AST-2018-005: res_pjsip_transport_management: Move to core
authorGeorge Joseph <gjoseph@digium.com>
Tue, 6 Feb 2018 18:07:18 +0000 (11:07 -0700)
committerGeorge Joseph <gjoseph@digium.com>
Wed, 21 Feb 2018 14:40:10 +0000 (07:40 -0700)
Since res_pjsip_transport_management provides several attack
mitigation features, its functionality has been moved into res_pjsip
and this module has been removed.  This way the features will always
be available if res_pjsip is loaded.

ASTERISK-27618
Reported By: Sandro Gauci

Change-Id: I21a2d33d9dda001452ea040d350d7a075f9acf0d

CHANGES
UPGRADE.txt
res/res_pjsip.c
res/res_pjsip/include/res_pjsip_private.h
res/res_pjsip/pjsip_transport_management.c [moved from res/res_pjsip_transport_management.c with 94% similarity]

diff --git a/CHANGES b/CHANGES
index 27cc326046e017fbec6ad1be06646575a8c77d6a..b03398e0334cddcb8fffae7d0d56f61067a48479 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -76,6 +76,13 @@ res_pjsip_pubsub
    need to run the "alembic upgrade head" process to add the column to
    the schema.
 
+res_pjsip_transport_management
+------------------
+ * Since res_pjsip_transport_management provides several attack
+   mitigation features, its functionality moved to res_pjsip and
+   this module has been removed.  This way the features will always
+   be available if res_pjsip is loaded.
+
 ------------------------------------------------------------------------------
 --- Functionality changes from Asterisk 13.18.0 to Asterisk 13.19.0 ----------
 ------------------------------------------------------------------------------
index 630c69690f72dbecd7930228ad9caa9c8f718df2..bbb083e962231822028a1dc8b73c9171008e051d 100644 (file)
@@ -56,6 +56,13 @@ res_pjsip_endpoint_identifier_ip
    you can now predict which endpoint is matched when a request comes in that
    matches both.
 
+res_pjsip_transport_management
+------------------
+ * Since res_pjsip_transport_management provides several attack
+   mitigation features, its functionality moved to res_pjsip and
+   this module has been removed.  This way the features will always
+   be available if res_pjsip is loaded.
+
 From 13.17.0 to 13.18.0:
 
 Core:
index 47221f8097fb48ba6be0c796a3793fa496d80955..414e16e3b8e5b91538392d0aaf3fc5716474ab3a 100644 (file)
@@ -4727,6 +4727,7 @@ static int unload_pjsip(void *data)
                internal_sip_destroy_outbound_authentication();
                ast_res_pjsip_cleanup_message_filter();
                ast_sip_destroy_distributor();
+               ast_sip_destroy_transport_management();
                ast_res_pjsip_destroy_configuration();
                ast_sip_destroy_system();
                ast_sip_destroy_global_headers();
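Review bot: The new `ast_sip_destroy_transport_management();` call in unload_pjsip() appears to run whether or not the matching initializer ever ran or succeeded, and nothing visible makes the destructor safe in that case. If load_module()'s `error` label reaches unload_pjsip() (not shown in these hunks), any earlier `goto error` would trigger teardown against state that was never set up. The visible parts of the destructor (`sched = NULL;`, `ao2_global_obj_release(monitored_transports);`) are harmless on their own, but the steps between them are outside the hunks and should be confirmed to tolerate a NULL scheduler and an unregistered pjsip module. I would either guard the teardown on an "initialized" flag set at the end of the initializer, or state the precondition in the header comment, e.g. `\note Safe to call when ast_sip_initialize_transport_management() failed or was never called.` Both unload_pjsip() and the destructor body continue outside the hunks.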
@@ -4889,6 +4890,11 @@ static int load_module(void)
                goto error;
        }
 
+       if (ast_sip_initialize_transport_management()) {
+               ast_log(LOG_ERROR, "Failed to initialize SIP transport management. Aborting load\n");
+               goto error;
+       }
+
        if (ast_sip_initialize_distributor()) {
                ast_log(LOG_ERROR, "Failed to register distributor module. Aborting load\n");
                goto error;
index 7bffd2b6f58a1bf06ff0acc02d7f2973f6432b6d..8c271eb695b0e8e9e0641fdb4a807413ac90a066 100644 (file)
@@ -433,4 +433,32 @@ void internal_res_pjsip_unref(void);
 int ast_sip_will_uri_survive_restart(pjsip_sip_uri *uri, struct ast_sip_endpoint *endpoint,
        pjsip_rx_data *rdata);
 
+/*!
+ * \internal
+ * \brief Initialize the transport management module
+ * \since 13.20.0
+ *
+ * The transport management module is responsible for 3 things...
+ * 1.  It automatically destroys any reliable transport that does not
+ * receive a valid request within system/timer_b milliseconds of the
+ * connection being opened. (Attack mitigation)
+ * 2.  Since it increments the reliable transport's reference count
+ * for that period of time, it also prevents issues if the transport
+ * disconnects while we're still trying to process a response.
+ *  (Attack mitigation)
+ * 3.  If enabled by global/keep_alive_interval, it sends '\r\n'
+ * keepalives on reliable transports at the interval specified.
+ *
+ * \retval -1 Failure
+ * \retval 0 Success
+ */
+int ast_sip_initialize_transport_management(void);
+
+/*!
+ * \internal
+ * \brief Destruct the transport management module.
+ * \since 13.20.0
+ */
+void ast_sip_destroy_transport_management(void);
+
 #endif /* RES_PJSIP_PRIVATE_H_ */
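Review bot: The `\retval -1 Failure` / `\retval 0 Success` contract documented here does not match what the moved implementation visibly returns. In res/res_pjsip/pjsip_transport_management.c the success path of ast_sip_initialize_transport_management() still ends in `return AST_MODULE_LOAD_SUCCESS;`, a module-loader result code left over from when the function was load_module(). The caller in res_pjsip.c only tests `if (ast_sip_initialize_transport_management())`, so it behaves correctly only if every failure return is non-zero; those returns are outside the hunks and are presumably still module-loader codes rather than -1. Since a failure here is meant to abort loading so the attack-mitigation features are never silently absent, I would make the contract explicit by changing the returns to `return 0;` and `return -1;` to match the header.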
similarity index 94%
rename from res/res_pjsip_transport_management.c
rename to res/res_pjsip/pjsip_transport_management.c
index eb92eb7a519ca8dd233cd41f7b3e30157c7e401f..efda37d7cbd30141e48f89b7be3562dbc69822c3 100644 (file)
  * at the top of the source tree.
  */
 
-/*** MODULEINFO
-       <depend>pjproject</depend>
-       <depend>res_pjsip</depend>
-       <support_level>core</support_level>
- ***/
-
 #include "asterisk.h"
 
 #include <signal.h>
@@ -32,6 +26,7 @@
 #include "asterisk/res_pjsip.h"
 #include "asterisk/module.h"
 #include "asterisk/astobj2.h"
+#include "include/res_pjsip_private.h"
 
 /*! \brief Number of buckets for monitored transports */
 #define TRANSPORTS_BUCKETS 127
@@ -319,12 +314,10 @@ static pjsip_module idle_monitor_module = {
        .on_rx_request = idle_monitor_on_rx_request,
 };
 
-static int load_module(void)
+int ast_sip_initialize_transport_management(void)
 {
        struct ao2_container *transports;
 
-       CHECK_PJSIP_MODULE_LOADED();
-
        transports = ao2_container_alloc(TRANSPORTS_BUCKETS, monitored_transport_hash_fn,
                monitored_transport_cmp_fn);
        if (!transports) {
@@ -356,11 +349,10 @@ static int load_module(void)
        ast_sorcery_observer_add(ast_sip_get_sorcery(), "global", &keepalive_global_observer);
        ast_sorcery_reload_object(ast_sip_get_sorcery(), "global");
 
-       ast_module_shutdown_ref(ast_module_info->self);
        return AST_MODULE_LOAD_SUCCESS;
 }
 
-static int unload_module(void)
+void ast_sip_destroy_transport_management(void)
 {
        if (keepalive_interval) {
                keepalive_interval = 0;
@@ -381,20 +373,4 @@ static int unload_module(void)
        sched = NULL;
 
        ao2_global_obj_release(monitored_transports);
-
-       return 0;
-}
-
-static int reload_module(void)
-{
-       ast_sorcery_reload_object(ast_sip_get_sorcery(), "global");
-       return 0;
 }
-
-AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP Reliable Transport Management",
-       .support_level = AST_MODULE_SUPPORT_CORE,
-       .load = load_module,
-       .reload = reload_module,
-       .unload = unload_module,
-       .load_pri = AST_MODPRI_CHANNEL_DEPEND - 4,
-);