conncheck: Only valid stun messages used for Keepalive

Previously, a STUN response for which there was no associated request
would be considered valid media input and as such could keep a dead
connection alive. If peer A was communicating with peer B and peer B got
disconnected, the keepalive mechanism in peer A should detect this.
However, a misbehaving STUN server could keep sending STUN responses to
peer A which would then be considered a valid communication between A
and B and thereby prevent the keepalive mechanism from shutting down the
connection.

Situation above refers to a stun message validated as
STUN_VALIDATION_UNMATCHED_RESPONSE. With this change only messages
validated as STUN_VALIDATION_SUCCESS may keep the connection alive.

diff --git a/agent/agent.c b/agent/agent.c
index 13bdb36..e642b63 100644 (file)
--- a/agent/agent.c
+++ b/agent/agent.c
@@ -4341,7 +4341,6 @@ agent_recv_message_unlocked (
         nice_debug ("%s: Valid STUN packet received.", G_STRFUNC);
         retval = RECV_OOB;
         g_free (big_buf);
-        agent->media_after_tick = TRUE;
         goto done;
       }
     }

diff --git a/agent/conncheck.c b/agent/conncheck.c
index 7900251..d511e7a 100644 (file)
--- a/agent/conncheck.c
+++ b/agent/conncheck.c
@@ -4693,6 +4693,7 @@ gboolean conn_check_handle_inbound_stun (NiceAgent *agent, NiceStream *stream,
     return FALSE;
   }
 
+  agent->media_after_tick = TRUE;
 
   if (stun_message_get_class (&req) == STUN_REQUEST) {
     if (   agent->compatibility == NICE_COMPATIBILITY_MSN