Icecast-Server issueshttps://gitlab.xiph.org/xiph/icecast-server/-/issues2024-01-14T14:15:37Zhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2472Locking issue with logging2024-01-14T14:15:37ZPhilipp SchafftLocking issue with loggingCurrently the signal handlers as well as the event subsystem's exec backend logs messages. Those seem to be subject to restrictions on the logging code's locking. This can result in the process hanging. It is unclear whether or not this ...Currently the signal handlers as well as the event subsystem's exec backend logs messages. Those seem to be subject to restrictions on the logging code's locking. This can result in the process hanging. It is unclear whether or not this may also corrupt the process in any way.
See also (likely unrelated): #2231https://gitlab.xiph.org/xiph/icecast-server/-/issues/2450a potential bug of NPD2022-09-06T00:08:21Zash1852a potential bug of NPDHi, I found a potential null pointer dereference bug in the project source code of icecast-Server, and I have shown the execution sequence of the program that may generate the bug on the graph below. The red text illustrates the steps th...Hi, I found a potential null pointer dereference bug in the project source code of icecast-Server, and I have shown the execution sequence of the program that may generate the bug on the graph below. The red text illustrates the steps that generate the bug, the red arrows represent the control flow,the file path can be seen in the blue framed section.
![image](/uploads/92074055051bc53bda3046f7bc09838d/image.png)
Although the code shown is for the latest but is still exist in current version. (https://gitlab.xiph.org/xiph/icecast-server/-/blob/master/src/format_ogg.c#L452-L454)
would you can help to check if this bug is true?thank you for your effort and patience!Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2438Segfault when public is "True"2022-11-09T10:21:58ZAlexey ParamonovSegfault when public is "True"[icecast_3.conf](/uploads/6b3b69fb7077a4dc5364951670846a74/icecast_3.conf)
Icecast 2.5 (Icecast 2.4.99.3) dies with a segfault if there are the following lines in the config file:
```
<public>1</public>
<stream-name>Click Yo...[icecast_3.conf](/uploads/6b3b69fb7077a4dc5364951670846a74/icecast_3.conf)
Icecast 2.5 (Icecast 2.4.99.3) dies with a segfault if there are the following lines in the config file:
```
<public>1</public>
<stream-name>Click Your Radio Dutch</stream-name>
<stream-description>The best in Dutch Music and Comedy</stream-description>
<stream-url>www.clickyourradio.com</stream-url>
<genre>Music &amp; Comedy</genre>
```
Complete config file is attachedPhilipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2433Icecast2.5 beta3 crash with FLAC relay2023-06-07T13:00:21ZSySERRIcecast2.5 beta3 crash with FLAC relayOne of Icecast2 servers is playing a stream in FLAC format in an OGG container. If I configure this as a relay on another Icecast2 2.5 beta3 server, it crashes immediately after Icecast2 2.5 beta3 startup.
The stream with the problem, wh...One of Icecast2 servers is playing a stream in FLAC format in an OGG container. If I configure this as a relay on another Icecast2 2.5 beta3 server, it crashes immediately after Icecast2 2.5 beta3 startup.
The stream with the problem, which plays without any problems.
The configuration for the relay is as follows:
```
<mount>
<mount-name>/oxygenmusic_flac</mount-name>
<relay>
<upstream type="normal">
<uri>http://oxygenmusic.hu:8000/oxygenmusic_flac</uri>
</upstream>
</relay>
</mount>
```
error.log:
```
[2022-03-20 08:46:24] INFO stats/_stats_thread stats thread started
[2022-03-20 08:46:24] INFO fserve/fserve_initialize file serving started
[2022-03-20 08:46:24] INFO main/main Icecast 2.4.99.3 server started
[2022-03-20 08:46:24] INFO main/main Server's PID is 13519
[2022-03-20 08:46:24] INFO main/__log_system_name Running on mscppro-dev; OS: Linux 4.9.0-15-amd64, mscppro-dev, #1 SMP Debian 4.9.258-1 (2021-03-08), x86_64; Address Bits: 64
[2022-03-20 08:46:24] INFO main/__log_system_name From configuration: Our hostname is "dev2.mscp.pro", located "MSCP", with admin contact "mscp@localhost"
[2022-03-20 08:46:24] DBUG yp/yp_recheck_config Updating YP configuration
[2022-03-20 08:46:24] INFO yp/yp_update_thread YP update thread started
[2022-03-20 08:46:24] INFO connection/get_tls_certificate No TLS capability on any configured ports
[2022-03-20 08:46:24] DBUG listensocket/listensocket_accept Client (sock=8, ip="::ffff:127.0.0.1") on socket 0x5556491a7fc0 (-).
