nginx-rtmp-module

Workers segfault when auto_pushed to and IPv6 is used for RTMP

Open florolf opened this issue 11 years ago • 1 comments

I'm running nginx-rtmp with the following configuration (abridged):

worker_processes  2;
rtmp_auto_push on;

rtmp {
    server {
        listen [::]:1935 ipv6only=off;

        application stream {
            live on;

            allow publish 127.0.0.1;
            deny publish all;

            allow play all;
        }
    }
}

The second worker segfaults from time to time. I've looked into the issue, and believe the following is happening:

  • When the second worker is created, it inherits the parent's list of listening sockets.
  • In ngx_rtmp_auto_push_init_process, this ngx_listening_t is cloned and partially replaced by the UNIX domain socket for auto_push. ls->servers, however, remains the same, containing a ngx_rtmp_port_t and in turn a ngx_rtmp_in6_addr_t, which then contains both a struct in6_addr and a ngx_rtmp_addr_conf_t.
  • When the first worker connects to the second worker via this socket, ngx_rtmp_init_connection is called. As c->local_sockaddr->sa_family is AF_UNIX, unix_socket is set and execution then falls through to the AF_INET case, which causes the ngx_rtmp_in6_addr_t to be reinterpreted as a ngx_rtmp_in_addr_t. (this is the bug)
  • addr_conf is now read from an incorrect offset inside the structure, which causes an invalid memory access (a null pointer dereference in my case, because in6_addr contains a lot of zeros) later in ngx_rtmp_init_session (in addr_conf->ctx).

Additionally, the code in ngx_rtmp_init_connection handling the port->naddrs > 1-case for AF_UNIX connections does not make any sense, because sa won't be a struct sockaddr_in. But this is unrelated to the main problem.

florolf, Nov 12 '13 19:11
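The layout mismatch described in the report can be reproduced in isolation. The following is an added example, not code from the issue or from nginx-rtmp-module: the types are simplified stand-ins with assumed layouts for the structures the report names, all function names are hypothetical, and the second lookup is one assumed mitigation (pick the layout from the family the listener's address table was built for), not the project's fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Simplified stand-ins (assumed layouts) for the structures named in the report. */
typedef struct { void *ctx; } addr_conf_t;                               /* ~ ngx_rtmp_addr_conf_t */
typedef struct { in_addr_t addr; addr_conf_t conf; } in_entry_t;         /* ~ ngx_rtmp_in_addr_t   */
typedef struct { struct in6_addr addr6; addr_conf_t conf; } in6_entry_t; /* ~ ngx_rtmp_in6_addr_t  */

/* Read conf.ctx at the offset of the layout for `family` (memcpy avoids aliasing UB). */
static void *ctx_as(const void *entry, int family)
{
    size_t off = (family == AF_INET6) ? offsetof(in6_entry_t, conf) : offsetof(in_entry_t, conf);
    void *ctx;
    memcpy(&ctx, (const unsigned char *) entry + off + offsetof(addr_conf_t, ctx), sizeof ctx);
    return ctx;
}

/* Reported behaviour: layout chosen from the connection's family; AF_UNIX lands on AF_INET. */
static void *lookup_by_conn_family(const void *entry, int conn_family)
{
    return ctx_as(entry, conn_family == AF_INET6 ? AF_INET6 : AF_INET);
}

/* Assumed mitigation: layout chosen from the table's own family; anything else is rejected. */
static void *lookup_by_table_family(const void *entry, int table_family)
{
    if (table_family != AF_INET && table_family != AF_INET6) return NULL;
    return ctx_as(entry, table_family);
}

/* Constructed sample: an entry for the wildcard listener [::] carrying `ctx`. */
static in6_entry_t wildcard_entry(void *ctx)
{
    in6_entry_t e;
    memset(&e, 0, sizeof e);   /* addr6 = ::, sixteen zero bytes */
    e.conf.ctx = ctx;
    return e;
}

int main(void)
{
    int target = 0;
    in6_entry_t e = wildcard_entry(&target);
    printf("by connection family (AF_UNIX): %p\n", lookup_by_conn_family(&e, AF_UNIX));
    printf("by table family (AF_INET6):     %p\n", lookup_by_table_family(&e, AF_INET6));
    return 0;
}
```

With the IPv4 layout applied to the IPv6 entry, the pointer is read from inside the zeroed address bytes, which matches the null dereference the report describes for a `[::]` listener.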