Server throws NPE if client sends the wrong SDP type in receiveVideoFrom RPC

[j1elo]

Describe the bug

When a malformed (or malicious) client sends an SDP Answer, while the server expected an SDP Offer in the receiveVideoFrom RPC method, the server throws a NullPointerException.

This is not critical because some higher-level catch is able to handle the unexpected exception. So this it not strictly speaking a "bug" report. Still, could be interesting to look closer into it, in case it uncovers potential issues hidden in the code.

Expected behavior

The server is able to recognize that the client went out of its expected path. This allows the server to fail fast and would also allow to generate an appropriate, more helpful error message.

Wrong current behavior

The server doesn't know about what happened; it just continues working, and only happens to discover about the problem much later, when it tries to access a null variable. Luckily, a catch-all safety net seems to avoid a crash. Still, a better error handling could be done in such scenarios.

This is the stack trace that shows up in the server logs:

[INFO] 2022-06-08 14:43:36,666 [SessionHandler-6fp9ufv4gosdoh0n2mb8bccd20-e29-t0] io.openvidu.server.rpc.RpcHandler - New candidate received from participant con_RAn8Lyv84i: {connectionId: "con_RAn8Lyv84i", sdpMid: 1, sdpMLineIndex: 1, candidate: "candidate:2618592765 1 tcp 1518280447 172.19.13.2 9 typ host tcptype active generation 0 ufrag TXV6 network-id 1"}
[ERROR] 2022-06-08 14:43:36,667 [SessionHandler-8kqvbplb6s4rg90rf20mbuia1j-e27-t0] org.kurento.jsonrpc.internal.JsonRpcHandlerManager - Exception while processing request {"id":30,"method":"receiveVideoFrom","params":{"sender":"str_CAM_ZTrH_con_RAn8Lyv84i","sdpAnswer":"<An SDP message, redacted for readability>"},"jsonrpc":"2.0"}
java.lang.NullPointerException: null
   at io.openvidu.server.kurento.core.KurentoParticipant.receiveMedia(KurentoParticipant.java:279)
   at io.openvidu.server.kurento.core.KurentoSessionManager.subscribe(KurentoSessionManager.java:658)
   at io.openvidu.server.rpc.RpcHandler.receiveVideoFrom(RpcHandler.java:393)
   at io.openvidu.server.rpc.RpcHandler.handleRequest(RpcHandler.java:141)
   at org.kurento.jsonrpc.internal.JsonRpcHandlerManager.handleRequest(JsonRpcHandlerManager.java:142)
   at org.kurento.jsonrpc.internal.server.ProtocolManager$3.run(ProtocolManager.java:218)
   at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
   at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
   at java.base/java.lang.Thread.run(Thread.java:829)

OpenVidu tutorial where to replicate the error

• Start with the Hello World tutorial: https://docs.openvidu.io/en/2.22.0/tutorials/openvidu-hello-world/
• Edit app.js and set OPENVIDU_SERVER_URL and OPENVIDU_SERVER_SECRET to use any available Openvidu server deployment (I tested with master).
• Edit the openvidu-browser JS file that comes embedded with that tutorial.
• Inside Stream.prototype.completeWebRtcPeerReceive, change the line params['sdpOffer'] = sdpString, so it now looks like this: params['sdpAnswer'] = sdpString.
• Run the tutorial.
• Observe the logs in the OpenVidu server and in the RPC responses.

OpenVidu deployment info

Tested with master tutorial and master OpenVidu server.

Client device info (if applicable)

Affects any implementation of the RPC, including official SDKs.

Screenshots

Additional context