Bruno Nieuwenhuys
2010-Apr-05 10:51 UTC
[Icecast-dev] Bug in icecast 2.3.2 (not in stable release but a little later and in trunk) : Null pointer in auth_remove_listener
Hello,

We believe we have found a bug in Icecast in version 2.3.2 (not the released code but a version that was taken from a tag icecast2-svn-20090324.tar.gz) and it looks like it also affects the last version in the trunk.

We studied a core dump generated by icecast. We found that the crash occurred in the following icecast code:

    static void auth_remove_listener (auth_t *auth, auth_client *auth_user)
    {
        client_t *client = auth_user->client;

        if (client->auth->release_listener)
            client->auth->release_listener (auth_user);
        auth_release (client->auth);
        client->auth = NULL;
        /* client is going, so auth is not an issue at this point */
        client->authenticated = 0;
    }

Because client->auth was NULL, it tried to dereference a NULL pointer:

    (gdb) p client->auth->release_listener
    Cannot access memory at address 0x10
    (gdb) p client->auth
    $3 = (struct auth_tag *) 0x0
    (gdb) p auth_user
    $4 = (auth_client *) 0x7f10d2126b80
    (gdb) p auth_user->client
    $6 = (client_t *) 0x7f1123690f00

We compared the sources of icecast we used with the 'mainstream' version (icecast-2.3.2) and found that the authentication functionality in question has some significant changes, in particular icecast-2.3.2 has a few more checks for client->auth being not NULL, and the version we used has some functions added that reset this pointer to NULL under some circumstances. This is what probably caused the crash.

We have checked in trunk and the situation is similar.

We would recommend adding a check to the code above for that pointer being not NULL.

Hope this is clear, and helps. Please keep me updated on the way you plan to fix the problem.

Best Regards
Bruno Nieuwenhuys
Adswizz

--
Bruno Nieuwenhuys
CTO Adswizz
+43 699 19058565
skype : brunonieuwenhuys
www.adswizz.com
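A sketch of the NULL check recommended in the message above, added here as an illustration; it is not code from the original post or from the Icecast tree. The struct layouts, the refcount and released fields, count_release and the name auth_remove_listener_checked are simplified assumptions, and the unused auth parameter is dropped.

```c
#include <stddef.h>

/* Simplified stand-ins for Icecast's types (assumed shapes, not the real headers). */
typedef struct auth_client_tag auth_client;
typedef struct auth_tag {
    int refcount;
    int released;                               /* counts release_listener calls */
    void (*release_listener)(auth_client *user);
} auth_t;
typedef struct { auth_t *auth; int authenticated; } client_t;
struct auth_client_tag { client_t *client; };

/* Stand-in for auth_release(): drop one reference. */
static void auth_release(auth_t *auth) { auth->refcount--; }

/* Hypothetical handler used only by this example. */
static void count_release(auth_client *user) { user->client->auth->released++; }

/* Guarded variant: returns 1 if an auth handler was released, 0 if it was
 * already detached (the state seen in the core dump), -1 on a bad argument. */
static int auth_remove_listener_checked(auth_client *auth_user)
{
    client_t *client;
    auth_t *auth;
    int had_auth = 0;

    if (auth_user == NULL || auth_user->client == NULL)
        return -1;
    client = auth_user->client;
    auth = client->auth;            /* read once, test before any dereference */
    if (auth != NULL) {
        if (auth->release_listener)
            auth->release_listener(auth_user);
        auth_release(auth);
        client->auth = NULL;
        had_auth = 1;
    }
    client->authenticated = 0;      /* always clear, even if auth was already gone */
    return had_auth;
}

int main(void)
{
    auth_t auth = { 2, 0, count_release };      /* constructed sample state */
    client_t client = { &auth, 1 };
    auth_client user = { &client };
    int first = auth_remove_listener_checked(&user);    /* normal path */
    int second = auth_remove_listener_checked(&user);   /* auth already NULL */
    return (first == 1 && second == 0 && auth.refcount == 1) ? 0 : 1;
}
```

If another thread can reset client->auth concurrently, the check alone does not close the race; the pointer must then be read under whatever lock protects it.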