Severity
Medium
Location
src/message/command.rs
Attacker
A malicious or compromised RTMP server (or MITM on misconfigured RTMPS) that the embedder connects to for connect / publish / play.
Controlled input
An onStatus AMF0 command whose info object contains thousands of key/value pairs (cheap boolean values), delivered as a complete RTMP message up to DEFAULT_MAX_MSG_LENGTH (4 MiB).
Attack path
- Victim application calls
Client::connect(), Client::publish(), or Client::play() against an attacker-controlled rtmp:// / rtmps:// endpoint.
- During the AMF handshake,
wait_for_command("onStatus") receives the malicious response and calls command::read_onstatus().
read_onstatus() iterates every object key with no MAX_OBJECT_KEYS cap (unlike read_connect() and amf0::skip_value() nested-object parsing).
- Each non-
level key triggers amf0::skip_value(), burning CPU proportional to key count (~40k+ keys fit in a single max-size message).
Impact
CPU exhaustion / event-loop monopolization on the embedder thread handling the client handshake. A server can force expensive parsing before the client reaches publish/play, enabling denial of service against applications that connect to untrusted RTMP endpoints.
Remediation
Apply amf0::MAX_OBJECT_KEYS (256) to the read_onstatus() object-key loop, consistent with other AMF command decoders.
Severity
Medium
Location
src/message/command.rsAttacker
A malicious or compromised RTMP server (or MITM on misconfigured RTMPS) that the embedder connects to for
connect/publish/play.Controlled input
An
onStatusAMF0 command whose info object contains thousands of key/value pairs (cheap boolean values), delivered as a complete RTMP message up toDEFAULT_MAX_MSG_LENGTH(4 MiB).Attack path
Client::connect(),Client::publish(), orClient::play()against an attacker-controlledrtmp:///rtmps://endpoint.wait_for_command("onStatus")receives the malicious response and callscommand::read_onstatus().read_onstatus()iterates every object key with noMAX_OBJECT_KEYScap (unlikeread_connect()andamf0::skip_value()nested-object parsing).levelkey triggersamf0::skip_value(), burning CPU proportional to key count (~40k+ keys fit in a single max-size message).Impact
CPU exhaustion / event-loop monopolization on the embedder thread handling the client handshake. A server can force expensive parsing before the client reaches publish/play, enabling denial of service against applications that connect to untrusted RTMP endpoints.
Remediation
Apply
amf0::MAX_OBJECT_KEYS(256) to theread_onstatus()object-key loop, consistent with other AMF command decoders.