[Live-devel] [vlc] RTSP client in vlc 2.1

Gilles Chanteperdrix gilles.chanteperdrix at xenomai.org
Sat Dec 14 13:02:13 PST 2013


On 12/14/2013 05:40 PM, Ross Finlayson wrote:
>> - RTP/RTCP use the "feedface"/first receiver report to fix the
>> client ports if NAT is running without "conntrack_rtsp";
> 
> This seems like a security risk - i.e., it would allow an attacker to
> send the server a bogus initial packet, in order to 'hijack' the
> stream's traffic.

I have checked (and changed the RTCP part of the implementation a bit),
and I believe the security risk only exists if a client is on a NAT
without conntrack_rtsp. This means that in the case where it did not
work up to now, it now works, but the streams can be hijacked; I
would say it is better than nothing.

What I implemented is: between setup and play, the addresses and ports
of the packets received on the RTP socket are noted (the "feedface"
packets). At play time, we check if a packet was received for the
original address and port; if not, we look for a packet from the
original address but a different port, and if found, we use that new port.

For the RTCP, when creating the RRHandlerRecord structure, we record the
original port for that RRHandler. When we receive an RR, we look for
the RRHandlerRecord; if found, we mark the fact that this
RRHandlerRecord was seen. If not found, it means that we got the port
wrong, so we iterate over the lookup table and look for a record with the
same address and a different port, which has either not been seen, or has
been seen but with a port different from the original port. If we find
such a record, we change the RTCP port number.

This all sounds a bit complicated, but it is not that much, and it seems
to work, and a session cannot be hijacked if the ports used are the
negotiated ones.

Are you interested in this code or not?

-- 
                                                                Gilles.
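
The RTP port selection described in the message above, sketched as an added example; it is not part of the original post and is not live555 or VLC code. All type and function names are hypothetical, the addresses are constructed sample values, and picking the first same-address packet seen is an assumption the message does not specify.

```cpp
// Added illustration; not live555 or VLC code. All names are hypothetical.
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

struct Endpoint {
    std::string addr;  // source IP address as text
    uint16_t port;
    bool operator==(const Endpoint& o) const { return addr == o.addr && port == o.port; }
};

enum class Choice { Negotiated, Rebound, NothingSeen };

struct Decision {
    Choice choice;
    Endpoint dest;  // where RTP is sent once PLAY starts
};

// negotiated: client address/port from SETUP.
// seen: sources of packets received on the RTP socket between SETUP and PLAY.
Decision chooseRtpDestination(const Endpoint& negotiated, const std::vector<Endpoint>& seen) {
    const Endpoint* candidate = nullptr;
    for (const Endpoint& s : seen) {
        if (s == negotiated)  // negotiated port confirmed: never rebind
            return {Choice::Negotiated, negotiated};
        if (s.addr == negotiated.addr && candidate == nullptr)
            candidate = &s;   // same address, different port (assumption: first seen wins)
        // packets from any other address are ignored
    }
    if (candidate != nullptr) return {Choice::Rebound, *candidate};
    return {Choice::NothingSeen, negotiated};
}

int main() {
    const Endpoint negotiated{"192.0.2.10", 5000};  // constructed sample values
    const std::vector<Endpoint> seen = {
        Endpoint{"198.51.100.7", 6000},   // different address: ignored
        Endpoint{"192.0.2.10", 40112},    // same address, NAT-remapped port
    };
    const Decision d = chooseRtpDestination(negotiated, seen);
    std::cout << d.dest.addr << ":" << d.dest.port
              << (d.choice == Choice::Rebound ? " (rebound)" : "") << "\n";
    return 0;
}
```

A deployment using logic like this would want to log every `Rebound` decision, since that is the only path on which the destination differs from what SETUP negotiated.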

