if(!session || session->destroyed || !session->participant || session->participant_type != janus_videoroom_p_type_publisher)
 		return;
 	janus_videoroom_participant *participant = (janus_videoroom_participant *)session->participant;
-	janus_videoroom_data_relay_packet packet;
-	packet.data = buf;
-	packet.length = len;
-	g_slist_foreach(participant->listeners, janus_videoroom_relay_data_packet, &packet);
+	/* Get a string out of the data */
+	char *text = g_malloc0(len+1);
+	memcpy(text, buf, len);
+	*(text+len) = '\0';
+	JANUS_LOG(LOG_VERB, "Got a DataChannel message (%zu bytes) to forward: %s\n", strlen(text), text);
+	g_slist_foreach(participant->listeners, janus_videoroom_relay_data_packet, text);
+	g_free(text);
 }
 
 void janus_videoroom_slow_link(janus_plugin_session *handle, int uplink, int video) {
@@ -3719,7 +3717,7 @@ static void janus_videoroom_relay_rtp_packet(gpointer data, gpointer user_data)
 }
 
 static void janus_videoroom_relay_data_packet(gpointer data, gpointer user_data) {
-	janus_videoroom_data_relay_packet *packet = (janus_videoroom_data_relay_packet *)user_data;
+	char *text = (char *)user_data;
 	janus_videoroom_listener *listener = (janus_videoroom_listener *)data;
 	if(!listener || !listener->session || !listener->data || listener->paused) {
 		return;
@@ -3731,12 +3729,8 @@ static void janus_videoroom_relay_data_packet(gpointer data, gpointer user_data)
 	if(!session->started) {
 		return;
 	}
-	if(gateway != NULL) {
-		char text[1<<16];
-		memset(text, 0, 1<<16);
-		memcpy(text, packet->data, packet->length);
-		text[packet->length] = '\0';
-		JANUS_LOG(LOG_VERB, "Got a DataChannel message (%zu bytes) to forward: %s\n", strlen(text), text);
+	if(gateway != NULL && text != NULL) {
+		JANUS_LOG(LOG_VERB, "Forwarding DataChannel message (%zu bytes) to viewer: %s\n", strlen(text), text);
 		gateway->relay_data(session->handle, text, strlen(text));
 	}
 	return;

diff --git a/sctp.c b/sctp.c
@@ -1310,10 +1310,20 @@ void *janus_sctp_thread(void *data) {
 	JANUS_LOG(LOG_INFO, "[%"SCNu64"] Leaving SCTP association thread\n", sctp->handle_id);
 	/* This association has been destroyed, wait a bit and then free all the resources */
 	g_usleep (1*G_USEC_PER_SEC);
-	g_queue_free(sctp->in_messages);
+	GQueue *tmp = sctp->in_messages;
 	sctp->in_messages = NULL;
-	g_queue_free(sctp->out_messages);
+	while(!g_queue_is_empty(tmp)) {
+		message = g_queue_pop_head(tmp);
+		janus_sctp_message_destroy(message);
+	}
+	g_queue_free(tmp);
+	tmp = sctp->out_messages;
 	sctp->out_messages = NULL;
+	while(!g_queue_is_empty(tmp)) {
+		message = g_queue_pop_head(tmp);
+		janus_sctp_message_destroy(message);
+	}
+	g_queue_free(tmp);
 	sctp->thread = NULL;
 #ifdef DEBUG_SCTP
 	if(sctp->debug_dump != NULL)