From 4de6c14f71c9469c2b610131f3e556d6e174d659 Mon Sep 17 00:00:00 2001
From: Gustavo Garcia <gustavogb@gmail.com>
Date: Fri, 11 Jul 2025 12:40:28 +0200
Subject: [PATCH] Fix null pointer dereference in set_ssl_ctx function (#1720)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR fixes a null pointer dereference vulnerability where
`set_ssl_ctx()` could crash when passed a NULL engine handle.

## Problem

The `create_ioa_engine()` function can return NULL when invalid
parameters are provided:

```c
if (!relays_number || !relay_addrs || !tp) {
  TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: Cannot create TURN engine\n", __FUNCTION__);
  return NULL;
}
```

However, two calling functions don't check for NULL before passing the
result to `set_ssl_ctx()`:

1. **`setup_relay_server()`** (line 1646):
   ```c
   rs->ioa_eng = create_ioa_engine(...);
set_ssl_ctx(rs->ioa_eng, &turn_params); // Potential NULL dereference
   ```

2. **`create_new_listener_engine()`** (line 955):
   ```c
   ioa_engine_handle e = create_ioa_engine(...);
   set_ssl_ctx(e, &turn_params);  // Potential NULL dereference
   ```

The `set_ssl_ctx()` function then dereferences the engine parameter
without checking:
```c
struct event_base *base = e->event_base;  // Crashes if e is NULL
```

## Solution

Added a simple check before calling `set_ssl_ctx()`:

## Impact

- ✅ Prevents crashes when `create_ioa_engine()` fails due to invalid
configuration
- ✅ Minimal change with no functional impact on normal operation
- ✅ All existing tests continue to pass
- ✅ Follows defensive programming best practices

Fixes #1718.
---
 src/apps/relay/netengine.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/apps/relay/netengine.c b/src/apps/relay/netengine.c
index 2f83f17..589a99b 100644
--- a/src/apps/relay/netengine.c
+++ b/src/apps/relay/netengine.c
@@ -948,6 +948,9 @@ static ioa_engine_handle create_new_listener_engine(void) {
                         &turn_params.redis_statsdb
 #endif
       );
+  if (!e) {
+    exit(-1);
+  }
   set_ssl_ctx(e, &turn_params);
   ioa_engine_set_rtcp_map(e, turn_params.listener.rtcpmap);
   return e;
@@ -1639,6 +1642,9 @@ static void setup_relay_server(struct relay_server *rs, ioa_engine_handle e, int
                                     &turn_params.redis_statsdb
 #endif
     );
+    if (!rs->ioa_eng) {
+      exit(-1);
+    }
     set_ssl_ctx(rs->ioa_eng, &turn_params);
     ioa_engine_set_rtcp_map(rs->ioa_eng, turn_params.listener.rtcpmap);
   }