saltyrtc / saltyrtc-client-java

SaltyRTC Java implementation.
Apache License 2.0

Client accepts CSN which are incremented by more than one. #136

Open rustonaut opened 2 years ago

rustonaut commented 2 years ago

The following code checks the CSN:

https://github.com/saltyrtc/saltyrtc-client-java/blob/d01e553c06a05c74a532104608c0dc57cb9a23f2/src/main/java/org/saltyrtc/client/signaling/Signaling.java#L1088-L1096

accepting any CSN which is larger than the previous CSN.

But the spec states it must have been incremented by 1:

If the message is received by a client or received by and intended for a server (the destination address is 0x00), the peer does the following checks: [...]

  • In case that the peer does make use of the combined sequence number, it MUST check that the combined sequence number of the source peer has been increased by 1 and has not reset to 0. Implementations that use the combined sequence number SHALL ignore the following three checks.

lgrahl commented 2 years ago

It should be noted that although this is a spec violation, it's not security relevant since the CSN is only allowed to monotonically increase.
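An added illustration (not code from saltyrtc-client-java) that puts the lenient check described in the issue beside the strict check the quoted spec text requires. It assumes the combined sequence number layout of the SaltyRTC nonce, a 16-bit overflow number followed by a 32-bit sequence number, and that a previous CSN from the same peer is already known; the class and method names are invented for this example.

```java
// Added example, not part of saltyrtc-client-java. Contrasts a lenient
// "any larger value" CSN check with the strict "incremented by exactly 1"
// check from the SaltyRTC specification.
public final class CsnCheck {
    // Combined sequence number: 16-bit overflow number (high bits) followed by
    // a 32-bit sequence number (low bits), 48 bits in total.
    static final long CSN_MAX = (1L << 48) - 1;

    // Build a 48-bit CSN from its two nonce fields.
    static long combine(int overflow, long sequence) {
        return ((long) (overflow & 0xFFFF) << 32) | (sequence & 0xFFFFFFFFL);
    }

    // Lenient check: accepts any CSN larger than the last one seen.
    // This is the behaviour the issue reports; it blocks replays but lets
    // skipped CSN values (dropped or reordered messages) pass unnoticed.
    static boolean lenientAccept(long previous, long received) {
        return received > previous;
    }

    // Strict check per the spec: the CSN must be exactly previous + 1 and
    // must not have reset to 0. Anything else is a protocol error.
    static boolean strictAccept(long previous, long received) {
        if (received == 0) {
            return false; // reset to 0 is never allowed
        }
        return received == previous + 1 && received <= CSN_MAX;
    }

    public static void main(String[] args) {
        // Constructed values: the previous message used sequence number
        // 0xFFFFFFFF, so the correct successor bumps the overflow number.
        long prev = combine(0x0001, 0xFFFFFFFFL);
        long next = combine(0x0002, 0x00000000L); // exactly prev + 1
        long skip = combine(0x0002, 0x00000005L); // five CSN values skipped
        long back = combine(0x0001, 0x00000010L); // older value (replay)

        System.out.println("successor: lenient=" + lenientAccept(prev, next)
                + " strict=" + strictAccept(prev, next));   // both true
        System.out.println("gap:       lenient=" + lenientAccept(prev, skip)
                + " strict=" + strictAccept(prev, skip));   // true / false
        System.out.println("replay:    lenient=" + lenientAccept(prev, back)
                + " strict=" + strictAccept(prev, back));   // both false
    }
}
```

The replay row shows why the lenient check is still safe in the sense lgrahl describes: an old CSN is rejected by both variants. The gap row is the difference the spec cares about: only the strict check surfaces a missing message as an error instead of silently continuing.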