From 13082beae8e86760807de1cd7e8cd7ca037b9f4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?=
Date: Thu, 7 Jan 2021 21:31:12 +0000
Subject: [PATCH] Fixes #600
---
 ChangeLog | 2 ++
 src/server/ns_turn_server.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index d00764f..75b94b2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -36,6 +36,8 @@ Version 4.5.2 'dan Eider':
 - Add systemd notification for better systemd integration
 - Fix Issue #621 (by ycaibb)
 * Fix: Null pointer dereference on tcp_client_input_handler_rfc6062data function
+ - Fix Issue #600 (by ycaibb)
+ * Fix: use-after-free vulnerability on write_to_peerchannel function
 24/06/2020 Oleg Moskalenko Mihály Mészáros
 Version 4.5.1.3 'dan Eider':
diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c
index d57d280..c8c9265 100644
--- a/src/server/ns_turn_server.c
+++ b/src/server/ns_turn_server.c
@@ -4134,7 +4134,7 @@ static int write_to_peerchannel(ts_ur_super_session* ss, uint16_t chnum, ioa_net
 int skip = 0;
 rc = send_data_from_ioa_socket_nbh(get_relay_socket_ss(ss, chn->peer_addr.ss.sa_family), &(chn->peer_addr), nbh, in_buffer->recv_ttl-1, in_buffer->recv_tos, &skip);
- if (!skip) {
+ if (!skip && rc > -1) {
 ++(ss->peer_sent_packets);
 ss->peer_sent_bytes += (uint32_t)ioa_network_buffer_get_size(in_buffer->nbh);
 turn_report_session_usage(ss, 0);
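Review bot: The byte-count update inside the new `if (!skip && rc > -1)` branch still calls `ioa_network_buffer_get_size(in_buffer->nbh)` after `nbh` has been handed to `send_data_from_ioa_socket_nbh()`, so the fix is only safe if that helper releases the buffer on a negative return and never otherwise. If `nbh` is the same handle as `in_buffer->nbh` and the helper can also release or recycle it on a successful send (neither is visible in this hunk, so this needs checking against the helper), the read remains a use-after-free on the success path. Taking the size before the call removes the dependency on the helper's ownership behaviour: `uint32_t sent_len = (uint32_t)ioa_network_buffer_get_size(in_buffer->nbh);` ahead of the send, then `ss->peer_sent_bytes += sent_len;` inside the branch. Whichever form is kept, a one-line comment above the guard stating who owns `nbh` once the send returns would stop a later edit from reintroducing the read; write_to_peerchannel begins and ends outside this hunk.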