Giters

ossrs / srs

SRS is a simple, high-efficiency, real-time video server supporting RTMP, WebRTC, HLS, HTTP-FLV, SRT, MPEG-DASH, and GB28181.

Home Page:https://ossrs.io

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

identify_create_stream_client' appears to have an infinite recursion, causing the stack to overflow and resulting in a core dump.

shantengfei opened this issue · comments

commented

Phenomenon: In the SRS (Simple Real-time Streaming) system, when entering the stream_service_cycle to provide service, the client is first verified. When it is determined to be Identify_create_stream_client, it will enter the function to create a stream. However, when parsing the information sent by the client, if it is still about creating a stream, it will call Identify_create_stream_client again. If the client continuously sends requests to create a stream, it will recursively call Identify_create_stream_client, causing a loop and eventually causing a core dump.

Changes made: After receiving the message, the basic header, message header, and payload are parsed. Previously, when parsing the message header, a 31-bit timestamp was used in the timestamp section. According to the RTMP (Real-Time Messaging Protocol) protocol, the extended timestamp is an absolute timestamp when fmt=0, and it is a delta value when fmt=1 or 2. Referring to the ngx_rtmp_recv function in the ngx_rtmp_module, the original timestamp parsing logic was modified as follows: for fmt=0, the original absolute timestamp is maintained, and for fmt=1 or 2, the delta value is used. After the modification, the aforementioned core dump issue occurred. Currently, it is not certain whether modifying the timestamp caused the continuous occurrence of the create_stream problem. This is because the core dump may be caused by modifying the timestamp, or it may be due to abnormal behavior of the client, continuously sending requests to create a stream.

TRANS_BY_GPT3

commented

It has nothing to do with the timestamp and has already limited the maximum recursion to 3 times. Refer to: 4f29813

Unit test verification:

VOID TEST(ProtoStackTest, ServerRecursiveDepth)
{
    srs_error_t err;

    // For N*CreateStream and N>3, it should fail.
    if (true) {
        MockBufferIO io;
        SrsRtmpServer r(&io);

        if (true) {
            MockBufferIO tio;
            SrsProtocol p(&tio);

            for (int i = 0; i < 4; i++) {
                SrsCreateStreamPacket* call = new SrsCreateStreamPacket();
                HELPER_EXPECT_SUCCESS(p.send_and_free_packet(call, 0));
            }

            io.in_buffer.append(&tio.out_buffer);
        }

        string stream_name;
        SrsRtmpConnType tp;
        srs_utime_t duration = 0;
        HELPER_EXPECT_FAILED(r.identify_client(1, tp, stream_name, duration));
    }
}

TRANS_BY_GPT3