File and Resource Handling: High
The pipe-tunnel module creates FIFOs and then adjusts their
permissions using chmod() on the path. Between mkfifo() and
chmod(), an attacker with write access to the directory (e.g.,
/tmp with the default hardcoded paths) can delete the FIFO and
replace it with a symlink to a target file. The chmod(0666) then
changes permissions on the symlink target, allowing the attacker
to make arbitrary files world-readable/writable.
Fix by:
1. Adding O_NOFOLLOW to the open() call so symlinks are rejected
at open time rather than followed.
2. Moving the permission change from chmod() (path-based, follows
symlinks) to fchmod() (fd-based, operates on the already-opened
and validated file descriptor), and doing it after the fstat
S_ISFIFO check confirms we opened an actual FIFO.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Medium
In both module-netjack2-driver.c and module-netjack2-manager.c, the
socket buffer size is computed as:
NETWORK_MAX_LATENCY * (mtu + period_size * sizeof(float) * n_ports)
This arithmetic is performed in int (signed 32-bit) but the
intermediate values can exceed INT_MAX with large but valid network
parameters. Signed integer overflow is undefined behavior in C,
and the resulting negative value passed to setsockopt would set an
incorrect socket buffer size.
Fix by widening the intermediate computation to size_t and clamping
the result to INT_MAX before storing in the int variable.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Medium
In update_delay(), the delay compensation size is computed as
delay * sizeof(float) where delay is int64_t but size is uint32_t.
When the delay value is very large, the multiplication result
truncates to a small uint32_t value. This causes an undersized
buffer allocation in resize_delay(), while compensate_samples
retains the original large value. Subsequent use of
compensate_samples could then write past the end of the buffer.
A negative delay (possible if delay_samples overflows) would also
produce a large unsigned size due to implicit conversion.
Fix by clamping the delay to be non-negative and within the maximum
delay buffer size before the multiplication, ensuring the size
cannot truncate or wrap.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Medium
In recalculate_buffer(), the buffer size computation
(delay + (1u<<15)) * 4 can overflow uint32_t when delay is large.
Additionally, the subsequent multiplication buffer_size * channels
for the realloc size can also overflow uint32_t, wrapping to a
small value and causing an undersized allocation. Later writes to
the buffer using the logical buffer_size would then overflow the
heap.
The delay value derives from rate * target_delay where both values
come from stream negotiation properties.
Fix by adding an overflow check on the delay computation and
widening the allocation size to size_t to prevent the second
overflow.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In netjack2_init(), several buffer sizes are computed by multiplying
network-provided session parameters (period_size, channel counts,
kbps) without overflow checks. A malicious network peer can send
crafted session parameters that cause these multiplications to
overflow, resulting in undersized buffer allocations. Subsequent
writes to these buffers then overflow the heap.
Specific issues fixed:
1. midi_size = period_size * sizeof(float) * max_midi_channels can
overflow, causing calloc to allocate a small buffer.
2. encoded_size = max_encoded_size * max_audio_channels can overflow
for both INT and OPUS encoders.
3. OPUS kbps * period_size * 1024 numerator can overflow uint32_t;
widen to uint64_t for the intermediate calculation.
4. Division by zero if sample_rate is 0 in OPUS encoder path.
5. Missing NULL checks on calloc for empty and midi_data buffers.
6. Channel counts not capped to MAX_CHANNELS before use.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In vban_midi_receive(), the received buffer is cast to struct
vban_header and its n_frames field is accessed before validating
that the packet is large enough to contain the header. A truncated
packet shorter than VBAN_HEADER_SIZE would cause an out-of-bounds
read.
Fix by checking that len >= VBAN_HEADER_SIZE before accessing the
header, matching the fix applied to vban_audio_receive().
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In vban_audio_receive(), the received buffer is cast to struct
vban_header and its fields are accessed before validating that the
packet is large enough to contain the header. If a truncated packet
shorter than VBAN_HEADER_SIZE is received, this reads past the end
of the buffer.
Additionally, when len < hlen, the plen calculation (len - hlen)
produces a negative ssize_t value which, when used in the unsigned
division plen / stride, gets implicitly converted to a very large
value, potentially causing further out-of-bounds reads.
Fix by checking that len >= VBAN_HEADER_SIZE before accessing the
header.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Information Disclosure: Medium
The MD5_hash() function formats password material into a 1024-byte
stack buffer for hashing but never clears it afterward. Similarly,
the Basic auth path in rtsp_add_raop_auth_header() formats
username:password into a stack buffer without clearing it.
These buffers remain on the stack after the functions return, and
could be exposed through memory disclosure vulnerabilities, core
dumps, or memory inspection.
Clear the buffers with explicit_bzero() immediately after they are
no longer needed, consistent with the existing practice of clearing
the password before freeing in impl_destroy().
