fix(security): cap built-in relay fan-out per poll tick#130
Closed
cursor[bot] wants to merge 1 commit into
Closed
Conversation
Add MAX_RELAY_SENDS_PER_POLL so one publisher relaying to many players cannot issue hundreds of thousands of send_frame/chunk_write calls in a single process_connections pass. Frames deferred by the budget are re-queued on the publisher connection for the next poll. Co-authored-by: Alexander Wagner <info@alexanderwagnerdev.com>
AlexanderWagnerDev
added a commit
that referenced
this pull request
Jul 15, 2026
Contributor
|
Applied the security fix to #128 with the conflict resolved against its multitrack relay changes. Integrated commit: 4965475 The resolved implementation preserves pause, receiveAudio/receiveVideo, metadata, and multitrack player gating while enforcing the per-poll relay-send budget. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security fix
Fixes medium-severity CPU exhaustion DoS in the built-in server relay (issue #129).
Vulnerability
An attacker opens one publisher plus many
playconnections on the same(app, stream_name)(up tomax_connections, default 256). Each publisher frame queued inpending_relay(up to 1024 frames) is fanned out to every matching player on eachServer::process_connections()poll tick. Worst case: 1024 × 255 ≈ 261,120send_frame/chunk-encode calls per poll, monopolizing the single-threaded poll loop.Distinct from #41 (publisher-side
pending_relaymemory cap).Fix
MAX_RELAY_SENDS_PER_POLL = 4096budget insrc/server/mod.rsrequeue_relay_frame()relay_send_budget_limits_worst_case_player_fan_outVerification
cargo test— all tests pass.Need help on this PR? Tag
/codesmithwith what you need. Autofix is disabled.