Skip to content

fix(security): cap built-in relay fan-out per poll tick#130

Closed
cursor[bot] wants to merge 1 commit into
feat/ertmp-v2-multitrack-0.4.0from
cursor/application-security-review-a58c
Closed

fix(security): cap built-in relay fan-out per poll tick#130
cursor[bot] wants to merge 1 commit into
feat/ertmp-v2-multitrack-0.4.0from
cursor/application-security-review-a58c

Conversation

@cursor

@cursor cursor Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Security fix

Fixes medium-severity CPU exhaustion DoS in the built-in server relay (issue #129).

Vulnerability

An attacker opens one publisher plus many play connections on the same (app, stream_name) (up to max_connections, default 256). Each publisher frame queued in pending_relay (up to 1024 frames) is fanned out to every matching player on each Server::process_connections() poll tick. Worst case: 1024 × 255 ≈ 261,120 send_frame/chunk-encode calls per poll, monopolizing the single-threaded poll loop.

Distinct from #41 (publisher-side pending_relay memory cap).

Fix

  • Add MAX_RELAY_SENDS_PER_POLL = 4096 budget in src/server/mod.rs
  • Count players per frame before sending; stop when budget exceeded
  • Re-queue unprocessed frames on the publisher via requeue_relay_frame()
  • Unit test relay_send_budget_limits_worst_case_player_fan_out

Verification

cargo test — all tests pass.

Open in Web View Automation 

View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

Add MAX_RELAY_SENDS_PER_POLL so one publisher relaying to many players
cannot issue hundreds of thousands of send_frame/chunk_write calls in a
single process_connections pass. Frames deferred by the budget are
re-queued on the publisher connection for the next poll.

Co-authored-by: Alexander Wagner <info@alexanderwagnerdev.com>
@AlexanderWagnerDev AlexanderWagnerDev changed the base branch from main to feat/ertmp-v2-multitrack-0.4.0 July 15, 2026 13:32
AlexanderWagnerDev added a commit that referenced this pull request Jul 15, 2026

Copy link
Copy Markdown
Contributor

Applied the security fix to #128 with the conflict resolved against its multitrack relay changes.

Integrated commit: 4965475

The resolved implementation preserves pause, receiveAudio/receiveVideo, metadata, and multitrack player gating while enforcing the per-poll relay-send budget. cargo fmt and cargo test completed before the commit was pushed.

@AlexanderWagnerDev AlexanderWagnerDev deleted the cursor/application-security-review-a58c branch July 15, 2026 13:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants