From bf12e12afdbe7331e1173c54ca732b9c23b64b83 Mon Sep 17 00:00:00 2001
From: aler9 <46489434+aler9@users.noreply.github.com>
Date: Sat, 7 Jan 2023 11:05:25 +0100
Subject: [PATCH] client: decrease security issues with AnyPortEnable

When AnyPortEnable is true, store the port of the first incoming packet and check that following packets use the same port
---
 client.go | 32 ++++++++++++++++++--------------
 clientudpl.go | 10 +++++++++-
 2 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/client.go b/client.go
index 67f9ad8a..3af98b2c 100644
--- a/client.go
+++ b/client.go
@@ -1247,14 +1247,16 @@ func (c *Client) doSetup(
 }
 }
 
- cm.udpRTPListener.readIP = func() net.IP {
- if thRes.Source != nil {
- return *thRes.Source
- }
- return c.nconn.RemoteAddr().(*net.TCPAddr).IP
- }()
+ if thRes.Source != nil {
+ cm.udpRTPListener.readIP = *thRes.Source
+ } else {
+ cm.udpRTPListener.readIP = c.nconn.RemoteAddr().(*net.TCPAddr).IP
+ }
+
 if thRes.ServerPorts != nil {
- cm.udpRTPListener.readPort = thRes.ServerPorts[0]
+ if !c.AnyPortEnable {
+ cm.udpRTPListener.readPort = thRes.ServerPorts[0]
+ }
 cm.udpRTPListener.writeAddr = &net.UDPAddr{
 IP: c.nconn.RemoteAddr().(*net.TCPAddr).IP,
 Zone: c.nconn.RemoteAddr().(*net.TCPAddr).Zone,
@@ -1262,14 +1264,16 @@ func (c *Client) doSetup(
 }
 }
 
- cm.udpRTCPListener.readIP = func() net.IP {
- if thRes.Source != nil {
- return *thRes.Source
- }
- return c.nconn.RemoteAddr().(*net.TCPAddr).IP
- }()
+ if thRes.Source != nil {
+ cm.udpRTCPListener.readIP = *thRes.Source
+ } else {
+ cm.udpRTCPListener.readIP = c.nconn.RemoteAddr().(*net.TCPAddr).IP
+ }
+
 if thRes.ServerPorts != nil {
- cm.udpRTCPListener.readPort = thRes.ServerPorts[1]
+ if !c.AnyPortEnable {
+ cm.udpRTCPListener.readPort = thRes.ServerPorts[1]
+ }
 cm.udpRTCPListener.writeAddr = &net.UDPAddr{
 IP: c.nconn.RemoteAddr().(*net.TCPAddr).IP,
 Zone: c.nconn.RemoteAddr().(*net.TCPAddr).Zone,
diff --git a/clientudpl.go b/clientudpl.go
index 7ed52051..5120a538 100644
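Review bot: When `c.AnyPortEnable` is set, the new `if !c.AnyPortEnable` guard leaves `cm.udpRTPListener.readPort` at its zero value with nothing saying that zero is the "not yet learned" sentinel that `runReader` in clientudpl.go now relies on; the RTCP hunk at `@@ -1262,14 +1264,16 @@` has the same gap. A reader of doSetup cannot tell from this hunk that the announced server port is deliberately discarded for reads while still used for `writeAddr`, so I would put `// with AnyPortEnable, readPort stays 0 and the listener locks on to the source port of the first packet from readIP (see runReader)` above the guard. The RTP and RTCP hunks are now the same twelve lines apart from the listener and the ServerPorts index, and `c.nconn.RemoteAddr().(*net.TCPAddr)` is asserted three times in each; hoisting `raddr := c.nconn.RemoteAddr().(*net.TCPAddr)` once above both blocks would shorten them and leave the unchecked assertion at a single site. doSetup starts and ends outside the hunk.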
--- a/clientudpl.go
+++ b/clientudpl.go
@@ -186,7 +186,15 @@ func (u *clientUDPListener) runReader(forPlay bool) {
 
 uaddr := addr.(*net.UDPAddr)
 
- if !u.readIP.Equal(uaddr.IP) || (!u.anyPortEnable && u.readPort != uaddr.Port) {
+ if !u.readIP.Equal(uaddr.IP) {
+ continue
+ }
+
+ // in case of anyPortEnable, store the port of the first packet we receive.
+ // this reduces security issues
+ if u.anyPortEnable && u.readPort == 0 {
+ u.readPort = uaddr.Port
+ } else if u.readPort != uaddr.Port {
 continue
 }
 
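Review bot: The lock-in at `if u.anyPortEnable && u.readPort == 0` takes the port from whichever datagram from `readIP` arrives first, and that datagram is unauthenticated: since UDP source addresses are not verified, a packet that beats the server's first packet pins `readPort` to the wrong port and every genuine packet afterwards hits `continue` silently for the rest of the session. The comment `// this reduces security issues` understates this; I would replace it with `// first-come lock-in: the port comes from an unauthenticated packet and is never reset here, so a packet arriving before the server's pins the wrong port for the whole session`. A debug log line at the lock-in point would turn such a misbinding into something diagnosable instead of an invisible stream stall. Whether `u.readPort` is reset when the listener is reused for another SETUP, and whether any other goroutine reads it now that the reader goroutine writes it, is not visible in this hunk and worth confirming. runReader starts and ends outside the hunk.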