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In netjack2_recv_float(), several values from untrusted network packet
headers are used in arithmetic without overflow protection:
1. active_ports from the network header had no upper bound check. A
very large value causes `active_ports * sub_period_bytes` to
overflow uint32_t, producing a small value that passes the length
check, then the loop iterates out of bounds on the receive buffer.
2. The sub_cycle bounds check `sub_cycle * sub_period_size >
quantum_limit` can overflow, allowing a large sub_cycle to pass
the check and cause an out-of-bounds write when computing the
destination offset.
Fix by capping active_ports to MAX_CHANNELS, casting to size_t for the
length check to prevent overflow, and rewriting the sub_cycle check as
a division to avoid overflow.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In netjack2_recv_midi(), the offset calculation `max_size * sub_cycle`
uses sub_cycle from an untrusted network packet header. A large
sub_cycle value could cause integer overflow, producing a small offset
that passes the subsequent bounds check and leads to an out-of-bounds
write into the MIDI data buffer.
Similarly, the bounds check `offset + len < midi_size` could itself
overflow, and the `used` size calculation from network-controlled
event_count and write_pos fields could overflow to bypass the size
check.
Fix by adding an explicit overflow check before the multiplication,
rewriting the bounds check to use subtraction (which cannot overflow
after the prior check), and adding an underflow check on the `used`
calculation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In ensure_size(), the check `m->length + size <= m->allocated` could
overflow when both m->length and size are large uint32_t values,
wrapping around to a small number and incorrectly passing the bounds
check. This could allow writing past the end of the allocated buffer.
Rewrite the check as `size <= m->allocated - m->length` which cannot
overflow since we already verified m->length <= m->allocated. Also add
an explicit overflow check for the new allocation size calculation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Information Disclosure: Medium
The RAOP authentication password was freed without first clearing the
memory contents. This leaves the plaintext password in freed heap
memory where it could be recovered by an attacker with access to
process memory (e.g. via /proc/pid/mem, core dumps, or a separate
memory safety vulnerability).
Use explicit_bzero() to securely clear the password before freeing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
In rtsp_do_options_auth(), the return values of strdup() for
auth_method, realm, and nonce were not checked for NULL. If strdup()
fails due to memory exhaustion, spa_streq() on auth_method will
dereference NULL, and the realm/nonce pointers will be used later in
MD5_hash() causing NULL pointer dereferences.
Add NULL checks after each strdup() call, returning -ENOMEM on failure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: High
Three malloc calls for ring buffers (rec_buffer, play_buffer,
out_buffer) had no NULL checks. If any allocation fails, the
NULL pointers would be passed to memset and ringbuffer
operations in reset_buffers(), causing a NULL pointer
dereference crash.
Additionally, the ring size calculations used uint32_t
arithmetic which could overflow with large user-configurable
buffer.max_size values. Cast to size_t to perform the
multiplication in 64-bit, preventing intermediate overflow.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Low
sprintf was used to format MD5 hex digest bytes into a fixed-size
buffer without explicit bounds. While the output is bounded by the
fixed MD5 digest length (16 bytes = 32 hex chars), using snprintf
with an explicit size of 3 (2 hex chars + null) ensures correctness
even if the surrounding code changes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Memory Safety: Medium
sprintf was used to format a /proc path without bounds checking.
While pid_t values are practically bounded, using snprintf with
sizeof(root_path) ensures the buffer cannot overflow regardless
of the input value, following defense-in-depth principles.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
We don't need 2 convolvers anymore, we can use the same convolver with
2 outputs with the left and right ir.
Add latency option to the sofa plugin. I believe the latency of the
SOFA filters is by default 0, so use that.
Add support for multiple convolver outputs. This makes things more
efficient because we only need to do the input FFT once to produce the N
outputs.
Add convolver2 that can have multiple outputs.
We need to deactivate the graph when the format was cleared on both the
input and output. This means we got suspended and we need to clear. We
can safely do this now because we take the right locks.
1. The period calls were added to handle timeouts.
2. Handle the case where lock must be unlocked after 60s if the
controller owning the locked does not release it.
The object, node, client, factory, module, and link IDs are all uint32_t values but were being formatted with %d.
This would produce incorrect negative values if an ID ever exceeded INT_MAX
When a node is inactive but linked to a driver, the only reason it is
not being scheduled is because it is inactive.
We already set up the links and negotiate the format and buffers to
prepare going to RUNNING. This patch now also make the node go to IDLE,
which makes the adapter negotiate a forma and buffers with the internal
node.
This makes things more symetrical, when linking a node, it becomes IDLE,
when activating it becomes RUNNABLE, when inactive it goes back to IDLE.
The switch to RUNNING will also be faster when things are already set up
in the IDLE state.
