From d41469cdbf6f597502d1f581d24359b59257db9b Mon Sep 17 00:00:00 2001
From: Ingo Oppermann
Date: Fri, 5 May 2023 10:04:18 +0200
Subject: [PATCH] Upgrade rtmp library dependency

This fixes a bug in the rtmp library where an error has been left unchecked caused by a malformed app or playPath. This led to a nil value for the URL of the publish or play request. However, this URL should never be nil and accessing this URL caused a panic and finally shutting the core down, resulting in a DoS.

Thanks to Johannes Frank
---
 go.mod | 4 +--
 go.sum | 4 +--
 .../datarhei/joy4/format/rtmp/rtmp.go | 29 +++++++++++++++----
 vendor/modules.txt | 2 +-
 4 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/go.mod b/go.mod
index 454d2310..8f577246 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/atrox/haikunatorgo/v2 v2.0.1
 github.com/caddyserver/certmagic v0.17.2
 github.com/datarhei/gosrt v0.3.1
- github.com/datarhei/joy4 v0.0.0-20220914170649-23c70d207759
+ github.com/datarhei/joy4 v0.0.0-20230505074825-fde05957445a
 github.com/go-playground/validator/v10 v10.11.1
 github.com/gobwas/glob v0.2.3
 github.com/golang-jwt/jwt/v4 v4.4.3
@@ -29,7 +29,6 @@ require (
 github.com/xeipuuv/gojsonschema v1.2.0
 go.uber.org/zap v1.24.0
 golang.org/x/mod v0.7.0
- golang.org/x/net v0.7.0
 )
 
 require (
@@ -96,6 +95,7 @@ require (
 go.uber.org/goleak v1.1.12 // indirect
 go.uber.org/multierr v1.9.0 // indirect
 golang.org/x/crypto v0.5.0 // indirect
+ golang.org/x/net v0.7.0 // indirect
 golang.org/x/sys v0.6.0 // indirect
 golang.org/x/text v0.7.0 // indirect
 golang.org/x/time v0.3.0 // indirect
diff --git a/go.sum b/go.sum
index dd05bdd5..9742f4a3 100644
--- a/go.sum
+++ b/go.sum
@@ -34,8 +34,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/datarhei/gosrt v0.3.1 h1:9A75hIvnY74IUFyeguqYXh1lsGF8Qt8fjxJS2Ewr12Q=
 github.com/datarhei/gosrt v0.3.1/go.mod h1:M2nl2WPrawncUc1FtUBK6gZX4tpZRC7FqL8NjOdBZV0=
-github.com/datarhei/joy4 v0.0.0-20220914170649-23c70d207759 h1:h8NyekuQSDvLIsZVTV172m5/RVArXkEM/cnHaUzszQU=
-github.com/datarhei/joy4 v0.0.0-20220914170649-23c70d207759/go.mod h1:Jcw/6jZDQQmPx8A7INEkXmuEF7E9jjBbSTfVSLwmiQw=
+github.com/datarhei/joy4 v0.0.0-20230505074825-fde05957445a h1:Tf4DSHY1xruBglr+yYP5Wct7czM86GKMYgbXH8a7OFo=
+github.com/datarhei/joy4 v0.0.0-20230505074825-fde05957445a/go.mod h1:Jcw/6jZDQQmPx8A7INEkXmuEF7E9jjBbSTfVSLwmiQw=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
diff --git a/vendor/github.com/datarhei/joy4/format/rtmp/rtmp.go b/vendor/github.com/datarhei/joy4/format/rtmp/rtmp.go
index e9c0d66b..8d9dc745 100644
--- a/vendor/github.com/datarhei/joy4/format/rtmp/rtmp.go
+++ b/vendor/github.com/datarhei/joy4/format/rtmp/rtmp.go
@@ -178,6 +178,7 @@ func (self *Server) Serve(listener net.Listener) error {
 if Debug {
 fmt.Println("rtmp: server: client closed err:", err)
 }
+ conn.Close()
 }()
 }
 }
@@ -190,6 +191,7 @@ func (self *Server) Close() {
 
 close(self.doneChan)
 self.listener.Close()
+ self.listener = nil
 }
 
 const (
@@ -398,7 +400,7 @@ func getTcUrl(u *url.URL) string {
 return nu.String()
 }
 
-func createURL(tcurl, app, play string) (u *url.URL) {
+func createURL(tcurl, app, play string) (*url.URL, error) {
 ps := strings.Split(app+"/"+play, "/")
 out := []string{""}
 for _, s := range ps {
@@ -410,7 +412,11 @@ func createURL(tcurl, app, play string) (u *url.URL) {
 out = append(out, "")
 }
 path := strings.Join(out, "/")
- u, _ = url.ParseRequestURI(path)
+
+ u, err := url.ParseRequestURI(path)
+ if err != nil {
+ return nil, err
+ }
 
 if tcurl != "" {
 tu, _ := url.Parse(tcurl)
@@ -419,7 +425,8 @@ func createURL(tcurl, app, play string) (u *url.URL) {
 u.Scheme = tu.Scheme
 }
 }
- return
+
+ return u, nil
 }
 
 var CodecTypes = flv.CodecTypes
@@ -553,7 +560,13 @@ func (self *Conn) readConnect() (err error) {
 return
 }
 
- self.URL = createURL(tcurl, connectpath, publishpath)
+ u, uerr := createURL(tcurl, connectpath, publishpath)
+ if uerr != nil {
+ err = fmt.Errorf("invalid URL: %w", uerr)
+ return
+ }
+
+ self.URL = u
 self.publishing = true
 self.reading = true
 self.stage++
@@ -599,7 +612,13 @@ func (self *Conn) readConnect() (err error) {
 return
 }
 
- self.URL = createURL(tcurl, connectpath, playpath)
+ u, uerr := createURL(tcurl, connectpath, playpath)
+ if uerr != nil {
+ err = fmt.Errorf("invalid URL: %w", uerr)
+ return
+ }
+
+ self.URL = u
 self.playing = true
 self.writing = true
 self.stage++
diff --git a/vendor/modules.txt b/vendor/modules.txt
index ae5f8026..fb3247d0 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -59,7 +59,7 @@ github.com/datarhei/gosrt/internal/congestion
 github.com/datarhei/gosrt/internal/crypto
 github.com/datarhei/gosrt/internal/net
 github.com/datarhei/gosrt/internal/packet
-# github.com/datarhei/joy4 v0.0.0-20220914170649-23c70d207759
+# github.com/datarhei/joy4 v0.0.0-20230505074825-fde05957445a
 ## explicit; go 1.14
 github.com/datarhei/joy4/av
 github.com/datarhei/joy4/av/avutil
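Review bot: The unchecked-parse pattern this upgrade fixes for app/playPath survives two lines below the new check in createURL: `tu, _ := url.Parse(tcurl)` still discards its error, so a tcurl string that url.Parse rejects leaves tu nil, and the `u.Scheme = tu.Scheme` context in the next hunk dereferences it unless the inner condition (outside the visible lines) guards on `tu != nil`; readConnect appears to take tcurl from the client's connect command, so this is the same nil-deref-to-panic class the commit message describes. If no such guard exists, the change is `tu, err := url.Parse(tcurl)` followed by `if err != nil { return nil, err }`, which surfaces as the same `invalid URL` rejection in readConnect instead of a crash. createURL and both readConnect call sites extend beyond the hunks shown, and since this is the vendored copy the fix belongs upstream in the joy4 module and a re-vendor rather than a local edit. createURL also deserves a doc comment now that its signature changed, e.g. `// createURL builds the stream URL from tcurl, app and play; it returns an error when the joined path is not a valid request URI.`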