pexip · havardgraff · Apr 30, 2026 · Apr 29, 2026 · Apr 29, 2026 · Apr 29, 2026
diff --git a/agent/agent-priv.h b/agent/agent-priv.h
@@ -89,7 +89,6 @@ struct _NiceAgent
   GSource *event_source;
 
   gboolean full_mode;             /* property: full-mode */
-  GTimeVal next_check_tv;         /* property: next conncheck timestamp */
   gchar *stun_server_ip;          /* property: STUN server IP */
   guint stun_server_port;         /* property: STUN server port */
   gchar *proxy_ip;                /* property: Proxy server IP */

diff --git a/agent/agent.c b/agent/agent.c
@@ -3281,13 +3281,13 @@ _priv_set_socket_tos (NiceAgent * agent, NiceSocket * sock, gint tos)
   if (sock->fileno &&
       setsockopt (g_socket_get_fd (sock->fileno), IPPROTO_IP,
           IP_TOS, (const char *) &tos, sizeof (tos)) < 0) {
-    GST_WARNING_OBJECT (agent, "Could not set socket ToS", g_strerror (errno));
+    GST_WARNING_OBJECT (agent, "Could not set socket ToS: %s", g_strerror (errno));
   }
 #ifdef IPV6_TCLASS
   if (sock->fileno &&
       setsockopt (g_socket_get_fd (sock->fileno), IPPROTO_IPV6,
           IPV6_TCLASS, (const char *) &tos, sizeof (tos)) < 0) {
-    GST_DEBUG_OBJECT (agent, "Could not set IPV6 socket ToS",
+    GST_DEBUG_OBJECT (agent, "Could not set IPV6 socket ToS: %s",
         g_strerror (errno));
   }
 #endif

diff --git a/agent/conncheck.c b/agent/conncheck.c
diff --git a/agent/conncheck.h b/agent/conncheck.h
@@ -75,7 +75,7 @@ struct _CandidateCheckPair
   gboolean controlling;
   gboolean timer_restarted;
   guint64 priority;
-  GTimeVal next_tick;       /* next tick timestamp */
+  gint64 next_tick;         /* next tick timestamp, wall-clock microseconds (g_get_real_time) */
   StunTimer timer;
   uint8_t stun_buffer[STUN_MAX_MESSAGE_SIZE];
   StunMessage stun_message;

diff --git a/agent/discovery.c b/agent/discovery.c
@@ -65,11 +65,9 @@
 GST_DEBUG_CATEGORY_EXTERN (niceagent_debug);
 #define GST_CAT_DEFAULT niceagent_debug
 
-static inline int priv_timer_expired (GTimeVal *timer, GTimeVal *now)
+static inline int priv_timer_expired (gint64 timer, gint64 now)
 {
-  return (now->tv_sec == timer->tv_sec) ?
-    now->tv_usec >= timer->tv_usec :
-    now->tv_sec >= timer->tv_sec;
+  return now >= timer;
 }
 
 /*
@@ -148,6 +146,16 @@ void refresh_free_item (gpointer data, gpointer user_data)
 
   g_assert (user_data == NULL);
 
+  GST_INFO_OBJECT (agent,
+      "%u/%u: Freeing TURN refresh candidate %p "
+      "(refresh_count=%u, last_lifetime=%u s, "
+      "consecutive_stale_nonce=%u); sending REFRESH lifetime=0 to "
+      "release the allocation",
+      cand->stream ? cand->stream->id : 0,
+      cand->component ? cand->component->id : 0,
+      cand, cand->refresh_count,
+      cand->last_lifetime_s, cand->consecutive_stale_nonce);
+
   if (cand->timer_source != NULL) {
     g_source_destroy (cand->timer_source);
     g_source_unref (cand->timer_source);
@@ -189,13 +197,18 @@ void refresh_free_item (gpointer data, gpointer user_data)
     nice_address_copy_to_sockaddr(&cand->server, (struct sockaddr *)&server_address);
     stun_message_log(&cand->stun_message, TRUE, (struct sockaddr *)&server_address);
 
