[FFmpeg-devel] [PATCH] Avoid sending packets to network when multicast ttl is 0 in udp

Omid Ghaffarinia omid.ghaffarinia at gmail.com
Wed Jul 20 16:08:10 EEST 2016


Thanks for testing in mingw.
New patch attached, which should work now.


On Wed, Jul 20, 2016 at 1:25 PM, Michael Niedermayer
<michael at niedermayer.cc> wrote:
> On Wed, Jul 13, 2016 at 03:09:28PM +0430, Omid Ghaffarinia wrote:
>> I attached the patch.
>>
>> The actual bug is, when creating a local multicast stream (i.e. giving
>> "rtp://224.1.1.1:10000?ttl=0" to avio_open), then you can see the
>> packets on the network and not just on local machine (despite setting
>> multicast ttl to 0) which was a security bug in my purpose of usage
>> (it also made a lot of unused traffic on network)
>>
>> The user does not choose to enable/disable the kernel hack, that is
>> how it is designed.
>>
>> This behavior does NOT happen in Windows machines, but the patch given
>> does no harm at all (it does nothing in Windows)
>>
>> On Wed, Jul 13, 2016 at 3:12 AM, Moritz Barsnick <barsnick at gmx.net> wrote:
>> > On Tue, Jul 12, 2016 at 18:31:36 +0430, Omid Ghaffarinia wrote:
>> >
>> > Your mailer has broken the patch by inserting line breaks. You should
>> > try attaching the patch as a file, or directly using "git send-email".
>> >
>> >> Bug is due to kernel handling multicast ttl 0 differently (as noted in
>> >> kernel code net/ipv4/route.c:2191 see:
>> >
>> > ffmpeg is not a Linux-only tool/library, so comments should point out
>> > which "kernel" more precisely (and possibly which versions this applies
>> > to). Admitted, the link to github contains the string "linux". ;-)
>> >
>> > Furthermore: Please explain what the actual bug (i.e. misbehavior) is,
>> > and what this fix changes (or how it fixes it).
>> >
>> > Are you allowing ffmpeg to work when the user is making use of the
>> > kernel hack?
>> >
>> > What does this patch achieve on non-Linux operating systems?
>> >
>> > (Sorry for the stupid questions, all this isn't obvious to me, and I do
>> > have at least some understanding of network stuff.)
>> >
>> > Moritz
>> > _______________________________________________
>> > ffmpeg-devel mailing list
>> > ffmpeg-devel at ffmpeg.org
>> > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
>>  sdp.c |    2 +-
>>  udp.c |   28 ++++++++++++++++++++++++++++
>>  2 files changed, 29 insertions(+), 1 deletion(-)
>> 697cb044e811d35b10a74ad9ca9181b372affc40  0001-Avoid-sending-packets-to-network-when-multicast-ttl-.patch
>> From aab1658d011f5b3eabd22ddc30f40107c6311c92 Mon Sep 17 00:00:00 2001
>> From: Omid Ghaffarinia <omid.ghaffarinia at gmail.com>
>> Date: Tue, 12 Jul 2016 18:23:57 +0430
>> Subject: [PATCH] Avoid sending packets to network when multicast ttl is 0 in
>>  udp
>>
>> Signed-off-by: Omid Ghaffarinia <omid.ghaffarinia at gmail.com>
>> ---
>>  libavformat/sdp.c |    2 +-
>>  libavformat/udp.c |   28 ++++++++++++++++++++++++++++
>>  2 files changed, 29 insertions(+), 1 deletion(-)
>>
>> diff --git a/libavformat/sdp.c b/libavformat/sdp.c
>> index 01b564b..0401f7a 100644
>> --- a/libavformat/sdp.c
>> +++ b/libavformat/sdp.c
>> @@ -61,7 +61,7 @@ static void sdp_write_address(char *buff, int size, const char *dest_addr,
>>      if (dest_addr) {
>>          if (!dest_type)
>>              dest_type = "IP4";
>> -        if (ttl > 0 && !strcmp(dest_type, "IP4")) {
>> +        if (ttl >= 0 && !strcmp(dest_type, "IP4")) {
>>              /* The TTL should only be specified for IPv4 multicast addresses,
>>               * not for IPv6. */
>>              av_strlcatf(buff, size, "c=IN %s %s/%d\r\n", dest_type, dest_addr, ttl);
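Review bot: the relaxed test `ttl >= 0 && !strcmp(dest_type, "IP4")` in sdp_write_address has no multicast check, so any IPv4 destination passed with ttl 0 now gets a `/0` suffix on its `c=` line, although the comment directly below says the TTL should only be specified for IPv4 multicast addresses. Please confirm that every caller passes a negative ttl for the unicast or unset case, or add an explicit multicast test here. The commit message has no body, so the reason for the SDP change should be stated there as well.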
>> diff --git a/libavformat/udp.c b/libavformat/udp.c
>> index 8699c1c..fe46ba5 100644
>> --- a/libavformat/udp.c
>> +++ b/libavformat/udp.c
>> @@ -176,6 +176,28 @@ static int udp_set_multicast_ttl(int sockfd, int mcastTTL,
>>          }
>>      }
>>  #endif
>> +    if (mcastTTL == 0) {
>> +#ifdef IP_MULTICAST_IF
>> +        if (addr->sa_family == AF_INET) {
>> +            struct in_addr localhost_addr;
>> +            inet_pton(AF_INET, "127.0.0.1", &localhost_addr);
>> +            if (setsockopt(sockfd, IPPROTO_IP, IP_MULTICAST_IF, &localhost_addr, sizeof(localhost_addr)) < 0) {
>> +                log_net_error(NULL, AV_LOG_ERROR, "setsockopt(IP_MULTICAST_IF)");
>> +                return -1;
>> +            }
>> +        }
>> +#endif
>> +#if defined(IPPROTO_IPV6) && defined(IPV6_MULTICAST_IF)
>> +        if (addr->sa_family == AF_INET6) {
>> +            struct in6_addr localhost_addr;
>> +            inet_pton(AF_INET6, "::1", &localhost_addr);
>> +            if (setsockopt(sockfd, IPPROTO_IPV6, IPV6_MULTICAST_IF, &localhost_addr, sizeof(localhost_addr)) < 0) {
>> +                log_net_error(NULL, AV_LOG_ERROR, "setsockopt(IPV6_MULTICAST_IF)");
>> +                return -1;
>> +            }
>> +        }
>> +#endif
>
> breaks build with mingw64
> libavformat/udp.c:183:13: error: implicit declaration of function ‘inet_pton’ [-Werror=implicit-function-declaration]
>
>
>> +    }
>>      return 0;
>>  }
>>
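Review bot: in the AF_INET6 branch of the new `mcastTTL == 0` block, IPV6_MULTICAST_IF is passed a `struct in6_addr`, but that option takes an unsigned int interface index (RFC 3493), unlike IP_MULTICAST_IF, which accepts an `in_addr`. Pass the index of the loopback interface instead of the address `::1`. Both inet_pton calls also ignore their return value, and inet_pton is the call behind the mingw64 build failure reported above; in the IPv4 branch, setting `localhost_addr.s_addr = htonl(INADDR_LOOPBACK)` would avoid it entirely. A short comment explaining why ttl 0 needs the outgoing interface pinned to loopback, and on which kernel, would answer the questions raised earlier in the thread.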
>> @@ -882,6 +904,12 @@ static int udp_open(URLContext *h, const char *uri, int flags)
>>          }
>>          if (h->flags & AVIO_FLAG_READ) {
>>              /* input */
>> +             if (s->ttl == 0) {
>> +             if (s->dest_addr.ss_family == AF_INET)
>> +                     inet_pton(AF_INET, "127.0.0.1", &((struct sockaddr_in *)&s->local_addr_storage)->sin_addr);
>> +             else
>> +                     inet_pton(AF_INET6, "::1", &((struct sockaddr_in6 *)&s->local_addr_storage)->sin6_addr);
>> +             }
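Review bot: the `else` in the new `s->ttl == 0` block in udp_open treats every destination family other than AF_INET as IPv6 and writes through a `struct sockaddr_in6 *` cast; test `s->dest_addr.ss_family == AF_INET6` explicitly so an unexpected family is not written as IPv6. The block sits in the `AVIO_FLAG_READ` input path and overwrites the address in `local_addr_storage` unconditionally, with no multicast check visible in the hunk, so a comment should say why a reader with ttl 0 must bind to loopback. The inet_pton return values are unchecked here too.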
>
> tabs are not allowed in ffmpeg git
>
> [...]
>
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> Let us carefully observe those good qualities wherein our enemies excel us
> and endeavor to excel them, by avoiding what is faulty, and imitating what
> is excellent in them. -- Plutarch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Avoid-sending-packets-to-network-when-multicast-ttl-.patch
Type: text/x-patch
Size: 4759 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20160720/f8998287/attachment.bin>

