Joined: 20 Apr 2010
Posted: Tue Apr 20, 2010 9:10 pm    Post subject: core dump linked to authentication
We believe we have found a bug in Icecast version 2.3.2 (not the released code, but a version that was taken from a tag around 2009.03.24), and it looks like it also affects the latest version in the trunk.
We studied a core dump generated by icecast.
We found that the crash occurred in the following icecast code:
static void auth_remove_listener (auth_t *auth, auth_client *auth_user)
{
    client_t *client = auth_user->client;
    client->auth = NULL;
    /* client is going, so auth is not an issue at this point */
    client->authenticated = 0;
}
Because client->auth was NULL, it tried to dereference a NULL pointer:
(gdb) p client->auth->release_listener
Cannot access memory at address 0x10
(gdb) p client->auth
$3 = (struct auth_tag *) 0x0
(gdb) p auth_user
$4 = (auth_client *) 0x7f10d2126b80
(gdb) p auth_user->client
$6 = (client_t *) 0x7f1123690f00
We compared the sources of icecast we used with the 'mainstream' version (icecast-2.3.2) and found that the authentication functionality in question has some significant changes. In particular, icecast-2.3.2 has a few more checks for client->auth not being NULL, and the version we used has some functions added that reset this pointer to NULL under some circumstances. This is what probably caused the crash. We have checked the trunk and the situation is similar.
So we added a check for the pointer not being NULL.
But this triggered another core dump:
#0 auth_run_thread (arg=<value optimized out>) at auth.c:306
#1 0x000000000042039a in _start_routine (arg=0x7fa1f5e66ba0) at thread.c:657
#2 0x00007fa20a9cefc7 in ?? ()
#3 0x0000000000000000 in ?? ()
The code it crashed on is:
auth->head = auth_user->next;
if (auth->head == NULL)
    auth->tailp = &auth->head;
We checked the value of auth->pending_count, and it was invalid, and at least auth->tailp was also invalid.
I hope this helps to solve the problem.
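The second crash lands in the head/tailp pending-queue code, and the post reports that auth->pending_count and auth->tailp were both invalid. As an added example that is not part of the original post and not icecast's own code, the following C model shows the invariant such a tail-pointer queue has to keep (tailp always points at the final 'next' slot, or at &head when empty, and pending_count matches the list length), a pop routine that mirrors the three posted lines, and a check that detects the kind of corruption a debugger session finds by hand. All type and function names here are assumptions for illustration only.

```c
/* Added example: minimal model of a head/tailp pending queue, with an
 * invariant check. Not icecast code; names below are assumptions. */
#include <stddef.h>

typedef struct auth_client auth_client;
struct auth_client {
    int id;                 /* stands in for the real per-request state */
    auth_client *next;
};

typedef struct {
    auth_client *head;      /* first queued request, NULL when empty */
    auth_client **tailp;    /* address of the last 'next' slot, or &head */
    int pending_count;
} auth_queue;

void auth_queue_init(auth_queue *q)
{
    q->head = NULL;
    q->tailp = &q->head;
    q->pending_count = 0;
}

/* Append in O(1): write through tailp, then advance it to the new slot. */
void auth_queue_push(auth_queue *q, auth_client *c)
{
    c->next = NULL;
    *q->tailp = c;
    q->tailp = &c->next;
    q->pending_count++;
}

/* Pop from the head, mirroring the posted lines:
 *   auth->head = auth_user->next;
 *   if (auth->head == NULL) auth->tailp = &auth->head;
 * Resetting tailp when the last element leaves is what keeps the queue
 * usable; if it is skipped, tailp dangles into the popped node. */
auth_client *auth_queue_pop(auth_queue *q)
{
    auth_client *c = q->head;
    if (c == NULL)
        return NULL;
    q->head = c->next;
    if (q->head == NULL)
        q->tailp = &q->head;
    q->pending_count--;
    c->next = NULL;
    return c;
}

/* Walk the list and confirm head, tailp and pending_count agree.
 * Returns 0 when consistent, 1 for a bad tailp, 2 for a bad count. */
int auth_queue_check(auth_queue *q)
{
    int n = 0;
    auth_client **slot = &q->head;
    while (*slot != NULL) {
        slot = &(*slot)->next;
        n++;
    }
    if (slot != q->tailp)
        return 1;
    if (n != q->pending_count)
        return 2;
    return 0;
}

/* Push two requests and pop them back, checking after every step.
 * Returns 0 when every check passes, otherwise the failing step. */
int auth_queue_demo_roundtrip(void)
{
    auth_queue q;
    auth_client a = {1, NULL}, b = {2, NULL};
    auth_queue_init(&q);
    if (auth_queue_check(&q) != 0) return 1;
    auth_queue_push(&q, &a);
    auth_queue_push(&q, &b);
    if (q.pending_count != 2 || auth_queue_check(&q) != 0) return 2;
    if (auth_queue_pop(&q) != &a || auth_queue_check(&q) != 0) return 3;
    if (auth_queue_pop(&q) != &b || auth_queue_check(&q) != 0) return 4;
    if (q.tailp != &q.head || auth_queue_pop(&q) != NULL) return 5;
    return 0;
}

/* The failure class the second crash points at: a node is unlinked
 * without updating tailp, so tailp keeps pointing at the removed node's
 * 'next' slot. Returns the check result for the corrupted queue (1). */
int auth_queue_demo_corrupt(void)
{
    auth_queue q;
    auth_client a = {1, NULL}, b = {2, NULL};
    auth_queue_init(&q);
    auth_queue_push(&q, &a);
    auth_queue_push(&q, &b);
    a.next = NULL;          /* careless removal of b: tailp left stale */
    q.pending_count--;
    return auth_queue_check(&q);
}
```

Calling a check like auth_queue_check at the top of auth_run_thread (or from gdb via `call`) narrows down whether tailp went stale before the crashing iteration or was overwritten by something else entirely, which is the question the backtrace alone cannot answer.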