-    /* send the refresh twice since we won't do retransmissions */
+    /* RFC 5766 §7: the release REFRESH (lifetime=0) is purely
+     * advisory. We have already forgotten the transaction above and
+     * the server keeps its own allocation-expiry timer (last granted
+     * lifetime, max 600 s) as a backstop. Sending it twice -- which
+     * the original code did as a poor-man's retransmission -- causes
+     * TURN servers to process the duplicate as a separate request,
+     * yielding either a second STUN response that we can no longer
+     * match (logged as "*** ERROR *** unmatched stun response …") or
+     * a spurious 437 Allocation Mismatch on the duplicate when the
+     * first request has just succeeded. Send exactly once. */
     nice_socket_send (cand->nicesock, &cand->server,
         buffer_len, (gchar *)cand->stun_buffer);
-    if (!nice_socket_is_reliable (cand->nicesock)) {
-      nice_socket_send (cand->nicesock, &cand->server,
-          buffer_len, (gchar *)cand->stun_buffer);
-    }
 
   }
 
@@ -931,7 +944,9 @@ static gboolean priv_discovery_tick_unlocked (gpointer pointer)
               &cand->stun_message,  cand->stun_buffer, sizeof(cand->stun_buffer),
               cand->stun_resp_msg.buffer == NULL ? NULL : &cand->stun_resp_msg,
               STUN_USAGE_TURN_REQUEST_PORT_NORMAL,
-              -1, -1,
+              /* RFC 5766 §6.1: explicitly request LIFETIME=600 s
+               * rather than relying on the server's default. */
+              -1, 600,
               username, username_len,
               password, password_len,
               turn_compat);
@@ -966,7 +981,7 @@ static gboolean priv_discovery_tick_unlocked (gpointer pointer)
               buffer_len, (gchar *)cand->stun_buffer);
 
 	  /* case: success, start waiting for the result */
-	  g_get_current_time (&cand->next_tick);
+	  cand->next_tick = g_get_real_time ();
 
 	} else {
 	  /* case: error in starting discovery, start the next discovery */
@@ -984,16 +999,16 @@ static gboolean priv_discovery_tick_unlocked (gpointer pointer)
     }
 
     if (cand->done != TRUE) {
-      GTimeVal now;
+      gint64 now;
 
-      g_get_current_time (&now);
+      now = g_get_real_time ();
 
       if (cand->stun_message.buffer == NULL) {
 	GST_DEBUG_OBJECT (agent, "%u/%u: STUN discovery was cancelled, marking discovery done.",
             cand->stream->id, cand->component->id);
 	cand->done = TRUE;
       }
-      else if (priv_timer_expired (&cand->next_tick, &now)) {
+      else if (priv_timer_expired (cand->next_tick, now)) {
         switch (stun_timer_refresh (&cand->timer)) {
           case STUN_USAGE_TIMER_RETURN_TIMEOUT:
             {
@@ -1031,9 +1046,8 @@ static gboolean priv_discovery_tick_unlocked (gpointer pointer)
                   stun_message_length (&cand->stun_message),
                   (gchar *)cand->stun_buffer);
 
-              /* note: convert from milli to microseconds for g_time_val_add() */
-              cand->next_tick = now;
-              g_time_val_add (&cand->next_tick, timeout * 1000);
+              /* note: convert from milli to microseconds */
+              cand->next_tick = now + (gint64) timeout * 1000;
 
               ++not_done; /* note: retry later */
               break;
@@ -1042,8 +1056,7 @@ static gboolean priv_discovery_tick_unlocked (gpointer pointer)
             {
               unsigned int timeout = stun_timer_remainder (&cand->timer);
 
-              cand->next_tick = now;
-              g_time_val_add (&cand->next_tick, timeout * 1000);
+              cand->next_tick = now + (gint64) timeout * 1000;
 