[2022-03-20 08:46:24] DBUG client/client_create Client 0x5556491b7bc0 created on connection 0x5556491b7b40 (connection ID: 0, sock=8, socket real: 0x5556491a7fc0 (-), socket effective: 0x5556491a7fc0 (-); global: 1 of 2000)
[2022-03-20 08:46:24] DBUG listensocket/listensocket_accept Client (sock=9, ip="::ffff:127.0.0.1") on socket 0x5556491a7fc0 (-).
[2022-03-20 08:46:24] DBUG client/client_create Client 0x5556491b7ff0 created on connection 0x5556491b7f70 (connection ID: 1, sock=9, socket real: 0x5556491a7fc0 (-), socket effective: 0x5556491a7fc0 (-); global: 2 of 2000)
[2022-03-20 08:46:24] DBUG client/client_destroy Called to destroy client 0x5556491b7bc0 on connection 0x5556491b7b40 (connection ID: 0, sock=8)
[2022-03-20 08:46:24] DBUG connection/connection_close Closing connection 0x5556491b7b40 (connection ID: 0, sock=8)
[2022-03-20 08:46:24] DBUG client/client_destroy Called to destroy client 0x5556491b7ff0 on connection 0x5556491b7f70 (connection ID: 1, sock=9)
[2022-03-20 08:46:24] DBUG connection/connection_close Closing connection 0x5556491b7f70 (connection ID: 1, sock=9)
[2022-03-20 08:46:25] DBUG stats/modify_node_event update global clients (1)
[2022-03-20 08:46:25] DBUG stats/modify_node_event update global connections (1)
[2022-03-20 08:46:25] DBUG stats/modify_node_event update global clients (2)
[2022-03-20 08:46:25] DBUG stats/modify_node_event update global connections (2)
[2022-03-20 08:46:25] DBUG stats/modify_node_event update global clients (1)
[2022-03-20 08:46:25] DBUG stats/modify_node_event update global clients (0)
[2022-03-20 08:46:25] DBUG slave/_slave_thread checking master stream list
[2022-03-20 08:46:25] DBUG slave/check_relay_stream Adding relay source at mountpoint "/oxygenmusic_flac"
[2022-03-20 08:46:25] INFO slave/start_relay_stream Starting relayed source at mountpoint "/oxygenmusic_flac"
[2022-03-20 08:46:25] DBUG slave/start_relay_stream For relay on mount "/oxygenmusic_flac", trying upstream #0
[2022-03-20 08:46:25] INFO slave/open_relay_connection connecting to oxygenmusic.hu:8000
[2022-03-20 08:46:25] DBUG client/client_create Client 0x7fac880015b0 created on connection 0x7fac88001340 (connection ID: 2, sock=8, socket real: (nil) (-), socket effective: (nil) (-); global: 1 of 2000)
[2022-03-20 08:46:25] DBUG client/client_complete Client 0x7fac880015b0 has request_body_length=-1
[2022-03-20 08:46:25] DBUG connection/connection_complete_source sources count is 0
[2022-03-20 08:46:25] DBUG source/source_apply_mount Applying mount information for "/oxygenmusic_flac"
[2022-03-20 08:46:25] DBUG source/source_apply_mount YP changed to 1
[2022-03-20 08:46:25] DBUG source/source_update_settings public set to 1
[2022-03-20 08:46:25] DBUG source/source_update_settings max listeners to -1
[2022-03-20 08:46:25] DBUG source/source_update_settings queue size to 524288
[2022-03-20 08:46:25] DBUG source/source_update_settings burst size to 196608
[2022-03-20 08:46:25] DBUG source/source_update_settings source timeout to 2
[2022-03-20 08:46:25] DBUG source/source_update_settings fallback_when_full to 0
[2022-03-20 08:46:25] DBUG connection/connection_complete_source source is ready to start
[2022-03-20 08:46:25] DBUG source/source_init Source creation complete
[2022-03-20 08:46:25] DBUG format-vorbis/initial_vorbis_page checking for vorbis codec
[2022-03-20 08:46:25] DBUG format-theora/initial_theora_page checking for theora codec
[2022-03-20 08:46:25] DBUG format-midi/initial_midi_page checking for MIDI codec
[2022-03-20 08:46:25] DBUG format-flac/initial_flac_page checking for FLAC codec
[2022-03-20 08:46:25] INFO format-flac/initial_flac_page seen initial FLAC header
[2022-03-20 08:46:25] DBUG format-ogg/format_ogg_attach_header attaching BOS page
[2022-03-20 08:46:25] DBUG format-ogg/format_ogg_attach_header attaching header page
```Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2410URL auth does not work with HTTP/2 servers2023-01-03T10:21:48ZMarvin ScholzURL auth does not work with HTTP/2 serversUsing URL auth with a HTTP/2 capable sever does not work properly:
```text
[2021-04-25 13:40:34] DBUG auth_url/handle_returned_header Got header: "HTTP/2 200 .."
