When using the basic authentication scheme, we wouldn't validate that
the authorization field of the credentials is not NULL and pass it on
to g_hash_table_lookup(). g_str_hash() however is not NULL-safe and will
dereference the NULL pointer and crash.
A specially crafted (read: invalid) RTSP header can cause this to
happen.
As a solution, check for the authorization to be not NULL before
continuing processing it and, if it is, simply fail authentication.
This fixes CVE-2020-6095 and TALOS-2020-1018.
Discovered by Peter Wang of Cisco ASIG.
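The check this commit message describes, as an added example that is not the gst-rtsp-server code: a self-contained C model in which the hypothetical `creds_t`, `basic_table` and `lookup_token()` stand in for the parsed credentials and the hash-table lookup, and `str_hash()` reads its argument unconditionally, as the message says g_str_hash() does.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for one parsed RTSP credential (assumption, not the real struct). */
typedef struct {
    int is_basic;              /* non-zero for the basic authentication scheme */
    const char *authorization; /* NULL when the header carried no value */
} creds_t;

/* Constructed sample table: base64("user:password") and base64("admin:secret"). */
typedef struct { const char *key; const char *token; } entry_t;
static const entry_t basic_table[] = {
    { "dXNlcjpwYXNzd29yZA==", "user-token" },
    { "YWRtaW46c2VjcmV0", "admin-token" },
};

/* String hash that dereferences s without checking it: NULL here crashes. */
static unsigned str_hash(const char *s)
{
    unsigned h = 5381;
    for (; *s; s++)
        h = h * 33 + (unsigned char)*s;
    return h;
}

/* Hash-then-compare lookup; callers must never pass NULL. */
static const char *lookup_token(const char *key)
{
    unsigned h = str_hash(key);
    for (size_t i = 0; i < sizeof basic_table / sizeof basic_table[0]; i++)
        if (str_hash(basic_table[i].key) == h && strcmp(basic_table[i].key, key) == 0)
            return basic_table[i].token;
    return NULL;
}

/* Returns the matching token, or NULL when authentication fails. */
const char *authenticate_basic(const creds_t *c)
{
    if (c == NULL || !c->is_basic)
        return NULL;
    if (c->authorization == NULL) /* the added check: fail before the lookup */
        return NULL;
    return lookup_token(c->authorization);
}

int main(void)
{
    creds_t missing = { 1, NULL }; /* constructed: Basic header with no value */
    return authenticate_basic(&missing) == NULL ? 0 : 1;
}
```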
Move the usage of priv->watch_context to the beginning of function
gst_rtsp_client_finalize, instead of using it after
g_main_context_unref (priv->watch_context).
We cannot take the RTSPStream lock while holding a transport backlog
lock, as remove_transport may be called externally, which will
take first the RTSPStream lock then the transport backlog lock.
This ensures we don't end up calling any of transports' callbacks
with a potentially unreffed user_data (in practice, a client that
may have been removed)
In order to address the race condition pointed out at
https://gitlab.freedesktop.org/gstreamer/gst-rtsp-server/merge_requests/108#note_403579
we get rid of the send thread pool, and instead spawn and manage
a single thread to pull samples from app sinks and add them to
the transport's backlogs.
Additionally, we now also always go through the backlogs in order
to simplify the logic.
Fixes #97
We cannot hold stream->lock while pushing data, but need
to consistently check the state of the backlog both from
the send_tcp_message function and the on_message_sent function,
which may or may not be called from the same thread.
This commit introduces internal API to allow for potentially
recursive locking of transport streams, addressing a race
condition where the RTSP stream could push items out of order
when popping them from the backlog.
It's taken ownership of by the media, and returned with `transfer none`
from the GstRTSPMedia::create_pipeline() vfunc. If we don't sink it
first then any bindings will wrongly take ownership of the pipeline once
it arrives in bindings code.
+ Take the watch lock prior to using priv->watch
+ Flush both the watch and connection before closing / unreffing
gst_rtsp_connection_close() is not threadsafe on its own; this is
a workaround at the client level, where we control both the watch
and the connection.
This is a TCP connection timeout for client connections, in seconds.
If a positive value is set for this property, the client connection
will be kept alive for this amount of seconds after the last session
timeout. For negative values of this property the connection timeout
handling is delegated to the system (just as it was before).
Fixes #83
The internal index of our appsinks, while it can be used to
determine whether a message is RTP or RTCP, is not necessarily
the same as the interleaved channel. Let the stream-transport
determine the channel to check backpressure for, the same way
it determines the channel according to whether it is sending
RTP or RTCP.
The commit "rtsp-client: define all seek accuracy flags from
setup_play_mode" changed the behaviour when doing a seek.
Before that commit, having the flush flag set would result in a seek
(forced seek), even if no seek was needed. One reason to force a seek
is to flush old buffers created in Describe requests.
Thus adding a forced seek for the flush flag as well will result in
a play request with fresh buffers.
Only attempt to use the various timing values if gst_rtsp_stream_get_info()
returns TRUE. Also avoid the whole clock signalling block if we're not
dealing with senders.
CID: 1439524
CID: 1439536
CID: 1439520
When removing transports an assertion was that the transports passed in
for removal are present in the list, however that can't be assumed.
As an example if a transport was removed from a thread running
send_tcp_message, the main thread can try to remove the same transport
again if it gets a handle_pause_request. This will not affect the
transport list but it will affect n_tcp_transports, as it will be
decremented and then have the wrong value.
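The bookkeeping problem described in this commit message, as an added example that is not the project's code: a single-threaded C model (locking omitted) with hypothetical `stream_t`, `add_transport()` and `remove_transport()`, where the counter changes only when the transport was actually found in the list, so a repeated removal is a no-op.

```c
#include <stddef.h>

#define MAX_TRANSPORTS 8

/* Hypothetical model of a stream's TCP transport list and its counter. */
typedef struct {
    int ids[MAX_TRANSPORTS];   /* constructed transport identifiers */
    size_t len;                /* number of entries in ids[] */
    unsigned n_tcp_transports; /* counter kept alongside the list */
} stream_t;

/* Returns 1 on success, 0 when the list is full. */
int add_transport(stream_t *s, int id)
{
    if (s->len == MAX_TRANSPORTS)
        return 0;
    s->ids[s->len++] = id;
    s->n_tcp_transports++;
    return 1;
}

/* Returns 1 if the transport was present and removed, 0 if it was already
 * gone. The counter is decremented only on an actual removal, so a second
 * call for the same transport leaves both list and counter untouched. */
int remove_transport(stream_t *s, int id)
{
    for (size_t i = 0; i < s->len; i++) {
        if (s->ids[i] == id) {
            s->ids[i] = s->ids[--s->len]; /* order is irrelevant in this model */
            s->n_tcp_transports--;
            return 1;
        }
    }
    return 0; /* not in the list: do not assert, do not decrement */
}

int main(void)
{
    stream_t s = { {0}, 0, 0 };
    add_transport(&s, 1);
    add_transport(&s, 2);
    remove_transport(&s, 1); /* first removal, e.g. from the sending path */
    remove_transport(&s, 1); /* repeated removal, e.g. on a pause request */
    return s.n_tcp_transports == 1 ? 0 : 1;
}
```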
By passing NULL to `g_signal_new` instead of a marshaller, GLib will
actually internally optimize the signal (if the marshaller is available
in GLib itself) by also setting the valist marshaller. This makes the
signal emission a bit more performant than the regular marshalling,
which still needs to box into `GValue` and call libffi in case of a
generic marshaller.
Note that for custom marshallers, one would use
`g_signal_set_va_marshaller()` with the valist marshaller instead.
The documentation of gst_rtsp_mount_points_add_factory() says "Any
previous mount point will be freed" which was true when it was
implemented using a GHashTable. But in 2012 it got rewritten using a
GSequence and since then it could have 2 factories for the same path.
Which one gets used is random, depending on the sorting order of 2
identical items.
The previous implementation stopped sending TCP messages to
all clients when a single one stopped consuming them, which
obviously created problems for shared media.
Instead, we now manage a backlog in stream-transport, and slow
clients are removed once this backlog exceeds a maximum duration,
currently hardcoded.
Fixes #80
For shared media we got race conditions. Concurrently, rtsp clients might
suspend or unsuspend the shared media and thus change the state without
the clients expecting that.
By introducing a lock that can be taken by callers such as rtsp_client,
one can force rtsp clients that call, e.g., PLAY or SETUP and that use shared
media to handle the media sequentially, thus allowing one client to finish its
rtsp call before another client calls on the same media.
https://gitlab.freedesktop.org/gstreamer/gst-rtsp-server/issues/86
Fixes #86
Extra time to add to the timeout, in seconds. This only
affects the time until a session is considered timed out
and is not signalled in the RTSP request responses.
Only the value of the timeout property is signalled in the
request responses.
One thread is inside the send_tcp_message function and is done
sending rtp or rtcp messages, so the n_outstanding variable is zero,
but it has not exited the loop sending the messages. While sending its
messages, transports have been added to or removed from the transport list,
so the cache should be updated. If an additional thread now comes to
the function send_tcp_message and tries to send rtp messages, it will
first destroy the rtp cache that is still being iterated through by the
first thread.
Fixes #81
When unsuspending and going to PLAYING, unblock all streams instead of
only those that are linked (the linked streams are the ones for which
SETUP has been called). GST_FLOW_NOT_LINKED will be returned when
pushing buffers on unlinked streams.
This change is because playback using single-threaded demuxers like
matroska-demux could be blocked if SETUP was not called for all media.
Demuxers that use GstFlowCombiner (including gstoggdemux, gstavidemux,
gstflvdemux, qtdemux, and matroska-demux) will handle
GST_FLOW_NOT_LINKED automatically.
Fixes #39
Wait on async-done when needed in gst_rtsp_media_seek_trickmode.
In the unit test the pause from adjust_play_mode will cause a preroll
and after that async-done will be produced.
Without this patch there is no one consuming this async-done, and
later, when the seek flush is done in gst_rtsp_media_seek_trickmode, it
waits for async-done. But then it wrongly finds the async-done produced by
adjust_play_mode and continues executing without waiting for the preroll
to finish.
Change condition that should be fulfilled regarding RTPInfo.
Replace !gst_rtsp_media_is_receive_only with
gst_rtsp_media_has_completed_sender. It is more correct to actually look
for a sender pipeline that is complete. Only then a RTPInfo should
exist.
gst_rtsp_media_is_receive_only gives different answers depending on the
state of the server.
If Describe is called with URL+options for backchannel, SDP will give only
audio and only backchannel a=sendonly.
If Describe is called on URL+options that gives both audio and video
direction from server to client, pipelines are created. Thus
receive_only will return false, even though Setup only would setup
backchannel.
RTP-Info is only for outgoing streams. Thus one should look if outgoing
streams are complete.
If RTP Info is missing and it is not a receiver only, e.g. audio
backchannel, then return GST_RTSP_STS_INTERNAL_SERVER_ERROR.
In RFC2326 it says RTP-info is req. but in RFC7826 it is conditional.
Since 1.14 there is audio backchannel support. Thus RTP-info is
conditional now. When audio backchannel only mode, there is no RTP-info.
Fixes #82
Without this patch it's always stream0 that is used to get the segment event
that is used to set scale and speed. This happens even if the client is not
doing SETUP for stream0. At least in suspend mode reset this is not working,
since then it's just random whether send_rtp_sink has got any segment event.
There is no check whether send_rtp_sink for stream0 got any data before the
media is prerolled after the PLAY request.
We then pass those to adjust_play_mode, which needs to operate
on the "final" seek flags, as previously the code in rtsp-media
was assuming that accuracy seek flags (accurate / key_unit) should
not be set if the flags passed to the seek method were already set.
First try "pay", then "pay_%s" (where %s == pad name). And only then
fall back to the code that simply takes the first payloader that is
found.
The current code usually works (but is racy) because it will always take
the payloader that was last added (due to g_list_prepend() when adding
elements) in pad-added and that's usually the correct one. But if a new
payloader is added between pad-added and us trying to get it, we would
get the wrong payloader.
Without this patch there are problems pre-rolling when using audio back
channel.
Without this patch a probe will be created for all streams including
the stream for audio backchannel. To pre-roll, all these pads have to
receive data. Since the stream for audio backchannel is a receiver this
will never happen.
The solution is to never create any probes for streams that are for
incoming data and instead set them as blocking already from the beginning.
The recent ONVIF work exposed a race condition when dealing with
multiple streams: one of the sinks may preroll before other streams
have started flushing. This led to the pipeline posting async-done
prematurely, when some streams were actually still in the middle
of performing a flushing seek. The newly-added code looks up a
sticky segment event on the first stream in order to respond to
the PLAY request with accurate Scale and Speed headers. In the
failure condition, the first stream was flushing, and thus had
no sticky segment event, leading to the PLAY request failing,
and in turn the test.
This will be used in the onvif tests in order to validate the
data transmitted over TCP: for streaming to continue after a
data message has been provided to client->send_func, the client
is responsible for marking the message as sent on the relevant
stream transport.