From 4d0b3c7660afc8adbd89f0d400d6e03febe80d33 Mon Sep 17 00:00:00 2001
From: Pavel Punsky
Date: Sat, 18 Apr 2026 17:10:50 -0700
Subject: [PATCH] Abort on malformed allowed/denied-peer-ip at startup (#1872)

A bad value like CIDR notation in allowed-peer-ip or denied-peer-ip was silently dropped: add_ip_list_range returned -1 but the config parser kept going, leaving the intended whitelist or blocklist partial. Operators expecting denied-peer-ip=10.0.0.0/8 would end up with no block at all, enabling SSRF-via-TURN to internal networks. Fail closed: log the offending value and exit, so the problem is visible at startup. CIDR parsing is not added (separate feature).
---
 src/apps/relay/mainrelay.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c
index b18b269f..54c79eac 100644
--- a/src/apps/relay/mainrelay.c
+++ b/src/apps/relay/mainrelay.c
@@ -2420,11 +2420,25 @@ static void set_option(int c, char *value) {
 case ALLOWED_PEER_IPS:
 if (add_ip_list_range(value, NULL, &turn_params.ip_whitelist) == 0) {
 TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "White listing: %s\n", value);
+ } else {
+ /* Fail closed: a malformed allowed-peer-ips entry must abort startup so the operator
+ notices, instead of silently leaving the intended whitelist incomplete. */
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
+ "Aborting: invalid allowed-peer-ip value %s. Use IP or IP-IP range (CIDR is not supported).\n",
+ value);
+ exit(-1);
 }
 break;
 case DENIED_PEER_IPS:
 if (add_ip_list_range(value, NULL, &turn_params.ip_blacklist) == 0) {
 TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "Black listing: %s\n", value);
+ } else {
+ /* Fail closed: a malformed denied-peer-ips entry would otherwise leave intended
+ blocks unenforced, exposing internal targets (SSRF-via-TURN). */
+ TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
+ "Aborting: invalid denied-peer-ip value %s. Use IP or IP-IP range (CIDR is not supported).\n",
+ value);
+ exit(-1);
 }
 break;
 case CIPHER_LIST_OPT:
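Review bot: The two new `else` branches in the ALLOWED_PEER_IPS and DENIED_PEER_IPS cases are the same seven lines with only the option name changed, so the message text and the exit call are duplicated and the two copies have already drifted (the comments say `allowed-peer-ips`/`denied-peer-ips` while the logged messages and the real option names are singular); a small `static void abort_on_bad_peer_ip(const char *opt, const char *value)` that logs and exits keeps one source of truth for the wording and the fail-closed behaviour. If `set_option` can also be reached after startup (for example from a configuration reload path), `exit(-1)` would take down a running relay on a bad line instead of rejecting it, which is worth confirming since only the startup case is argued in the commit message; the rest of `set_option` is outside the hunk. `exit(-1)` produces status 255; `exit(EXIT_FAILURE)` is the portable spelling unless the file already uses -1 consistently, which I cannot see from here. set_option starts and ends outside the hunk.
```c
/* Fail closed: a malformed allowed-peer-ip/denied-peer-ip entry must abort
   startup so the operator notices, instead of silently leaving the intended
   whitelist or blocklist incomplete. CIDR notation is rejected here. */
static void abort_on_bad_peer_ip(const char *opt, const char *value) {
  TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
                "Aborting: invalid %s value %s. Use IP or IP-IP range (CIDR is not supported).\n", opt, value);
  exit(-1);
}

// … unchanged: start of set_option up to case ALLOWED_PEER_IPS and its if/log …
    } else {
      abort_on_bad_peer_ip("allowed-peer-ip", value);
    }
// … unchanged: break, case DENIED_PEER_IPS and its if/log …
    } else {
      abort_on_bad_peer_ip("denied-peer-ip", value);
    }
// … unchanged: remaining cases …
```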