Upgrade rtmp library dependency

This fixes a bug in the rtmp library where an error has been left unchecked caused by a malformed app or playPath. This led to a nil value for the URL of the publish or play request. However, this URL should never be nil and accessing this URL caused a panic and finally shutting the core down, resulting in a DoS. Thanks to Johannes Frank
2023-05-05 10:04:18 +02:00 · 2023-05-05 10:04:18 +02:00 · d41469cdbf
commit d41469cdbf
parent 8e2874a456
4 changed files with 29 additions and 10 deletions
--- a/go.mod
+++ b/go.mod
@ -8,7 +8,7 @@ require (
 	github.com/atrox/haikunatorgo/v2 v2.0.1
 	github.com/caddyserver/certmagic v0.17.2
 	github.com/datarhei/gosrt v0.3.1
-	github.com/datarhei/joy4 v0.0.0-20220914170649-23c70d207759
+	github.com/datarhei/joy4 v0.0.0-20230505074825-fde05957445a
 	github.com/go-playground/validator/v10 v10.11.1
 	github.com/gobwas/glob v0.2.3
 	github.com/golang-jwt/jwt/v4 v4.4.3
@ -29,7 +29,6 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0
 	go.uber.org/zap v1.24.0
 	golang.org/x/mod v0.7.0
-	golang.org/x/net v0.7.0
 )

 require (
@ -96,6 +95,7 @@ require (
 	go.uber.org/goleak v1.1.12 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/crypto v0.5.0 // indirect
+	golang.org/x/net v0.7.0 // indirect
 	golang.org/x/sys v0.6.0 // indirect
 	golang.org/x/text v0.7.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -34,8 +34,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/datarhei/gosrt v0.3.1 h1:9A75hIvnY74IUFyeguqYXh1lsGF8Qt8fjxJS2Ewr12Q=
 github.com/datarhei/gosrt v0.3.1/go.mod h1:M2nl2WPrawncUc1FtUBK6gZX4tpZRC7FqL8NjOdBZV0=
-github.com/datarhei/joy4 v0.0.0-20220914170649-23c70d207759 h1:h8NyekuQSDvLIsZVTV172m5/RVArXkEM/cnHaUzszQU=
-github.com/datarhei/joy4 v0.0.0-20220914170649-23c70d207759/go.mod h1:Jcw/6jZDQQmPx8A7INEkXmuEF7E9jjBbSTfVSLwmiQw=
+github.com/datarhei/joy4 v0.0.0-20230505074825-fde05957445a h1:Tf4DSHY1xruBglr+yYP5Wct7czM86GKMYgbXH8a7OFo=
+github.com/datarhei/joy4 v0.0.0-20230505074825-fde05957445a/go.mod h1:Jcw/6jZDQQmPx8A7INEkXmuEF7E9jjBbSTfVSLwmiQw=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
--- a/vendor/github.com/datarhei/joy4/format/rtmp/rtmp.go
+++ b/vendor/github.com/datarhei/joy4/format/rtmp/rtmp.go
@ -178,6 +178,7 @@ func (self *Server) Serve(listener net.Listener) error {
 			if Debug {
 				fmt.Println("rtmp: server: client closed err:", err)
 			}
+			conn.Close()
 		}()
 	}
 }
@ -190,6 +191,7 @@ func (self *Server) Close() {
 	close(self.doneChan)

 	self.listener.Close()
+	self.listener = nil
 }

 const (
@ -398,7 +400,7 @@ func getTcUrl(u *url.URL) string {
 	return nu.String()
 }

-func createURL(tcurl, app, play string) (u *url.URL) {
+func createURL(tcurl, app, play string) (*url.URL, error) {
 	ps := strings.Split(app+"/"+play, "/")
 	out := []string{""}
 	for _, s := range ps {
@ -410,7 +412,11 @@ func createURL(tcurl, app, play string) (u *url.URL) {
 		out = append(out, "")
 	}
 	path := strings.Join(out, "/")
-	u, _ = url.ParseRequestURI(path)
+
+	u, err := url.ParseRequestURI(path)
+	if err != nil {
+		return nil, err
+	}

 	if tcurl != "" {
 		tu, _ := url.Parse(tcurl)
@ -419,7 +425,8 @@ func createURL(tcurl, app, play string) (u *url.URL) {
 			u.Scheme = tu.Scheme
 		}
 	}
-	return
+
+	return u, nil
 }

 var CodecTypes = flv.CodecTypes
@ -553,7 +560,13 @@ func (self *Conn) readConnect() (err error) {
 					return
 				}

-				self.URL = createURL(tcurl, connectpath, publishpath)
+				u, uerr := createURL(tcurl, connectpath, publishpath)
+				if uerr != nil {
+					err = fmt.Errorf("invalid URL: %w", uerr)
+					return
+				}
+
+				self.URL = u
 				self.publishing = true
 				self.reading = true
 				self.stage++
@ -599,7 +612,13 @@ func (self *Conn) readConnect() (err error) {
 					return
 				}

-				self.URL = createURL(tcurl, connectpath, playpath)
+				u, uerr := createURL(tcurl, connectpath, playpath)
+				if uerr != nil {
+					err = fmt.Errorf("invalid URL: %w", uerr)
+					return
+				}
+
+				self.URL = u
 				self.playing = true
 				self.writing = true
 				self.stage++
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -59,7 +59,7 @@ github.com/datarhei/gosrt/internal/congestion
 github.com/datarhei/gosrt/internal/crypto
 github.com/datarhei/gosrt/internal/net
 github.com/datarhei/gosrt/internal/packet
-# github.com/datarhei/joy4 v0.0.0-20220914170649-23c70d207759
+# github.com/datarhei/joy4 v0.0.0-20230505074825-fde05957445a
 ## explicit; go 1.14
 github.com/datarhei/joy4/av
 github.com/datarhei/joy4/av/avutil