Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Race condition between RTSP server and the PAUSE command causing a crash. #689

Closed
jean343 opened this issue Feb 3, 2025 · 1 comment · Fixed by #692
Closed

Race condition between RTSP server and the PAUSE command causing a crash. #689

jean343 opened this issue Feb 3, 2025 · 1 comment · Fixed by #692

Comments

@jean343
Copy link

jean343 commented Feb 3, 2025

A race condition exists between the RTSP server and the PAUSE command, leading to a crash with a nil pointer dereference. The crash occurs when writePacketRTPInQueueTCP attempts to access tcpConn after it has been set to nil by the PAUSE command.

Stack trace:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x85bcd7]

goroutine 3932 [running]:
github.com/bluenviron/gortsplib/v4.(*serverSessionFormat).writePacketRTPInQueueTCP(0xc0124ae300, {0xc000b61800?, 0x5c0, 0x5bca6e?})
        /go/pkg/mod/github.com/bluenviron/gortsplib/v4@v4.12.2/server_session_format.go:142 +0x97
github.com/bluenviron/gortsplib/v4.(*ServerSession).writePacketRTP.func1()
        /go/pkg/mod/github.com/bluenviron/gortsplib/v4@v4.12.2/server_session.go:1478 +0x27
github.com/bluenviron/gortsplib/v4.(*asyncProcessor).runInner(0xc008d38090)
        /go/pkg/mod/github.com/bluenviron/gortsplib/v4@v4.12.2/async_processor.go:49 +0x3e
github.com/bluenviron/gortsplib/v4.(*asyncProcessor).run(...)
        /go/pkg/mod/github.com/bluenviron/gortsplib/v4@v4.12.2/async_processor.go:38
created by github.com/bluenviron/gortsplib/v4.(*asyncProcessor).start in goroutine 3970
        /go/pkg/mod/github.com/bluenviron/gortsplib/v4@v4.12.2/async_processor.go:34 +0x8e

Root Cause

The lock in writePacketRTP does not guard writePacketRTPInQueue as it's running in an async process. Additionally, the lock is not acquired during the pause command.
The PAUSE command sets ss.tcpConn = nil.
The async writePacketRTPInQueueTCP attempts to use tcpConn.nconn.SetWriteDeadline, leading to a nil pointer dereference.

Testing

Simulated rapid PAUSE and RESUME calls to verify stability.

In our case,
Launch ffplay -i rtsp://localhost:8554/a
Play and pause repeatability by holding the p key.
@jean343 jean343 mentioned this issue Feb 4, 2025
Closed
aler9 added a commit that referenced this issue Feb 7, 2025
@aler9
server: fix panic during PAUSE due to race condition (#689)
b53d829
@aler9 aler9 mentioned this issue Feb 7, 2025
Merged
@aler9
Copy link
Member

aler9 commented Feb 7, 2025

Thank you very much for reporting the issue and providing a patch. This is fixed in a more efficient way by #692

@aler9 aler9 closed this as completed in #692 Feb 7, 2025
aler9 added a commit that referenced this issue Feb 7, 2025
@aler9
server: fix panic during PAUSE due to race condition (#689) (#692)
6430912
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@jean343 @aler9