From d7d61eddf21ef678e2f9a810435e0b3888f8a0f3 Mon Sep 17 00:00:00 2001
From: Richard Fuchs
Date: Fri, 19 Sep 2025 10:47:21 -0400
Subject: [PATCH] MT#55283 reorder ICE candidate check

Run the check against ICE candidates not just for DTLS packets, but for all received packets, except STUN which have authentication and are needed to learn new ICE candidates.

Change-Id: I25df8fa6db4f828a68ba3b9e5cd35d2b56c0df08
---
 daemon/media_socket.c | 46 +++++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 24 deletions(-)

diff --git a/daemon/media_socket.c b/daemon/media_socket.c
index aa25ee9dc..435068e30 100644
--- a/daemon/media_socket.c
+++ b/daemon/media_socket.c
@@ -2687,20 +2687,30 @@ static const char *__stream_ssrc_out(struct packet_stream *out_srtp, uint32_t ss
 // -1 = packet not handled, proceed;
 // 1 = same as 0, but stream can be kernelized
 static int media_demux_protocols(struct packet_handler_ctx *phc) {
- if (MEDIA_ISSET(phc->mp.media, DTLS) && is_dtls(&phc->s)) {
- // verify DTLS packet against ICE checks if present
- if (MEDIA_ISSET(phc->mp.media, ICE) && phc->mp.media->ice_agent) {
- if (!ice_peer_address_known(phc->mp.media->ice_agent, &phc->mp.fsin, phc->mp.stream,
- phc->mp.sfd->local_intf))
- {
- ilog(LOG_DEBUG, "Ignoring DTLS packet from %s%s%s to %s as no matching valid "
- "ICE candidate pair exists",
- FMT_M(endpoint_print_buf(&phc->mp.fsin)),
- endpoint_print_buf(&phc->mp.sfd->socket.local));
- return 0;
- }
+ if (phc->mp.media->ice_agent && is_stun(&phc->s)) {
+ int stun_ret = stun(&phc->s, phc->mp.sfd, &phc->mp.fsin);
+ if (!stun_ret)
+ return 0;
+ if (stun_ret == 1) {
+ call_media_state_machine(phc->mp.media);
+ return 1;
+ }
+ }
+
+ // verify packet against ICE checks if present
+ if (MEDIA_ISSET(phc->mp.media, ICE) && phc->mp.media->ice_agent) {
+ if (!ice_peer_address_known(phc->mp.media->ice_agent, &phc->mp.fsin, phc->mp.stream,
+ phc->mp.sfd->local_intf))
+ {
+ ilog(LOG_DEBUG, "Ignoring packet from %s%s%s to %s as no matching valid "
+ "ICE candidate pair exists",
+ FMT_M(endpoint_print_buf(&phc->mp.fsin)),
+ endpoint_print_buf(&phc->mp.sfd->socket.local));
+ return 0;
 }
+ }

+ if (MEDIA_ISSET(phc->mp.media, DTLS) && is_dtls(&phc->s)) {
 LOCK(&phc->mp.stream->lock);
 int ret = dtls(phc->mp.sfd, &phc->s, &phc->mp.fsin);
 if (ret == 1) {
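Review bot: The STUN branch now at the top of media_demux_protocols runs ahead of the ICE address check, but nothing in the code records that this ordering is deliberate or what happens when stun() returns something other than 0 or 1. The removed `else { /* not an stun packet */ }` was the only hint that such packets fall through, and they now fall through into the candidate-pair check rather than straight to `return -1`. I would add a comment above the branch such as `// STUN is handled before the ICE address check: it is authenticated and is how new candidates are learned; any other stun() result falls through to the check below`. The exemption is only as strong as the integrity check inside stun(), which is not visible in this hunk, so it is worth confirming there that an unauthenticated STUN packet from an unknown address cannot create or validate a candidate pair. The function body continues past the end of the hunk.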
@@ -2712,18 +2722,6 @@ static int media_demux_protocols(struct packet_handler_ctx *phc) { return 0; } - if (phc->mp.media->ice_agent && is_stun(&phc->s)) { - int stun_ret = stun(&phc->s, phc->mp.sfd, &phc->mp.fsin); - if (!stun_ret) - return 0; - if (stun_ret == 1) { - call_media_state_machine(phc->mp.media); - return 1; - } - else { - /* not an stun packet */ - } - } return -1; }