I'm running nginx-rtmp with the following configuration (abridged):

```nginx
worker_processes 2;
rtmp_auto_push on;
rtmp {
    server {
        listen [::]:1935 ipv6only=off;
        application stream {
            live on;
            allow publish 127.0.0.1;
            deny publish all;
            allow play all;
        }
    }
}
```
Second worker segfaults from time to time. I've looked into the issue, and believe the following is happening:

When the second worker is created, it inherits the parent's list of listening sockets.

In `ngx_rtmp_auto_push_init_process`, this `ngx_listening_t` is cloned and partially replaced by the UNIX domain socket for auto_push. `ls->servers`, however, remains the same, containing an `ngx_rtmp_port_t` and in turn an `ngx_rtmp_in6_addr_t`, which then contains both a `struct in6_addr` and an `ngx_rtmp_addr_conf_t`.

When the first worker connects to the second worker via this socket, `ngx_rtmp_init_connection` is called. As `c->local_sockaddr->sa_family` is `AF_UNIX`, `unix_socket` is set and execution then falls through to the `AF_INET` case, which causes the `ngx_rtmp_in6_addr_t` to be reinterpreted as an `ngx_rtmp_in_addr_t`. (this is the bug)

`addr_conf` is now read from an incorrect offset inside the structure, which causes an invalid memory access (a null pointer dereference in my case, because `in6_addr` contains a lot of zeros) later in `ngx_rtmp_init_session` (in `addr_conf->ctx`).

Additionally, the code in `ngx_rtmp_init_connection` handling the `port->naddrs > 1` case for AF_UNIX connections does not make any sense, because `sa` won't be a `struct sockaddr_in`. But this is unrelated to the main problem.
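The offset confusion described above, as an added illustration that is not part of the report or of nginx-rtmp's own sources: the struct layouts are simplified stand-ins for `ngx_rtmp_in_addr_t`, `ngx_rtmp_in6_addr_t` and `ngx_rtmp_addr_conf_t` (hypothetical field sets, same ordering), `lookup_buggy` mirrors the AF_UNIX fall-through into the AF_INET branch, and `lookup_fixed` picks the array layout from the listener's own family instead of the peer connection's.

```c
#include <string.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Simplified stand-ins for the nginx-rtmp structures named in the report
 * (hypothetical field sets, not the project's headers). */
typedef struct { void *ctx; } addr_conf_t;                      /* ngx_rtmp_addr_conf_t */
typedef struct { in_addr_t addr; addr_conf_t conf; } in_entry_t;        /* ngx_rtmp_in_addr_t  */
typedef struct { struct in6_addr addr6; addr_conf_t conf; } in6_entry_t; /* ngx_rtmp_in6_addr_t */
typedef struct { int family; void *addrs; unsigned naddrs; } port_t;    /* ngx_rtmp_port_t     */

/* Buggy dispatch: AF_UNIX only sets a flag and then falls through to the
 * AF_INET case, so port->addrs is read as in_entry_t even when the listener
 * it was inherited from was an IPv6 socket (in6_entry_t). */
static addr_conf_t *lookup_buggy(port_t *port, int sa_family, int *unix_socket)
{
    *unix_socket = 0;
    switch (sa_family) {
    case AF_INET6:
        return &((in6_entry_t *) port->addrs)[0].conf;
    case AF_UNIX:
        *unix_socket = 1;
        /* fall through: this is the bug */
    default:
        return &((in_entry_t *) port->addrs)[0].conf;
    }
}

/* Fixed dispatch: the element type of port->addrs is a property of the
 * listening socket the port was built from, not of the incoming peer. */
static addr_conf_t *lookup_fixed(port_t *port, int sa_family, int *unix_socket)
{
    *unix_socket = (sa_family == AF_UNIX);
    if (port->family == AF_INET6)
        return &((in6_entry_t *) port->addrs)[0].conf;
    return &((in_entry_t *) port->addrs)[0].conf;
}

/* Constructed fixture: one IPv6 address entry (as from "listen [::]:1935"),
 * with addr6 all zeros and a known non-null ctx at the real offset. */
static int sentinel;
static in6_entry_t entry6;

static port_t make_port6(void)
{
    memset(&entry6, 0, sizeof entry6);
    entry6.conf.ctx = &sentinel;
    port_t p = { AF_INET6, &entry6, 1 };
    return p;
}

/* ctx as seen by each lookup when the peer arrives over the auto_push
 * UNIX socket: the buggy path reads inside addr6 and finds zeros (NULL). */
static void *ctx_buggy(void) { int u; port_t p = make_port6(); return lookup_buggy(&p, AF_UNIX, &u)->ctx; }
static void *ctx_fixed(void) { int u; port_t p = make_port6(); return lookup_fixed(&p, AF_UNIX, &u)->ctx; }
```

The NULL returned by `ctx_buggy` is exactly the `addr_conf->ctx` that `ngx_rtmp_init_session` later dereferences.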