Changeset 272504 in webkit


Timestamp:
Feb 8, 2021 11:47:30 AM (3 years ago)
Author:
youenn@apple.com
Message:

NetworkRTCSocketCocoa extractDataMessages should not read too much data
https://bugs.webkit.org/show_bug.cgi?id=221544

Reviewed by Eric Carlson.

Source/WebCore:

Move STUN/TURN message parsing into its own file so that we can add an API test.
Code is taken from Source/WebKit/NetworkProcess/webrtc/NetworkRTCSocketCocoa.mm.
Fix the test verifying we can actually read a message given its expected length.

Covered by API test.

  • Headers.cmake:
  • Modules/mediastream/STUNMessageParsing.cpp: Added.

(WebCore::isStunMessage):
(WebCore::getSTUNOrTURNMessageLengths):
(WebCore::extractSTUNOrTURNMessages):
(WebCore::extractDataMessages):
(WebCore::extractMessages):

  • Modules/mediastream/STUNMessageParsing.h: Added.
  • Sources.txt:
  • WebCore.xcodeproj/project.pbxproj:

Source/WebKit:

  • NetworkProcess/webrtc/NetworkRTCSocketCocoa.mm:

Make use of WebCore method.

Tools:

  • TestWebKitAPI/Tests/WebCore/STUNMessageParsingTest.cpp: Added.

(TestWebKitAPI::TEST):

  • TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
Location:
trunk
Files:
3 added
8 edited

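--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,26 @@
+2021-02-08  Youenn Fablet  <youenn@apple.com>
+
+        NetworkRTCSocketCocoa extractDataMessages should not read too much data
+        https://bugs.webkit.org/show_bug.cgi?id=221544
+
+        Reviewed by Eric Carlson.
+
+        Move STUN/TURN message parsing to its own file routine so that we can add API test.
+        Code is taken from Source/WebKit/NetworkProcess/webrtc/NetworkRTCSocketCocoa.mm.
+        Fix the test verifying we can actually read a message given its expected length.
+
+        Covered by API test.
+
+        * Headers.cmake:
+        * Modules/mediastream/STUNMessageParsing.cpp: Added.
+        (WebCore::isStunMessage):
+        (WebCore::getSTUNOrTURNMessageLengths):
+        (WebCore::extractSTUNOrTURNMessages):
+        (WebCore::extractDataMessages):
+        (WebCore::extractMessages):
+        * Modules/mediastream/STUNMessageParsing.h: Added.
+        * Sources.txt:
+        * WebCore.xcodeproj/project.pbxproj:
+
 2021-02-08  Wenson Hsieh  <wenson_hsieh@apple.com>
 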
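--- a/trunk/Source/WebCore/Headers.cmake
+++ b/trunk/Source/WebCore/Headers.cmake
@@ -107,4 +107,5 @@
     Modules/mediastream/MediaTrackConstraints.h
     Modules/mediastream/RTCController.h
+    Modules/mediastream/STUNMessageParsing.h
     Modules/mediastream/UserMediaClient.h
     Modules/mediastream/UserMediaController.h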
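--- a/trunk/Source/WebCore/Sources.txt
+++ b/trunk/Source/WebCore/Sources.txt
@@ -180,4 +180,5 @@
 Modules/mediastream/RTCTrackEvent.cpp
 Modules/mediastream/SFrameUtils.cpp
+Modules/mediastream/STUNMessageParsing.cpp
 Modules/mediastream/UserMediaController.cpp
 Modules/mediastream/UserMediaRequest.cpp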
  • trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

    r272480 r272504  
    11611161                41E12E9F24FE74E20093FFB4 /* WebSocketIdentifier.h in Headers */ = {isa = PBXBuildFile; fileRef = 41E12E9D24FE74E20093FFB4 /* WebSocketIdentifier.h */; settings = {ATTRIBUTES = (Private, ); }; };
    11621162                41E1B1D10FF5986900576B3B /* AbstractWorker.h in Headers */ = {isa = PBXBuildFile; fileRef = 41E1B1CB0FF5986900576B3B /* AbstractWorker.h */; };
     1163                41E67A8325D16847007B0A4C /* STUNMessageParsing.h in Headers */ = {isa = PBXBuildFile; fileRef = 41E67A8125D16847007B0A4C /* STUNMessageParsing.h */; settings = {ATTRIBUTES = (Private, ); }; };
    11631164                41E9DCE7231974BF00F35949 /* BlobLoader.h in Headers */ = {isa = PBXBuildFile; fileRef = 41E9DCE4231973FE00F35949 /* BlobLoader.h */; settings = {ATTRIBUTES = (Private, ); }; };
    11641165                41E9DCE92319CA7600F35949 /* NetworkSendQueue.h in Headers */ = {isa = PBXBuildFile; fileRef = 41E9DCE82319CA7500F35949 /* NetworkSendQueue.h */; settings = {ATTRIBUTES = (Private, ); }; };
     
    79527953                41E59400214865AA00D3CB61 /* RTCRtpHeaderExtensionParameters.idl */ = {isa = PBXFileReference; lastKnownFileType = text; path = RTCRtpHeaderExtensionParameters.idl; sourceTree = "<group>"; };
    79537954                41E59401214865AB00D3CB61 /* RTCRtpFecParameters.idl */ = {isa = PBXFileReference; lastKnownFileType = text; path = RTCRtpFecParameters.idl; sourceTree = "<group>"; };
     7955                41E67A7F25D16846007B0A4C /* STUNMessageParsing.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = STUNMessageParsing.cpp; sourceTree = "<group>"; };
     7956                41E67A8125D16847007B0A4C /* STUNMessageParsing.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = STUNMessageParsing.h; sourceTree = "<group>"; };
    79547957                41E9DCE4231973FE00F35949 /* BlobLoader.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = BlobLoader.h; sourceTree = "<group>"; };
    79557958                41E9DCE62319742300F35949 /* EndingType.idl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = EndingType.idl; sourceTree = "<group>"; };
     
    1734417347                                41209E26257A2FBB00120ACA /* SFrameUtils.cpp */,
    1734517348                                41209E24257A2FBB00120ACA /* SFrameUtils.h */,
     17349                                41E67A7F25D16846007B0A4C /* STUNMessageParsing.cpp */,
     17350                                41E67A8125D16847007B0A4C /* STUNMessageParsing.h */,
    1734617351                                07221B8D17CEC32700848E51 /* UserMediaClient.h */,
    1734717352                                07221B8E17CEC32700848E51 /* UserMediaController.cpp */,
     
    3478434789                                849F77760EFEC6200090849D /* StrokeStyleApplier.h in Headers */,
    3478534790                                414B82051D6DF0E50077EBE3 /* StructuredClone.h in Headers */,
     34791                                41E67A8325D16847007B0A4C /* STUNMessageParsing.h in Headers */,
    3478634792                                713922BE2518AB77005DB3C2 /* Styleable.h in Headers */,
    3478734793                                E45BA6B6237622A3004DFC07 /* StyleAdjuster.h in Headers */,
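--- a/trunk/Source/WebKit/ChangeLog
+++ b/trunk/Source/WebKit/ChangeLog
@@ -1,2 +1,12 @@
+2021-02-08  Youenn Fablet  <youenn@apple.com>
+
+        NetworkRTCSocketCocoa extractDataMessages should not read too much data
+        https://bugs.webkit.org/show_bug.cgi?id=221544
+
+        Reviewed by Eric Carlson.
+
+        * NetworkProcess/webrtc/NetworkRTCSocketCocoa.mm:
+        Make use of WebCore method.
+
 2021-02-08  Youenn Fablet  <youenn@apple.com>
 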
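--- a/trunk/Source/WebKit/NetworkProcess/webrtc/NetworkRTCSocketCocoa.mm
+++ b/trunk/Source/WebKit/NetworkProcess/webrtc/NetworkRTCSocketCocoa.mm
@@ -31,4 +31,5 @@
 #include "DataReference.h"
 #include "LibWebRTCNetworkMessages.h"
+#include <WebCore/STUNMessageParsing.h>
 #include <dispatch/dispatch.h>
 #include <wtf/BlockPtr.h>
@@ -54,92 +55,4 @@
         return nullptr;
     return makeUnique<NetworkRTCSocketCocoa>(identifier, rtcProvider, remoteAddress, tcpOptions, WTFMove(connection));
-}
-
-static inline bool isStunMessage(uint16_t messageType)
-{
-    // https://tools.ietf.org/html/rfc5389#section-6 for STUN messages.
-    // TURN messages start by the channel number which is constrained by https://tools.ietf.org/html/rfc5766#section-11.
-    return !(messageType & 0xC000);
-}
-
-struct STUNMessageLengths {
-    size_t messageLength { 0 };
-    size_t messageLengthWithPadding { 0 };
-};
-
-static inline Optional<STUNMessageLengths> getSTUNOrTURNMessageLengths(const uint8_t* data, size_t size)
-{
-    if (size < 4)
-        return { };
-
-    auto messageType = be16toh(*reinterpret_cast<const uint16_t*>(data));
-    auto messageLength = be16toh(*reinterpret_cast<const uint16_t*>(data + 2));
-
-    // STUN data message header is 20 bytes.
-    if (isStunMessage(messageType)) {
-        size_t length = 20 + messageLength;
-        return STUNMessageLengths { length, length };
-    }
-
-    // TURN data message header is 4 bytes plus padding bytes to get 4 bytes alignment as needed.
-    size_t length = 4 + messageLength;
-    size_t roundedLength = length % 4 ? (length + 4 - (length % 4)) : length;
-    return STUNMessageLengths { length, roundedLength };
-}
-
-static inline Vector<uint8_t> extractSTUNOrTURNMessages(Vector<uint8_t>&& buffered, const Function<void(const uint8_t* data, size_t size)>& processMessage)
-{
-    auto* data = buffered.data();
-    size_t size = buffered.size();
-
-    while (true) {
-        auto lengths = getSTUNOrTURNMessageLengths(data, size);
-
-        if (!lengths || lengths->messageLengthWithPadding > size) {
-            if (!size)
-                return { };
-
-            std::memcpy(buffered.data(), data, size);
-            buffered.resize(size);
-            return WTFMove(buffered);
-        }
-
-        processMessage(data, lengths->messageLength);
-
-        data += lengths->messageLengthWithPadding;
-        size -= lengths->messageLengthWithPadding;
-    }
-}
-
-static inline Vector<uint8_t> extractDataMessages(Vector<uint8_t>&& buffered, const Function<void(const uint8_t* data, size_t size)>& processMessage)
-{
-    auto* data = buffered.data();
-    size_t size = buffered.size();
-
-    while (true) {
-        bool canReadLength = size >= 2;
-        size_t length = canReadLength ? be16toh(*reinterpret_cast<const uint16_t*>(data)) : 0;
-        if (!canReadLength || length > size + 2) {
-            if (!size)
-                return { };
-
-            std::memcpy(buffered.data(), data, size);
-            buffered.resize(size);
-            return WTFMove(buffered);
-        }
-
-        data += 2;
-        size -= 2;
-
-        processMessage(data, length);
-
-        data += length;
-        size -= length;
-    }
-}
-
-static inline Vector<uint8_t> extractMessages(Vector<uint8_t>&& buffer, bool isSTUN, const Function<void(const uint8_t* data, size_t size)>& processMessage)
-{
-    return isSTUN ? extractSTUNOrTURNMessages(WTFMove(buffer), processMessage) : extractDataMessages(WTFMove(buffer), processMessage);
 }
 
@@ -205,5 +118,5 @@
 
     processIncomingData(m_nwConnection.get(), [identifier = m_identifier, connection = m_connection.copyRef(), ip = remoteAddress.ipaddr(), port = remoteAddress.port(), isSTUN = m_isSTUN](auto&& buffer) mutable {
-        return extractMessages(WTFMove(buffer), isSTUN, [&](auto* message, auto size) {
+        return WebRTC::extractMessages(WTFMove(buffer), isSTUN ? WebRTC::MessageType::STUN : WebRTC::MessageType::Data, [&](auto* message, auto size) {
             IPC::DataReference data(message, size);
             connection->send(Messages::LibWebRTCNetwork::SignalReadPacket { identifier, data, RTCNetwork::IPAddress(ip), port, rtc::TimeMillis() * 1000 }, 0);
@@ -242,5 +155,5 @@
 
     if (m_isSTUN) {
-        auto messageLengths = getSTUNOrTURNMessageLengths(data, size);
+        auto messageLengths = WebRTC::getSTUNOrTURNMessageLengths(data, size);
         if (!messageLengths)
             return { };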
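Review bot: The callback passed at new line 120 wraps `(message, size)` in an `IPC::DataReference` and sends it with no bounds check of its own, so this file now depends entirely on `WebRTC::extractMessages` reporting only ranges that lie inside `buffer`, and that contract is not written down at the call site. The removed `extractDataMessages` shows how easily it breaks: its `length > size + 2` test let the callback run with a `length` larger than the bytes left after the 2-byte prefix. The replacement lives in STUNMessageParsing.cpp, which is not shown on this page. I would add a comment above the call such as `// The callback only receives ranges fully contained in buffer; message is valid only during the call.` and confirm the API test covers a length prefix equal to, and one greater than, the remaining bytes. Separately, the ChangeLog lists the moved functions as `WebCore::…` while the calls here use `WebRTC::…`, presumably a nested namespace and worth aligning; the enclosing functions of both call sites start and end outside the hunks.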
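--- a/trunk/Tools/ChangeLog
+++ b/trunk/Tools/ChangeLog
@@ -1,2 +1,13 @@
+2021-02-08  Youenn Fablet  <youenn@apple.com>
+
+        NetworkRTCSocketCocoa extractDataMessages should not read too much data
+        https://bugs.webkit.org/show_bug.cgi?id=221544
+
+        Reviewed by Eric Carlson.
+
+        * TestWebKitAPI/Tests/WebCore/STUNMessageParsingTest.cpp: Added.
+        (TestWebKitAPI::TEST):
+        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+
 2021-02-08  Alicia Boya García  <aboya@igalia.com>
 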
  • trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj

    r272445 r272504  
    243243                41848F4424891879000E2588 /* open-window-with-file-url-with-host.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 41848F4324891815000E2588 /* open-window-with-file-url-with-host.html */; };
    244244                41882F0321010C0D002FF288 /* ProcessPreWarming.mm in Sources */ = {isa = PBXBuildFile; fileRef = 41882F0221010A70002FF288 /* ProcessPreWarming.mm */; };
     245                41E67A8525D16E83007B0A4C /* STUNMessageParsingTest.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 41E67A8425D16E83007B0A4C /* STUNMessageParsingTest.cpp */; };
    245246                44077BB123144B5000179E2D /* DataDetectorsTestIOS.mm in Sources */ = {isa = PBXBuildFile; fileRef = 44077BB0231449D200179E2D /* DataDetectorsTestIOS.mm */; };
    246247                4433A396208044140091ED57 /* SynchronousTimeoutTests.mm in Sources */ = {isa = PBXBuildFile; fileRef = 4433A395208044130091ED57 /* SynchronousTimeoutTests.mm */; };
     
    19941995                41973B5C1AF22875006C7B36 /* SharedBuffer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SharedBuffer.cpp; sourceTree = "<group>"; };
    19951996                41BAF4E225AC9DB800D82F32 /* getUserMedia2.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = getUserMedia2.html; sourceTree = "<group>"; };
     1997                41E67A8425D16E83007B0A4C /* STUNMessageParsingTest.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = STUNMessageParsingTest.cpp; sourceTree = "<group>"; };
    19961998                44077BB0231449D200179E2D /* DataDetectorsTestIOS.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = DataDetectorsTestIOS.mm; sourceTree = "<group>"; };
    19971999                442BBF681C91CAD90017087F /* RefLogger.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = RefLogger.cpp; sourceTree = "<group>"; };
     
    35973599                                ECA680CD1E68CC0900731D20 /* StringUtilities.mm */,
    35983600                                CE4D5DE51F6743BA0072CFC6 /* StringWithDirection.cpp */,
     3601                                41E67A8425D16E83007B0A4C /* STUNMessageParsingTest.cpp */,
    35993602                                93A258981F92FF15003E510C /* TextCodec.cpp */,
    36003603                                CDC2C7141797089D00E627FB /* TimeRanges.cpp */,
     
    55525555                                ECA680CE1E68CC0900731D20 /* StringUtilities.mm in Sources */,
    55535556                                CE4D5DE71F6743BA0072CFC6 /* StringWithDirection.cpp in Sources */,
     5557                                41E67A8525D16E83007B0A4C /* STUNMessageParsingTest.cpp in Sources */,
    55545558                                7CCE7ED21A411A7E00447C4C /* SubresourceErrorCrash.mm in Sources */,
    55555559                                51EB126724CB8753000CB030 /* SunLightApplicationGenericNES.mm in Sources */,