Merge pull request #773 from haseebq/performance_fix

Fix for performance regression caused by CVE-2020-4067 fix

src/apps/relay/ns_ioalib_engine_impl.c

@@ -297,15 +297,15 @@ static stun_buffer_list_elem *new_blist_elem(ioa_engine_handle e)
 
 	if(!ret) {
 	  ret = (stun_buffer_list_elem *)malloc(sizeof(stun_buffer_list_elem));
-	  if (ret) {
-		ret->next = NULL;
-	  } else {
-		TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: Cannot allocate memory for STUN buffer!\n", __FUNCTION__);
-	  }
 	}
 
 	if(ret) {
-	  bzero(&ret->buf, sizeof(stun_buffer));
+	  ret->buf.len = 0;
+	  ret->buf.offset = 0;
+	  ret->buf.coffset = 0;
+	  ret->next = NULL;
+	} else {
+	  TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: Cannot allocate memory for STUN buffer!\n", __FUNCTION__);
 	}
 
 	return ret;

src/client/ns_turn_msg.c

@@ -1448,8 +1448,10 @@ int stun_attr_add_str(uint8_t* buf, size_t *len, uint16_t attr, const uint8_t* a
   int clen = stun_get_command_message_len_str(buf,*len);
   int newlen = clen + 4 + alen;
   int newlenrem4=newlen & 0x00000003;
+  int paddinglen = 0;
   if(newlenrem4) {
-    newlen=newlen+(4-newlenrem4);
+	paddinglen=4-newlenrem4;
+    newlen=newlen+paddinglen;
   }
   if(newlen>=MAX_STUN_MESSAGE_SIZE) return -1;
   else {
@@ -1463,6 +1465,10 @@ int stun_attr_add_str(uint8_t* buf, size_t *len, uint16_t attr, const uint8_t* a
     attr_start_16t[0]=nswap16(attr);
     attr_start_16t[1]=nswap16(alen);
     if(alen>0) bcopy(avalue,attr_start+4,alen);
+	
+	// Write 0 padding to not leak data
+	bzero(attr_start+4+alen, paddinglen);
+
     return 0;
   }
 }