You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A malicious or compromised RTMP server that the embedder connects to for playback or during the AMF command wait in connect / publish / play.
Controlled input
Sustained inbound TCP data delivered faster than the client drains complete messages from recv_buffer, especially when per-poll message budgets defer processing.
Attack path
Victim application connects to an attacker-controlled RTMP server and enters Client::poll() (playing) or recv_message() during AMF command wait.
Inbound bytes append to recv_buffer via Buffer::write on each socket read.
A server that keeps the kernel recv queue full across many poll iterations can retain up to 64 MiB of incomplete wire data per client connection.
Impact
Memory exhaustion against embedder processes: each targeted client connection can hold up to 64 MiB in staging buffers. An attacker operating a malicious RTMP server can multiply this across reconnecting clients.
Remediation
Mirror the server-side MAX_RECV_BUFFER_BYTES staging cap (2 * DEFAULT_MAX_MSG_LENGTH) in Client::poll() and recv_message() before appending new socket data to recv_buffer.
Severity
Medium
Location
src/client/mod.rsAttacker
A malicious or compromised RTMP server that the embedder connects to for playback or during the AMF command wait in
connect/publish/play.Controlled input
Sustained inbound TCP data delivered faster than the client drains complete messages from
recv_buffer, especially when per-poll message budgets defer processing.Attack path
Client::poll()(playing) orrecv_message()during AMF command wait.recv_bufferviaBuffer::writeon each socket read.Conn::recv()on the server (capped at2 * DEFAULT_MAX_MSG_LENGTH= 8 MiB after issue Per-connection recv_buffer can grow to 64 MiB when message budget exhausts before draining #97), the client had no staging cap beyond the globalBUFFER_MAX_SIZE(64 MiB).Impact
Memory exhaustion against embedder processes: each targeted client connection can hold up to 64 MiB in staging buffers. An attacker operating a malicious RTMP server can multiply this across reconnecting clients.
Remediation
Mirror the server-side
MAX_RECV_BUFFER_BYTESstaging cap (2 * DEFAULT_MAX_MSG_LENGTH) inClient::poll()andrecv_message()before appending new socket data torecv_buffer.