[2021-04-25 13:40:34] DBUG auth_url/handle_returned_header Got header: "...Using URL auth with a HTTP/2 capable sever does not work properly:
```text
[2021-04-25 13:40:34] DBUG auth_url/handle_returned_header Got header: "HTTP/2 200 .."
[2021-04-25 13:40:34] DBUG auth_url/handle_returned_header Got header: "date: Sun, 25 Apr 2021 11:40:34 GMT.."
[2021-04-25 13:40:34] DBUG auth_url/handle_returned_header Got header: "server: Apache.."
[2021-04-25 13:40:34] DBUG auth_url/handle_returned_header Got header: "x-icecast-auth-result: ok.."
[2021-04-25 13:40:34] DBUG auth_url/handle_returned_header Got header: "x-icecast-auth-alter-action: redirect_permanent.."
[2021-04-25 13:40:34] DBUG auth_url/handle_returned_header Got header: "x-icecast-auth-alter-argument: https://stream.example.com/hits/highquality.."
[2021-04-25 13:40:34] DBUG auth_url/handle_returned_header Got header: "content-type: application/json.."
[2021-04-25 13:40:34] DBUG auth_url/handle_returned_header Got header: ".."
[2021-04-25 13:40:34] EROR auth_url/handle_returned_header__complete Can not parse auth backend reply.
```https://gitlab.xiph.org/xiph/icecast-server/-/issues/2400global stats key listeners incorrect after client got dropped from pending_tr...2021-03-22T23:22:29ZPhilipp Schafftglobal stats key listeners incorrect after client got dropped from pending_tree for max_listenersThe global stats key `listeners` is incorrect after a client is dropped from the `pending_tree` as the mount is full. this happens on client move (as per admin request or fallback).
The code can be found looking in source.c for:
```
...The global stats key `listeners` is incorrect after a client is dropped from the `pending_tree` as the mount is full. this happens on client move (as per admin request or fallback).
The code can be found looking in source.c for:
```
ICECAST_LOG_INFO("Client deleted, exceeding maximum listeners for this "
"mountpoint (%s).", source->mount);
```https://gitlab.xiph.org/xiph/icecast-server/-/issues/2396Unifiy <xsl:output>-settings for web/ and admin/2020-10-09T16:38:28ZPhilipp SchafftUnifiy <xsl:output>-settings for web/ and admin/`<xsl:output>`-settings must match web/ and admin/ as they share some templates.`<xsl:output>`-settings must match web/ and admin/ as they share some templates.Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2377Icecast leaks memory in speex module when probing for codecs2019-06-28T08:06:23ZPhilipp SchafftIcecast leaks memory in speex module when probing for codecsIcecast currently leaks memory in codec probing within the speex module. This happens if the initial packet has less then 80 bytes.Icecast currently leaks memory in codec probing within the speex module. This happens if the initial packet has less then 80 bytes.Philipp SchafftPhilipp Schafft2019-06-28https://gitlab.xiph.org/xiph/icecast-server/-/issues/2373Incorrect status code2020-10-15T16:20:55ZPhilipp SchafftIncorrect status codeIn case of 'mountpoint will not accept URL updates' and other admin errors Icecast might send incorrect HTTP status headers.
This happens at least in branch ph3-mdoule-client-tests.In case of 'mountpoint will not accept URL updates' and other admin errors Icecast might send incorrect HTTP status headers.
This happens at least in branch ph3-mdoule-client-tests.Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2372Icecast 'locks up' on SIGHUP if there are duplicate listener-sockets in the c...2020-10-10T10:13:32ZThomas B. RückerIcecast 'locks up' on SIGHUP if there are duplicate listener-sockets in the configAs reported by 'szett' on IRC.
Excerp of the offending config file:
<listen-socket>
<port>8000</port>
<!-- <bind-address>127.0.0.1</bind-address> -->
<!-- <shoutcast-mount>/stream</shoutcast-mount> -->
</li...As reported by 'szett' on IRC.
Excerp of the offending config file:
<listen-socket>
<port>8000</port>
<!-- <bind-address>127.0.0.1</bind-address> -->
<!-- <shoutcast-mount>/stream</shoutcast-mount> -->
</listen-socket>
<!-- SOCKET FOR SOURCES -->
<listen-socket>
<port>8000</port>
<!-- <bind-address>127.0.0.1</bind-address> -->
<!-- <shoutcast-mount>/stream</shoutcast-mount> -->
</listen-socket>Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2370Url events don't work when an "action" option is configured2019-02-02T04:30:49Zspr0cketeerUrl events don't work when an "action" option is configured```
<event-bindings>
<event type="url" trigger="source-connect">
...
...
<option name="action" value="mount_add" />
```
Bug is in event_url.c:event_get_url()
https://gitlab.xiph.org/xiph/icecast-server/blob/master/s...```
<event-bindings>
<event type="url" trigger="source-connect">
...
...
<option name="action" value="mount_add" />
```
Bug is in event_url.c:event_get_url()
https://gitlab.xiph.org/xiph/icecast-server/blob/master/src/event_url.c#L134
Should be `free(self->action)` not `free(self->url)`https://gitlab.xiph.org/xiph/icecast-server/-/issues/2366Icecast does list POST support for Admin interface but has it disabled for le...2019-02-02T04:30:49ZPhilipp SchafftIcecast does list POST support for Admin interface but has it disabled for legacy-global-sourceIcecast lists POST support in it's Allow. However it is by default disabled for legacy-global-source on admin/. POST should be allowed as well.Icecast lists POST support in it's Allow. However it is by default disabled for legacy-global-source on admin/. POST should be allowed as well.Philipp SchafftPhilipp Schafft2018-12-14https://gitlab.xiph.org/xiph/icecast-server/-/issues/2356Icecast does not handle HTTP Upgrade as to RFC2018-12-14T03:48:15ZPhilipp SchafftIcecast does not handle HTTP Upgrade as to RFCCurrently Icecast 2.5.x does not handle HTTP upgrades correctly. It does not send the final reply to the request doing the upgrade.Currently Icecast 2.5.x does not handle HTTP upgrades correctly. It does not send the final reply to the request doing the upgrade.Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2355DoS vector using incorrect TLS teardown2018-12-07T13:48:18ZPhilipp SchafftDoS vector using incorrect TLS teardownWhen in a TLS SOURCE connection the socket is closed without TLS teardown Icecast will read from the socket in a tight endless loop. This locks up the corresponding thread.
Affected at least: Icecast 2.4.4, Icecast 2.5 beta 2.
May be re...When in a TLS SOURCE connection the socket is closed without TLS teardown Icecast will read from the socket in a tight endless loop. This locks up the corresponding thread.
Affected at least: Icecast 2.4.4, Icecast 2.5 beta 2.
May be related to OpenSSL version. Tested with version 1.0.1t.Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2346Icecast does not support absolute-form, and authority-form requests2018-11-06T08:33:24ZPhilipp SchafftIcecast does not support absolute-form, and authority-form requestsIcecast currently does not support absolute-form, and authority-form requests as per Section 5.3.2/5.3.3 of RFC7230. This is a "MUST" requirement as per RFC.Icecast currently does not support absolute-form, and authority-form requests as per Section 5.3.2/5.3.3 of RFC7230. This is a "MUST" requirement as per RFC.Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2342Security vulnerability: buffer overflow in URL authentication allows remote c...2018-11-05T08:00:08ZNick RolfeSecurity vulnerability: buffer overflow in URL authentication allows remote code executionHello,
I would like to report a security vulnerability in the Icecast server.
## The bug
`url_add_client` in `auth_url.c` contains this call inside a loop:
```
post_offset += snprintf(post + post_offset,
sizeo...Hello,
I would like to report a security vulnerability in the Icecast server.
## The bug
`url_add_client` in `auth_url.c` contains this call inside a loop:
```
post_offset += snprintf(post + post_offset,
sizeof(post) - post_offset,
"&%s%s=%s",
url->prefix_headers ? url->prefix_headers : "",
cur_header, header_valesc);
```
If the string to be written is longer than `sizeof(post) - post_offset`, `snprintf` will truncate the string, but will return *the number of bytes it would have written if the buffer were large enough*. This means that `post_offset` is incremented to be larger than `sizeof(post)`, and any subsequent iteration of the loop will write beyond the end of the buffer.
