From d2f8fd489a635679d5603d94e911bc4d3b403274 Mon Sep 17 00:00:00 2001 From: Richard Fuchs Date: Tue, 3 Jun 2025 11:09:46 -0400 Subject: [PATCH] MT#55283 loosen check from e969a7942 The internally used VALID flag doesn't reflect the "valid" state from the RFC, possibly leading to legitimate packets (DTLS etc) to be ignored. Introduce a new flag to track which ICE pairs have been authenticated through requests or responses. Change-Id: I11b8e2bb6a7638ab9405304c6f45c29b20d3739c --- daemon/ice.c | 6 +++++- include/ice.h | 1 + 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/daemon/ice.c b/daemon/ice.c index 83a2ad725..7bdf39c08 100644 --- a/daemon/ice.c +++ b/daemon/ice.c @@ -1259,6 +1259,8 @@ int ice_request(stream_fd *sfd, const endpoint_t *src, goto err; } + PAIR_SET(pair, AUTHENTICATED); + if (!AGENT_ISSET(ag, LITE_SELF)) { /* determine role conflict */ if (attrs->controlling && AGENT_ISSET(ag, CONTROLLING)) { @@ -1391,6 +1393,8 @@ int ice_response(stream_fd *sfd, const endpoint_t *src, goto out; } + PAIR_SET(pair, AUTHENTICATED); + /* we don't discover peer reflexive here (RFC 5245 7.1.3.2.1) as we don't expect to be behind NAT */ /* we also skip parts of 7.1.3.2.2 as we don't do server reflexive */ @@ -1533,7 +1537,7 @@ bool ice_peer_address_known(struct ice_agent *ag, const endpoint_t *sin, struct struct ice_candidate_pair *pair = __pair_lookup(ag, cand, ifa); if (!pair) return false; - if (!PAIR_ISSET(pair, VALID)) + if (!PAIR_ISSET(pair, AUTHENTICATED)) return false; return true; diff --git a/include/ice.h b/include/ice.h index 1d3348022..6ea5fe943 100644 --- a/include/ice.h +++ b/include/ice.h @@ -38,6 +38,7 @@ #define ICE_PAIR_VALID 0x0040 #define ICE_PAIR_TO_USE 0x0080 #define ICE_PAIR_TRIGGERED 0x0100 +#define ICE_PAIR_AUTHENTICATED 0x0200 #define PAIR_ISSET(p, f) bf_isset(&(p)->pair_flags, ICE_PAIR_ ## f) #define PAIR_SET(p, f) bf_set(&(p)->pair_flags, ICE_PAIR_ ## f)