From 0e68a850198501af891dbb9655dad74d2cfe4d2d Mon Sep 17 00:00:00 2001
From: Paul-Louis Ageneau <paul-louis@ageneau.org>
Date: Mon, 26 May 2025 15:28:41 +0200
Subject: [PATCH 1/2] Check non-symmetric addresses only on initial binding

---
 src/agent.c | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/src/agent.c b/src/agent.c
index 9f914f5..8d72e42 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -1467,21 +1467,20 @@ int agent_process_stun_binding(juice_agent_t *agent, const stun_message_t *msg,
 				return -1;
 			}
 
-			// 7.2.5.2.1. Non-Symmetric Transport Addresses:
-			// The ICE agent MUST check that the source and destination transport addresses in the
-			// Binding request and response are symmetric. [...] If the addresses are not symmetric,
-			// the agent MUST set the candidate pair state to Failed.
-			if (!addr_record_is_equal(src, &entry->record, true)) {
-				JLOG_DEBUG(
-				    "Candidate pair check failed (non-symmetric source address in response)");
-				entry->state = AGENT_STUN_ENTRY_STATE_FAILED;
-				entry->next_transmission = 0;
-				if (pair)
+			if (pair->state != ICE_CANDIDATE_PAIR_STATE_SUCCEEDED) {
+				// 7.2.5.2.1. Non-Symmetric Transport Addresses:
+				// The ICE agent MUST check that the source and destination transport addresses in
+				// the Binding request and response are symmetric. [...] If the addresses are not
+				// symmetric, the agent MUST set the candidate pair state to Failed.
+				if (!addr_record_is_equal(src, &entry->record, true)) {
+					JLOG_DEBUG(
+					    "Candidate pair check failed (non-symmetric source address in response)");
+					entry->state = AGENT_STUN_ENTRY_STATE_FAILED;
+					entry->next_transmission = 0;
 					pair->state = ICE_CANDIDATE_PAIR_STATE_FAILED;
-				break;
-			}
+					break;
+				}
 
-			if (pair->state != ICE_CANDIDATE_PAIR_STATE_SUCCEEDED) {
 				JLOG_DEBUG("Candidate pair check succeeded");
 				pair->state = ICE_CANDIDATE_PAIR_STATE_SUCCEEDED;
 			}

From b29f8338ff48a6841ede170394fd5d17e217b25a Mon Sep 17 00:00:00 2001
From: Paul-Louis Ageneau <paul-louis@ageneau.org>
Date: Mon, 26 May 2025 15:36:25 +0200
Subject: [PATCH 2/2] Ensure selected entry is consistent on nominated entry
 state change

---
 src/agent.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/agent.c b/src/agent.c
index 8d72e42..ea6ea68 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -1078,6 +1078,7 @@ int agent_bookkeeping(juice_agent_t *agent, timestamp_t *next_timestamp) {
 			    nominated_entry->state != AGENT_STUN_ENTRY_STATE_SUCCEEDED_KEEPALIVE) {
 				nominated_entry->state = AGENT_STUN_ENTRY_STATE_SUCCEEDED_KEEPALIVE;
 				agent_arm_keepalive(agent, nominated_entry);
+				atomic_store(&agent->selected_entry, nominated_entry); // for consistency
 			}
 
 			// If the entry of the nominated candidate is relayed locally, we need also to