[rtmpdump] add packet size check in ServeInvoke() for rtmpsuck

fcicq fcicq at fcicq.net
Tue Jan 12 22:54:46 CET 2016


Thank you!
The two issues found by me are now combined into one pull request: https://github.com/thatguystone/rtmpdump/pull/4



Consider creating a pull request on GitHub; check the project name in this conversation:
http://lists.mplayerhq.hu/pipermail/rtmpdump/2015-August/002475.html
There's no better option to track patches at the moment.
On Tue, Jan 12, 2016 at 8:43 AM, fcicq <fcicq at fcicq.net> wrote:
The caller of ServeInvoke() is ServePacket().

    case RTMP_PACKET_TYPE_FLEX_MESSAGE:
      // flex message
      {
        ret = ServeInvoke(server, which, packet, packet->m_body + 1);
        break;
      }
    case RTMP_PACKET_TYPE_INVOKE:
      // invoke
      ret = ServeInvoke(server, which, packet, packet->m_body);
      break;

But sadly, if nBodySize is 0, packet->m_body, or body in ServeInvoke(), will also become null. Would you expect AMF_Decode() to output a usable command?








Maybe this empty packet should trigger a warning type log, but as long as the return value is 0, that is not so critical.




The Video.DimensionChange event is a courtesy event from the player and does not exist on the wire. Empty packets are a valid part of the spec. They have a number of uses in RTMP.


> On Jan 11, 2016, at 12:20 PM, fcicq <fcicq at fcicq.net> wrote:
> 
> Without the nBodySize check, the later (body[0] != 0x02) check will trigger a null pointer dereference and cause a crash.
> This kind of empty packet may have some relationship with NetStream.Video.DimensionChange event.
> 
> diff --git a/rtmpsuck.c b/rtmpsuck.c
> index e886179..633a1f3 100644
> --- a/rtmpsuck.c
> +++ b/rtmpsuck.c
> @@ -160,6 +160,12 @@ ServeInvoke(STREAMING_SERVER *server, int which, RTMPPacket *pack, const char *b
>   int ret = 0, nRes;
>   int nBodySize = pack->m_nBodySize;
> 
> +  if (!nBodySize)
> +    {
> +      RTMP_Log(RTMP_LOGERROR, "%s, empty packet from %s", __FUNCTION__, cst[which]);
> +      return 0;
> +    }
> +
>   if (body > pack->m_body)
>     nBodySize--;
> 
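Review bot: the new (!nBodySize) test at the top of ServeInvoke() runs before the existing "if (body > pack->m_body) nBodySize--;" adjustment, so a flex message whose m_nBodySize is 1 passes the check, is decremented to 0, and still reaches the later body[0] read with no payload left behind the skipped byte. Moving the check below the decrement and testing nBodySize <= 0 would cover both the invoke path and the flex-message path (which is called with packet->m_body + 1). Separately, since the function returns 0 and carries on rather than treating the packet as a failure, RTMP_LOGWARNING would match the intent better than RTMP_LOGERROR.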
> 
> _______________________________________________
> rtmpdump mailing list
> rtmpdump at mplayerhq.hu
> https://lists.mplayerhq.hu/mailman/listinfo/rtmpdump