The main advantage is that it allows us to implement the startup of
corked streams in pulseaudio better. Before this patch we had to set the
stream to active to make it go through the Format and buffer negotiation
and then quickly set it back to inactive, hopefully without skipping a
cycle. After this patch, the corked stream goes all the way to IDLE,
where it then waits to become active.
See #4991
When the search path is /usr/lib/, /usr/lib/foo.so fails to load because
there is no / after the search path. Fix this by requiring that either
the search path end with / or the following char is a /.
Add stream_setup_socket and stream_send ops to avb_transport_ops so the
stream data plane can use the same pluggable transport backend as the
control plane. Move the raw AF_PACKET socket setup from stream.c into
avdecc.c as raw_stream_setup_socket(), and add a raw_stream_send()
wrapper around sendmsg().
Add a stream list (spa_list) to struct server so streams can be iterated
after creation, and add stream_activate_virtual() for lightweight
activation without MRP/MAAP network operations.
Implement loopback stream ops: eventfd-based dummy sockets and no-op
send that discards audio data. This enables virtual AVB nodes that work
without network hardware or privileges.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a test suite for the AVB (Audio Video Bridging) protocol stack that
runs entirely in software, requiring no hardware, root privileges, or
running PipeWire daemon.
The loopback transport (avb-transport-loopback.h) replaces raw AF_PACKET
sockets with in-memory packet capture, using a synthetic MAC address and
eventfd for protocol handlers that need a valid fd.
Test utilities (test-avb-utils.h) provide helpers for creating test
servers, injecting packets, advancing time, and building ADP packets.
Tests cover:
- ADP entity available/departing/discover/timeout
- MRP attribute lifecycle (create, begin, join)
- Milan v1.2 mode server creation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Introduce struct avb_transport_ops vtable with setup/send_packet/
make_socket/destroy callbacks. The existing raw AF_PACKET socket code
becomes the default "raw" transport. avdecc_server_new() defaults to
avb_transport_raw if no transport is set, and avdecc_server_free()
delegates cleanup through the transport ops.
This enables alternative transports (e.g. loopback for testing) without
modifying protocol handler code.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fix two bugs in handle_cmd_lock_entity_milan_v12():
1. When server_find_descriptor() returns NULL, reply_status() was called
with the AEM packet pointer instead of the full ethernet frame,
corrupting the response ethernet header.
2. When refreshing an existing lock, the expire timeout was extended by
raw seconds (60) instead of nanoseconds (60 * SPA_NSEC_PER_SEC),
causing the lock to expire almost immediately after re-lock.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
handle_acquire_entity_avb_legacy() and handle_lock_entity_avb_legacy()
incorrectly treated the full ethernet frame pointer as the AEM packet
pointer, causing p->payload to read descriptor_type and descriptor_id
from the wrong offset. Fix by properly skipping the ethernet header,
matching the pattern used by all other AEM command handlers.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
In handle_connect_tx_command() and handle_disconnect_tx_command(),
AVB_PACKET_ACMP_SET_MESSAGE_TYPE() is called after the goto done
target. When find_stream() fails and jumps to done, the response
is sent with the original command message type (e.g., CONNECT_TX_COMMAND)
instead of the correct response type (CONNECT_TX_RESPONSE).
Move the SET_MESSAGE_TYPE call before find_stream() so error responses
are always sent with the correct response message type.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
AVB_MRP_SEND_NEW was defined as 0, making it indistinguishable from
"no pending send" in the MSRP and MVRP event handlers which check
`if (!pending_send)`. This meant that when an attribute was first
declared (applicant state VN or AN), the NEW message was silently
dropped instead of being transmitted on the network.
Fix by shifting all AVB_MRP_SEND_* values to start at 1, so that 0
unambiguously means "no send pending". Update the MSRP and MVRP
encoders to subtract 1 when encoding to the IEEE 802.1Q wire format
(which uses 0-based event values).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The msrp_notify() and mvrp_notify() functions call dispatch table
notify callbacks without checking for NULL. In MSRP, the
TALKER_FAILED attribute type has a NULL notify callback, which would
crash if a talker-failed attribute received a registrar state change
notification (e.g. RX_NEW triggering NOTIFY_NEW).
Add NULL checks before calling the dispatch notify callbacks, matching
the defensive pattern used in the encode path.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
server_add_descriptor() allocates the descriptor and its data in a
single calloc (d->ptr = SPA_PTROFF(d, sizeof(struct descriptor))),
so d->ptr points inside the same allocation as d. Calling free(d->ptr)
frees an interior pointer, corrupting the heap. Only free(d) is needed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When we add a Format property after we dereffed all the other params in
the builder, we might relocate the builder memory and invalidate all
previously dereffed params, causing corruption.
Instead, first add all the params to the builder and then deref the
params.
There is a special case when we have both a capture and playback
stream. The capture stream will receive all filter params and the
playback stream will just receive its Format param.
Fixes#5202
