karlheyes / icecast-kh

KH branch of icecast
GNU General Public License v2.0

kh22 (rev ea3554b) crashes (segfault) when serving XSL files protected using htpasswd authentication. #445

Open patphobos opened 4 months ago

patphobos commented 4 months ago

Hi Karl,

I encountered a bug that crashes the current icecast2-kh (revision ea3554b).

icecast.xml.txt

Authentication is functioning properly for streams and static files, but it causes icecast to crash when attempting to protect xslt files: status.xsl / status2.xsl.

Below is the backtrace of the crash that occurs when requesting an XSLT file.

(gdb) backtrace full
#0  0x000055555557edf1 in _xslt_transform (doc=0x7fffdc002770, xslfilename=0x7fffdc0011c0 "/home/patrice/icecast-kh/web/status2.xsl", client=0x7fffe0000fa0, admin=<optimized out>) at xslt.c:661
        x = 0x7fffdc006f80
#1  0x000055555557f789 in xslt_transform (doc=<optimized out>, xslfilename=<optimized out>, client=<optimized out>) at xslt.c:671
No locals.
#2  0x000055555557988b in stats_transform_xslt (client=client@entry=0x7fffe0000fa0, uri=0x7fffe8021370 "/status2.xsl") at stats.c:1157
        doc = <optimized out>
        mount = 0x0
        ret = <optimized out>
        xslpath = 0x7fffdc0011c0 "/home/patrice/icecast-kh/web/status2.xsl"
#3  0x000055555558d417 in add_authenticated_listener (mount=<optimized out>, mount@entry=0x7fffe8021370 "/status2.xsl", mountinfo=<optimized out>, client=client@entry=0x7fffe0000fa0) at auth.c:537
        ret = 0
        __func__ = "add_authenticated_listener"
#4  0x000055555558dfd0 in auth_postprocess_listener (auth_user=0x7fffe8021320) at auth.c:585
        ret = <optimized out>
        auth = <optimized out>
        mountinfo = <optimized out>
        mount = 0x7fffe8021370 "/status2.xsl"
        client = 0x7fffe0000fa0
        ret = <optimized out>
        client = <optimized out>
        auth = <optimized out>
        mountinfo = <optimized out>
        mount = <optimized out>
        __func__ = "auth_postprocess_listener"
#5  auth_new_listener (auth_user=0x7fffe8021320) at auth.c:274
        client = <optimized out>
        client = <optimized out>
        __func__ = "auth_new_listener"
#6  auth_new_listener (auth_user=0x7fffe8021320) at auth.c:251
        client = <optimized out>
        __func__ = "auth_new_listener"
#7  0x000055555558e15d in auth_run_thread (arg=arg@entry=0x555555612090) at auth.c:397
        auth_user = 0x7fffe8021320
        pending = <optimized out>
        handler = 0x555555612090
        auth = 0x555555611510
        id = 5
        __func__ = "auth_run_thread"
#8  0x000055555559c871 in _start_routine (arg=0x7fffe8010a70) at thread.c:768
        start = 0x7fffe8010a70
        start_routine = 0x55555558e060 <auth_run_thread>
        real_arg = 0x555555612090
        thread = 0x7fffe80213b0
#9  0x00007ffff75ccac3 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#10 0x00007ffff765e850 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.

My environment: Ubuntu 22 LTS x86_64

root@ice03:~/icecast-kh/web# dpkg -l | grep xslt
ii  libnginx-mod-http-xslt-filter          1.18.0-6ubuntu14.4                           amd64        XSLT Transformation module for Nginx
ii  libxslt1-dev:amd64                     1.1.34-4ubuntu0.22.04.1                      amd64        XSLT 1.0 processing library - development kit
ii  libxslt1.1:amd64                       1.1.34-4ubuntu0.22.04.1                      amd64        XSLT 1.0 processing library - runtime library
ii  xsltproc                               1.1.34-4ubuntu0.22.04.1                      amd64        XSLT 1.0 command line processor

patphobos commented 4 months ago

Also, here is the valgrind output: valgrind.txt

patphobos commented 4 months ago

It seems that _xslt_transform expects the request to be attached to a worker, but since it's authenticated, the request seems to be threaded. client->worker is empty when authenticated.

# manually triggered backtrace when the xslt_transform is not protected by authentication : 
#0  _xslt_transform (doc=0x7fffe8007af0, xslfilename=xslfilename@entry=0x7fffe8006540 "/home/patrice/icecast-kh/web/status2.xsl", client=client@entry=0x7fffe0000e40, admin=0) at xslt.c:662
#1  0x000055555557f75f in xslt_transform (doc=<optimized out>, xslfilename=xslfilename@entry=0x7fffe8006540 "/home/patrice/icecast-kh/web/status2.xsl", client=client@entry=0x7fffe0000e40) at xslt.c:673
#2  0x000055555557988b in stats_transform_xslt (client=client@entry=0x7fffe0000e40, uri=0x7fffe80033f0 "/status2.xsl") at stats.c:1157
#3  0x000055555558d3e7 in add_authenticated_listener (mount=<optimized out>, mount@entry=0x7fffe80033f0 "/status2.xsl", mountinfo=<optimized out>, client=client@entry=0x7fffe0000e40) at auth.c:537
#4  0x000055555558e774 in auth_add_listener (mount=mount@entry=0x7fffe80033f0 "/status2.xsl", client=client@entry=0x7fffe0000e40) at auth.c:741
#5  0x0000555555564c49 in _handle_get_request (client=0x7fffe0000e40) at connection.c:1898
#6  0x000055555557c49a in worker (arg=arg@entry=0x555555642b80) at client.c:876
#7  0x000055555559c841 in _start_routine (arg=0x555555642c70) at thread.c:768
#8  0x00007ffff75ccac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#9  0x00007ffff765e850 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

# backtrace of an xslt protected with htpasswd auth :
#0  _xslt_transform (doc=0x7fffdc000ba0, xslfilename=xslfilename@entry=0x7fffe8001870 "/home/patrice/icecast-kh/web/status.xsl", client=client@entry=0x7fffe0000ba0, admin=0) at xslt.c:662
#1  0x000055555557f75f in xslt_transform (doc=<optimized out>, xslfilename=xslfilename@entry=0x7fffe8001870 "/home/patrice/icecast-kh/web/status.xsl", client=client@entry=0x7fffe0000ba0) at xslt.c:673
#2  0x000055555557988b in stats_transform_xslt (client=client@entry=0x7fffe0000ba0, uri=0x555555608020 "/status.xsl") at stats.c:1157
#3  0x000055555558d3e7 in add_authenticated_listener (mount=<optimized out>, mount@entry=0x555555608020 "/status.xsl", mountinfo=<optimized out>, client=client@entry=0x7fffe0000ba0) at auth.c:537
#4  0x000055555558dfa0 in auth_postprocess_listener (auth_user=0x7fffe80017c0) at auth.c:585
#5  auth_new_listener (auth_user=0x7fffe80017c0) at auth.c:274
#6  auth_new_listener (auth_user=0x7fffe80017c0) at auth.c:251
#7  0x000055555558e12d in auth_run_thread (arg=arg@entry=0x55555560fb20) at auth.c:397
#8  0x000055555559c841 in _start_routine (arg=0x7fffe8001870) at thread.c:768
#9  0x00007ffff75ccac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#10 0x00007ffff765e850 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
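
A simplified C model of the condition described in the last comment, added here as an example and not taken from icecast-kh's source: a transform that reads through `client->worker` is reached both from a worker thread and from the auth thread, where the pointer is empty. The struct layouts, the `now_ms` field, all function names and the "hand the client back to a worker" fallback are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins; these are not icecast-kh's real structures. */
struct worker { long now_ms; };                 /* per-worker state (assumed field) */
struct client { struct worker *worker; const char *uri; };
enum { XFORM_OK = 0, XFORM_NO_WORKER = -1 };

/* Shape of the reported fault: reads through client->worker unconditionally,
 * so a client processed off the worker threads dereferences NULL. */
long transform_unchecked(const struct client *c) {
    return c->worker->now_ms;
}

/* Checked variant: report the missing worker instead of dereferencing it. */
int transform_checked(const struct client *c, long *stamp) {
    if (c == NULL || c->worker == NULL)
        return XFORM_NO_WORKER;
    *stamp = c->worker->now_ms;
    return XFORM_OK;
}

/* Unauthenticated path: the worker thread handling the request owns the client. */
int serve_on_worker(struct worker *w, struct client *c, long *stamp) {
    c->worker = w;
    return transform_checked(c, stamp);
}

/* Authenticated path: the auth thread finishes the request with no worker attached.
 * On XFORM_NO_WORKER the client is handed back to a worker and retried there. */
int serve_after_auth(struct worker *fallback, struct client *c, long *stamp) {
    c->worker = NULL;
    if (transform_checked(c, stamp) == XFORM_OK)
        return XFORM_OK;
    return serve_on_worker(fallback, c, stamp);
}

/* Constructed scenario: returns the stamp read after the auth path falls back. */
long demo_auth_path(void) {
    struct worker w = { 1234 };
    struct client c = { NULL, "/status2.xsl" };
    long stamp = 0;
    return serve_after_auth(&w, &c, &stamp) == XFORM_OK ? stamp : -1;
}

int main(void) {
    printf("auth path stamp: %ld\n", demo_auth_path());
    return 0;
}
```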