freeswitch icon indicating copy to clipboard operation
freeswitch copied to clipboard
verified publisher icon signalwire

switch_stun_lookup() fails to extract IP/port when additional attributes are present in STUN Binding Success Response

Open alekseiZh opened this issue 9 months ago • 0 comments

Describe the bug The switch_stun_lookup() function in switch_stun.c fails to extract the IP and port from a valid STUN Binding Success Response when additional attributes (SOFTWARE in my case) precede the XOR-MAPPED-ADDRESS.

Despite the packet being well-formed and the function returning SWITCH_STATUS_SUCCESS, the resulting IP and port values are NULL, leading to misleading logs such as:

STUN Failed! [Success]

To Reproduce Steps to reproduce the behavior:

  1. Send a STUN Binding Request to a STUN server that includes a SOFTWARE attribute in the response (before XOR-MAPPED-ADDRESS).
  2. Observe that the function switch_stun_lookup() returns success but does not extract IP/port values.

Working Packet Example (IP and Port extracted correctly)

Session Traversal Utilities for NAT
    Message Type: 0x0101 (Binding Success Response)
    Message Length: 12
    Message Cookie: 2112a443
    Message Transaction ID: 6c554d6c417a644161644244
    Attributes
        XOR-MAPPED-ADDRESS: x.x.x.x:48755
            Attribute Type: XOR-MAPPED-ADDRESS
            Attribute Length: 8
            Reserved: 00
            Protocol Family: IPv4 (0x01)
            Port (XOR-d): 9f61
            IP (XOR-d): X

Failing Packet Example (Returns success, but IP/port are NULL)

Session Traversal Utilities for NAT
    Message Type: 0x0101 (Binding Success Response)
    Message Length: 32
    Message Cookie: 2112a443
    Message Transaction ID: 58424932767a4a3748354561
    Attributes
        SOFTWARE
            Attribute Type: SOFTWARE
            Attribute Length: 15
            Software: P1 STUN library
            Padding: 1
        XOR-MAPPED-ADDRESS: x.x.x.x:34996
            Attribute Type: XOR-MAPPED-ADDRESS
            Attribute Length: 8
            Reserved: 00
            Protocol Family: IPv4 (0x01)
            Port (XOR-d): a9a6
            IP (XOR-d): x

Captured using Wireshark. Both packets conform to RFC 5389.

Expected behavior switch_stun_lookup() should extract XOR-MAPPED-ADDRESS correctly regardless of its position in the attribute list.

Trace logs

freeswitch@sbc> stun stunserver1
-STUN Failed! [Success]

freeswitch@sbc> stun stunserver2
x.x.x.x:37215

Package version or git hash

  • 1.10.10

alekseiZh avatar Mar 22 '25 02:03 alekseiZh