[rtmpdump] add packet size check in ServeInvoke() for rtmpsuck
fcicq
fcicq at fcicq.net
Tue Jan 12 22:54:46 CET 2016
Thank you!
The two issues found by me are now combined in to one pull request: https://github.com/thatguystone/rtmpdump/pull/4
Consider to create a pull request on github, check the project name in this conversation:
http://lists.mplayerhq.hu/pipermail/rtmpdump/2015-August/002475.html
There's no better option to track patches at the moment.
On Tue, Jan 12, 2016 at 8:43 AM, fcicq <fcicq at fcicq.net> wrote:
The caller of ServeInvoke() is ServePacket().
case RTMP_PACKET_TYPE_FLEX_MESSAGE: // flex message { ret = ServeInvoke(server, which, packet, packet->m_body + 1); break; } case RTMP_PACKET_TYPE_INVOKE: // invoke ret = ServeInvoke(server, which, packet, packet->m_body); break;
but sadly, if nBodySize is 0, packet->m_body or body in ServeInvoke() which will also become null, would you expect AMF_Decode() to output an usable command?
Maybe this empty packet should trigger a warning type log, but as long as the return value is 0, that is not so critical.
The Video.DimensionChange event is a courtesy event from the player and does not exist on the wire. Empty packets are valid part of the spec. They have a number of uses in RTMP.
Sent from my iPhone
> On Jan 11, 2016, at 12:20 PM, fcicq <fcicq at fcicq.net> wrote:
>
> Without the nBodySize check, the later (body[0] != 0x02) check will trigger a null pointer deference and cause a crash.
> This kind of empty packet may have some relationship with NetStream.Video.DimensionChange event.
>
> diff --git a/rtmpsuck.c b/rtmpsuck.c
> index e886179..633a1f3 100644
> --- a/rtmpsuck.c
> +++ b/rtmpsuck.c
> @@ -160,6 +160,12 @@ ServeInvoke(STREAMING_SERVER *server, int which, RTMPPacket *pack, const char *b
> int ret = 0, nRes;
> int nBodySize = pack->m_nBodySize;
>
> + if (!nBodySize)
> + {
> + RTMP_Log(RTMP_LOGERROR, "%s, empty packet from %s", __FUNCTION__, cst[which]);
> + return 0;
> + }
> +
> if (body > pack->m_body)
> nBodySize--;
>
>
> _______________________________________________
> rtmpdump mailing list
> rtmpdump at mplayerhq.hu
> https://lists.mplayerhq.hu/mailman/listinfo/rtmpdump
_______________________________________________
rtmpdump mailing list
rtmpdump at mplayerhq.hu
https://lists.mplayerhq.hu/mailman/listinfo/rtmpdump
_______________________________________________
rtmpdump mailing list
rtmpdump at mplayerhq.hu
https://lists.mplayerhq.hu/mailman/listinfo/rtmpdump
_______________________________________________
rtmpdump mailing list
rtmpdump at mplayerhq.hu
https://lists.mplayerhq.hu/mailman/listinfo/rtmpdump
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mplayerhq.hu/pipermail/rtmpdump/attachments/20160113/ef4bdefe/attachment-0001.html>
More information about the rtmpdump
mailing list