               ++not_done; /* note: retry later */
               break;

diff --git a/agent/discovery.h b/agent/discovery.h
@@ -50,7 +50,7 @@ typedef struct
   NiceCandidateType type;   /**< candidate type STUN or TURN */
   NiceSocket *nicesock;  /**< XXX: should be taken from local cand: existing socket to use */
   NiceAddress server;       /**< STUN/TURN server address */
-  GTimeVal next_tick;       /**< next tick timestamp */
+  gint64 next_tick;         /**< next tick timestamp, wall-clock microseconds (g_get_real_time) */
   gboolean pending;         /**< is discovery in progress? */
   gboolean done;            /**< is discovery complete? */
   Stream *stream;
@@ -87,8 +87,47 @@ typedef struct
   StunMessage stun_message;
   uint8_t stun_resp_buffer[STUN_MAX_MESSAGE_SIZE];
   StunMessage stun_resp_msg;
+
+  /*
+   * Robustness counters used by the TURN refresh code.
+   *
+   * - refresh_count: how many Refresh requests we have sent on this
+   *   allocation (including resends after 438). Used in log lines so
+   *   that "is this the first refresh, or is it stuck in a retry
+   *   loop?" can be answered from the log.
+   * - consecutive_stale_nonce: how many 438/401-realm-changed responses
+   *   we have received in a row without an intervening success. Reset
+   *   to zero on any RELAY_SUCCESS response. Compared against
+   *   NICE_TURN_MAX_CONSECUTIVE_STALE_NONCE: when the counter reaches
+   *   the limit, the refresh logic backs off and re-arms the periodic
+   *   refresh instead of immediately failing the allocation.
+   * - last_lifetime_s: lifetime (seconds) granted by the most recent
+   *   successful Allocate / Refresh response. Used both for log lines
+   *   and for the release REFRESH at teardown.
+   * - tolerate_one_timeout: when TRUE, the next retransmission timeout
+   *   in priv_turn_allocate_refresh_retransmissions_tick will trigger
+   *   one extra refresh attempt rather than tearing down the
+   *   allocation. Set automatically after every successful refresh so
+   *   that a single lost refresh does not kill the allocation.
+   */
+  guint refresh_count;
+  guint consecutive_stale_nonce;
+  guint32 last_lifetime_s;
+  gboolean tolerate_one_timeout;
 } CandidateRefresh;
 
+/* How many Refresh transactions in total we will send on a single
+ * candidate while the server keeps returning 438 (Stale Nonce) /
+ * 401 (realm changed). RFC 5389 only mandates one retry, but real-world
+ * TURN servers (notably coturn with short stale-nonce values) can
+ * rotate the nonce again between our retry being sent and reaching
+ * them, so be a little more lenient — but not so lenient that a
+ * misbehaving server can keep us looping for a long time. With siblings
+ * (e.g. an RTP+RTCP pair sharing one TURN server) the total Refresh
+ * traffic generated for one component is bounded by
+ * NICE_TURN_MAX_CONSECUTIVE_STALE_NONCE * <number of sibling refreshes>. */
+#define NICE_TURN_MAX_CONSECUTIVE_STALE_NONCE 5
+
 void refresh_free_item (gpointer data, gpointer user_data);
 void refresh_free (NiceAgent *agent);
 void refresh_prune_stream (NiceAgent *agent, guint stream_id);

diff --git a/meson.build b/meson.build
@@ -90,5 +90,5 @@ subdir('agent')
 subdir('nice')
 subdir('gst')
 
-#subdir('tests')
+subdir('tests')
 #subdir('python')
diff --git a/socket/tcp-bsd.c b/socket/tcp-bsd.c
@@ -348,9 +348,9 @@ socket_send_more (
     }
 
     if (ret < 0) {
-      if(gerr != NULL &&
-          g_error_matches (gerr, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK)
-          || g_error_matches (gerr, G_IO_ERROR, G_IO_ERROR_NOT_CONNECTED)) {
+      if (gerr != NULL &&
+          (g_error_matches (gerr, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK) ||
+           g_error_matches (gerr, G_IO_ERROR, G_IO_ERROR_NOT_CONNECTED))) {
         add_to_be_sent (sock, tbs->buf, tbs->length, TRUE);
         g_free (tbs->buf);
         g_slice_free (struct to_be_sent, tbs);