Skip to content

fix(security): cap client recv budgets and default FFI max_connections#90

Draft
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/application-security-review-47d4
Draft

fix(security): cap client recv budgets and default FFI max_connections#90
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/application-security-review-47d4

Conversation

@cursor

@cursor cursor Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Security review fixes

Scheduled scan found two new medium-severity issues; this PR remediates both.

1. Client recv paths lack per-call byte budgets (Medium) — src/client/mod.rs

  • Issue: #88
  • Impact: A malicious RTMP server can monopolize the embedder event loop during Client::poll() or force up to ~256 MiB through the AMF connect handshake (wait_for_command × 64 max-size messages).
  • Fix: Add MAX_RECV_BYTES_PER_POLL (256 KiB) and MAX_RECV_BYTES_PER_COMMAND_WAIT (256 KiB) caps mirroring the server-side fairness limits.

2. Zero-initialized FFI ServerConfig disables connection limits (Medium) — src/lib.rs

  • Issue: #89
  • Impact: C embedders using calloc/{0} for ServerConfig get max_connections == 0, which disables all connection limiting and enables trivial memory-exhaustion DoS.
  • Fix: lrtmp2_server_create substitutes DEFAULT_FFI_MAX_CONNECTIONS (256) when max_connections <= 0; idiomatic Rust Server::new behavior is unchanged.

Tests

  • Client recv budget regression tests
  • FFI default max_connections test
  • Server max_connections enforcement test

cargo test --no-default-features passes.

Open in Web View Automation 

View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

- Add per-poll and per-command-wait byte caps on the RTMP client recv path
  so a malicious server cannot monopolize the embedder thread or force
  hundreds of megabytes through the AMF connect handshake.
- Apply DEFAULT_FFI_MAX_CONNECTIONS (256) when lrtmp2_server_create receives
  a zero-initialized ServerConfig, preserving unlimited semantics for the
  idiomatic Rust Server::new API.

Co-authored-by: Alexander Wagner <info@alexanderwagnerdev.com>
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: f41f8e11-d275-4b20-80eb-11505cfd25ef

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch cursor/application-security-review-47d4

Comment @coderabbitai help to get the list of available commands.

Comment thread src/lib.rs
let server = unsafe { lrtmp2_server_create(&config) };
assert!(!server.is_null());
unsafe {
let s = &*server;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants