Information Disclosure: Medium
The RAOP authentication header construction leaves sensitive material
on the stack after the function returns: Base64-encoded credentials in
enc[], MD5 password-derived hashes in h1/h2/resp[], and the assembled
Authorization header in auth[]. These persist in stack memory and can
be recovered via core dumps, memory disclosure vulnerabilities, or
cold boot attacks.
The plaintext password buffer (buf[]) was already properly cleared with
explicit_bzero, but the derived credential buffers were not. Apply
explicit_bzero to enc, h1, h2, resp, and auth before returning.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Information Disclosure: High
The RTSP client logs all HTTP headers and full RTSP request messages
at INFO level, which includes Authorization headers containing
credentials (Base64-encoded for Basic auth, hash responses for Digest
auth). The WWW-Authenticate challenge header with realm and nonce
values is also logged at INFO level.
INFO-level logs are commonly collected by system logging daemons and
may be stored in world-readable log files, exposing credentials.
Downgrade all three logging calls to DEBUG level, which is only
enabled during explicit debugging sessions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Information Disclosure: Medium
The MD5_hash() function formats password material into a 1024-byte
stack buffer for hashing but never clears it afterward. Similarly,
the Basic auth path in rtsp_add_raop_auth_header() formats
username:password into a stack buffer without clearing it.
These buffers remain on the stack after the functions return, and
could be exposed through memory disclosure vulnerabilities, core
dumps, or memory inspection.
Clear the buffers with explicit_bzero() immediately after they are
no longer needed, consistent with the existing practice of clearing
the password before freeing in impl_destroy().
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Information Disclosure: Medium
The RAOP authentication password was freed without first clearing the
memory contents. This leaves the plaintext password in freed heap
memory where it could be recovered by an attacker with access to
process memory (e.g. via /proc/pid/mem, core dumps, or a separate
memory safety vulnerability).
Use explicit_bzero() to securely clear the password before freeing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In rtsp_do_options_auth(), the return values of strdup() for
auth_method, realm, and nonce were not checked for NULL. If strdup()
fails due to memory exhaustion, spa_streq() on auth_method will
dereference NULL, and the realm/nonce pointers will be used later in
MD5_hash() causing NULL pointer dereferences.
Add NULL checks after each strdup() call, returning -ENOMEM on failure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Low
sprintf was used to format MD5 hex digest bytes into a fixed-size
buffer without explicit bounds. While the output is bounded by the
fixed MD5 digest length (16 bytes = 32 hex chars), using snprintf
with an explicit size of 3 (2 hex chars + null) ensures correctness
even if the surrounding code changes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a function that accepts the size of the position array when reading
the audio positions. This makes it possible to decouple the position
array size from SPA_AUDIO_MAX_CHANNELS.
Also use SPA_N_ELEMENTS to pass the number of array elements to
functions instead of a fixed constant. This makes it easier to change
the array size later to a different constant without having to patch up
all the places where the size is used.
Instead of using timerfd, use the context timer-queue to schedule
timeouts. This saves fds and removes some redundant code.
Make the rtp-source timeout and standby code a bit better by using
atomic operations.
pw_stream now handles the other (output) latency for us, it will keep
the param and report it. If we are not interested in upstream latency we
don't have to parse and store it and we can just be concerned with the
latency we report on our input port (input latency).
The state_changed callbacks fulfill multiple roles, which is both a problem
regarding separation of concerns and regarding code clarity. De facto,
these callbacks cover error reporting, opening connections, and closing
connection, all in one, depending on a state that is arguably an internal
stream detail. The code in these callbacks tie these internal states to
assumptions that opening/closing callbacks is directly tied to specific
state changes in a common way, which is not always true. For example,
stopping the stream may not _actually_ stop it if a background send timer
is still running.
The notion of a "state_changed" callback is also problematic because the
pw_streams that are used in rtp-sink and rtp-source also have a callback
for state changes, causing confusion.
Solve this by replacing state_changed with three new callbacks:
1. report_error : Used for reporting nonrecoverable errors to the caller.
Note that currently, no one does such error reporting, but the feature
does exist, so this callback is introduced to preserve said feature.
2. open_connection : Used for opening a connection. Its optional return
value informs about success or failure.
3. close_connection : Used for opening a connection. Its optional return
value informs about success or failure.
Importantly, these callbacks do not export any internal stream state. This
improves encapsulation, and also makes it possible to invoke these
callbacks in situations that may not neatly map to a state change. One
example could be to close the connection as part of a stream_start call
to close any connection(s) left over from a previous run. (Followup commits
will in fact introduce such measures.)
config.h needs to be consistently included before any standard headers
if we ever want to set feature test macros (like _GNU_SOURCE or whatever)
inside. It can lead to hard-to-debug issues without that.
It can also be problematic just for our own HAVE_* that it may define
if it's not consistently made available before our own headers. Just
always include it first, before everything.
We already did this in many files, just not consistently.
Add support for FairPlay SAP v2.5 (encryption type 5) type devices such as Apple Home Pod Minis.
Apparently only these devices require the `POST /feedback` heartbeat, so fix that.
Initialize the byte array with bytes instead of a string because the 0
byte at the end of the string does not fit in the array and causes a
compiler warning.
Intercept the Output Latency paran and parse it for later.
Use the computed latency as the ProcessLatency and expose this
as the ProcessLatency param and the updated Input latency.
Accept updates to ProcessLatency to modify the latency, which then also
updates the Input Latency param.
See #4270
32 bits are enough, and additionally this also fixes an incorrect
format string, which caused the default `audio.rate` to be
incorrectly set on some platforms, such as 32-bit arm ones.
Fixes#4080
Since `spa/utils/cleanup.h` is not a private header anymore, there is
no need for a separate `pipewire/cleanup.h` since the definitions of
the cleanup routines can now be moved into the respective headers.
As part of LibreSSL's cleanup of removed ENGINE support, <openssl/x509.h> is no longer included in <openssl/engine.h>. <openssl/evp.h> was transiently included in <openssl/x509.h>, compared to <openssl/rand.h> for OpenSSL.
We first need to do the setup, which we start when setting the Format
param.
This causes the module to unload when starting pavucontrol because it
tries to start the record in the wrong state.
See #3778
The Pro Link 1 replies with Audio-latency=0, patch that up to
1500ms to make it work again.
Previously it configured 1500ms as the default latency but that seems
unnecessary in the usual case.
Fixes#3698
The RTSP FLUSH request does not seem to be required.
This change also fixes an issue where another RECORD request is
erroneously sent when the stream switches back from paused to streaming
by only setting `impl->streaming = false` in `rtsp_do_teardown()`.
Use both the volume and mute to decide what volume to send.
Don't let the mute state overwrite the volume. Also never mute the
stream.
Pressing mute and unmute restores the previous volume this way.
The volume interval that RAOP devices understand is [-30,0],
where -30.0 equals min vol, and 0.0 equals max. vol.
The local system volume is represented as a cubic (volumetric)
value in the [0,1] interval.
So cube root system volume value, scale by 30 and
translate -30 to map to target output range.
The special value -144 denotes volume mute. Send a corresponding RTSP
message when mute is not already toggled on.