## Proof of concept
I configured a mount using URL authentication that forwards two headers:
```
<mount type="normal">
<mount-name>/auth_url.ogg</mount-name>
<authentication type="url">
<option name="headers" value="x-foo,x-bar"/>
...
</authentication>
</mount>
```
My Icecast server was running on localhost, port 8000, and then I ran the following Bash script:
```
foo=$(python -c "print('a' * 3950)")
bar=123456789123456789
curl -H "x-foo: $foo" -H "x-bar: $bar" http://localhost:8000/auth_url.ogg
```
The `x-foo` header was truncated, but it caused `postoffset` to be incremented beyond the size of the buffer, as described above. The subsequent handling of the `x-bar` header overwrote other stack contents, causing my Icecast server to crash:
```
*** stack smashing detected ***: <unknown> terminated
Aborted (core dumped)
```
By controlling the length of the `x-foo` header, and the contents of the `x-bar` header, it seems likely that remote code execution would be possible.
## Related bug
Our automated analysis highlighted this bug, and another similar misuse of `snprintf` in `format_prepare_headers` in `format.c`, but I did not investigate whether that one would be exploitable.
Those analysis results are visible here: https://lgtm.com/projects/g/xiph/Icecast-Server/alerts/?mode=tree&ruleFocus=1505913226124
## Disclosure
Please let me know when you have fixed the vulnerability, so that we can coordinate our disclosure with yours. For reference, here is a link to our vulnerability disclosure policy: https://lgtm.com/security
Thanks!
--Nick Rolfe, Semmle Security Research TeamThomas B. RückerThomas B. Rückerhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2336Icecast 2.5.x relays not working2018-07-26T10:19:39ZPhilipp SchafftIcecast 2.5.x relays not workingRelays do not work.
In master since 4a10d7e74422b7c3a31d4677e12f5aa3ce52474f.
client->request_body_length is not correctly set up leading to body read limit (client->request_body_length=0). client generally may not be in correct state.Relays do not work.
In master since 4a10d7e74422b7c3a31d4677e12f5aa3ce52474f.
client->request_body_length is not correctly set up leading to body read limit (client->request_body_length=0). client generally may not be in correct state.Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2335`<no-mount>` (`<mount>`'s child) is noop in 2.5.x2021-04-14T10:51:43ZPhilipp Schafft`<no-mount>` (`<mount>`'s child) is noop in 2.5.xThe tag `<no-mount>` (which is a child element of `<mount>`) doesn't seem to do anything in 2.5.x. However according to source code comment it should disallow direct access to the mount.
This may interact with the ACL system.The tag `<no-mount>` (which is a child element of `<mount>`) doesn't seem to do anything in 2.5.x. However according to source code comment it should disallow direct access to the mount.
This may interact with the ACL system.Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2328When configuration file is invalid, icecast hangs indefinitely2018-06-16T20:30:29ZMarcin LewandowskiWhen configuration file is invalid, icecast hangs indefinitelyI am running icecast 2.4.3 on ubuntu 16.04, compiled from sources.
I have found out that if given XML config has invalid syntax, it outputs error but do not terminate the process. It is quite painful as it is not easily possible to chec...I am running icecast 2.4.3 on ubuntu 16.04, compiled from sources.
I have found out that if given XML config has invalid syntax, it outputs error but do not terminate the process. It is quite painful as it is not easily possible to check if service is running or not, as process exists.
```
/usr/bin/icecast -c /etc/icecast/icecast.xml
/etc/icecast/icecast.xml:1: parser error : Document is empty
FATAL: error parsing config file (/etc/icecast/icecast.xml)
XML config parsing error
```https://gitlab.xiph.org/xiph/icecast-server/-/issues/2056On-demand relay mount vanishes shortly right after last player disconnects2023-02-27T11:40:50ZMarvin ScholzOn-demand relay mount vanishes shortly right after last player disconnectsIf a on demand relay is configured, and the last listener disconnects, it vanishes from the stats for a short period of time.
This is because in `source.c` the `source_shutdown()` function deletes the source stats:
```
stats_event(so...If a on demand relay is configured, and the last listener disconnects, it vanishes from the stats for a short period of time.
This is because in `source.c` the `source_shutdown()` function deletes the source stats:
```
stats_event(source->mount, NULL, NULL);
```
There would be different approaches to fix this:
1. Do not fix it at all
2. If it is a on-demand mount, only remove the data that will probably change
3. Remove all data and trigger immediate refresh of mount data (inefficient?)Thomas B. RückerThomas B. Rücker