From: George Joseph
Date: Tue, 6 Feb 2018 18:07:18 +0000 (-0700)
Subject: AST-2018-005: res_pjsip_transport_management: Move to core
X-Git-Tag: certified/13.18-cert3~3^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=06acb4405ea083222fe64847451a000269812483;p=thirdparty%2Fasterisk.git
AST-2018-005: res_pjsip_transport_management: Move to core Since res_pjsip_transport_management provides several attack mitigation features, its functionality moved to res_pjsip and this module has been removed. This way the features will always be available if res_pjsip is loaded. ASTERISK-27618 Reported By: Sandro Gauci Change-Id: I21a2d33d9dda001452ea040d350d7a075f9acf0d
---
diff --git a/CHANGES b/CHANGES
index 7df80dab81..eebd750c1f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -23,6 +23,13 @@ app_confbridge
 characters like CR, LF, Tab, and a few others escaped. However, an empty CallerIDName is now output as "" instead of "".
+res_pjsip_transport_management
+------------------
+ * Since res_pjsip_transport_management provides several attack
+ mitigation features, its functionality moved to res_pjsip and
+ this module has been removed. This way the features will always
+ be available if res_pjsip is loaded.
+
 ------------------------------------------------------------------------------
 --- Functionality changes from Asterisk 13.17.0 to Asterisk 13.18.0 ----------
 ------------------------------------------------------------------------------
diff --git a/UPGRADE.txt b/UPGRADE.txt
index d677522e48..b6afbeb8de 100644
--- a/UPGRADE.txt
+++ b/UPGRADE.txt
@@ -31,6 +31,13 @@ app_confbridge
 characters like CR, LF, Tab, and a few others escaped. However, an empty CallerIDName is now output as "" instead of "".
+res_pjsip_transport_management
+------------------
+ * Since res_pjsip_transport_management provides several attack
+ mitigation features, its functionality moved to res_pjsip and
+ this module has been removed. This way the features will always
+ be available if res_pjsip is loaded.
+
 From 13.17.0 to 13.18.0:
 Core:
diff --git a/res/res_pjsip.c b/res/res_pjsip.c
index 70fa497afc..1628749822 100644
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -4655,6 +4655,7 @@ static int unload_pjsip(void *data)
 internal_sip_destroy_outbound_authentication();
 ast_res_pjsip_cleanup_message_filter();
 ast_sip_destroy_distributor();
+ ast_sip_destroy_transport_management();
 ast_res_pjsip_destroy_configuration();
 ast_sip_destroy_system();
 ast_sip_destroy_global_headers();
@@ -4817,6 +4818,11 @@ static int load_module(void)
 goto error;
 }
+ if (ast_sip_initialize_transport_management()) {
+ ast_log(LOG_ERROR, "Failed to initialize SIP transport management. Aborting load\n");
+ goto error;
+ }
+
 if (ast_sip_initialize_distributor()) {
 ast_log(LOG_ERROR, "Failed to register distributor module. Aborting load\n");
 goto error;
diff --git a/res/res_pjsip/include/res_pjsip_private.h b/res/res_pjsip/include/res_pjsip_private.h
index 151f59821a..94e2a373af 100644
--- a/res/res_pjsip/include/res_pjsip_private.h
+++ b/res/res_pjsip/include/res_pjsip_private.h
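Review bot: In res/res_pjsip.c, `ast_sip_destroy_transport_management()` is now called unconditionally from `unload_pjsip`, but nothing visible guarantees that `ast_sip_initialize_transport_management()` ran or succeeded first. If the `error:` path of `load_module` (outside this hunk) tears down through `unload_pjsip`, the destroy routine would run after an earlier step failed or after the initializer bailed out half-way, whereas the old `unload_module` only ran after a successful load. The destroy function should therefore tolerate an uninitialized state, for example by checking `sched` and the monitored-transports container before using them. A comment on the call such as `/* Safe to call even if initialization failed or never ran */` would record that requirement. Both function bodies continue outside the hunks.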
@@ -419,4 +419,32 @@ void internal_res_pjsip_ref(void);
 */
 void internal_res_pjsip_unref(void);
+/*!
+ * \internal
+ * \brief Initialize the transport management module
+ * \since 13.20.0
+ *
+ * The transport management module is responsible for 3 things...
+ * 1. It automatically destroys any reliable transport that does not
+ * receive a valid request within system/timer_b milliseconds of the
+ * connection being opened. (Attack mitigation)
+ * 2. Since it increments the reliable transport's reference count
+ * for that period of time, it also prevents issues if the transport
+ * disconnects while we're still trying to process a response.
+ * (Attack mitigation)
+ * 3. If enabled by global/keep_alive_interval, it sends '\r\n'
+ * keepalives on reliable transports at the interval specified.
+ *
+ * \retval -1 Failure
+ * \retval 0 Success
+ */
+int ast_sip_initialize_transport_management(void);
+
+/*!
+ * \internal
+ * \brief Destruct the transport management module.
+ * \since 13.20.0
+ */
+void ast_sip_destroy_transport_management(void);
+
 #endif /* RES_PJSIP_PRIVATE_H_ */
diff --git a/res/res_pjsip_transport_management.c b/res/res_pjsip/pjsip_transport_management.c
similarity index 94%
rename from res/res_pjsip_transport_management.c
rename to res/res_pjsip/pjsip_transport_management.c
index eb92eb7a51..efda37d7cb 100644
--- a/res/res_pjsip_transport_management.c
+++ b/res/res_pjsip/pjsip_transport_management.c
@@ -16,12 +16,6 @@
 * at the top of the source tree.
 */
-/*** MODULEINFO
- pjproject
- res_pjsip
- core
- ***/
-
 #include "asterisk.h"
 #include
@@ -32,6 +26,7 @@
 #include "asterisk/res_pjsip.h"
 #include "asterisk/module.h"
 #include "asterisk/astobj2.h"
+#include "include/res_pjsip_private.h"
 /*! \brief Number of buckets for monitored transports */
 #define TRANSPORTS_BUCKETS 127
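Review bot: In res_pjsip_private.h, the new doc comment for `ast_sip_initialize_transport_management()` describes what the module does but not when it may be called, and the `CHECK_PJSIP_MODULE_LOADED()` guard that used to express the precondition is removed in pjsip_transport_management.c. The initializer registers an observer through `ast_sip_get_sorcery()` (context lines in that file), so it depends on sorcery being set up first. I would add `\pre The res_pjsip sorcery instance must already be initialized.` to the comment. The `\since 13.20.0` tag is also worth checking against the branch this lands on, since the page tags the commit under `certified/13.18-cert3`.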
@@ -319,12 +314,10 @@ static pjsip_module idle_monitor_module = {
 .on_rx_request = idle_monitor_on_rx_request,
 };
-static int load_module(void)
+int ast_sip_initialize_transport_management(void)
 {
 struct ao2_container *transports;
- CHECK_PJSIP_MODULE_LOADED();
-
 transports = ao2_container_alloc(TRANSPORTS_BUCKETS, monitored_transport_hash_fn, monitored_transport_cmp_fn);
 if (!transports) {
@@ -356,11 +349,10 @@ static int load_module(void)
 ast_sorcery_observer_add(ast_sip_get_sorcery(), "global", &keepalive_global_observer);
 ast_sorcery_reload_object(ast_sip_get_sorcery(), "global");
- ast_module_shutdown_ref(ast_module_info->self);
 return AST_MODULE_LOAD_SUCCESS;
 }
-static int unload_module(void)
+void ast_sip_destroy_transport_management(void)
 {
 if (keepalive_interval) {
 keepalive_interval = 0;
@@ -381,20 +373,4 @@ static int unload_module(void)
 sched = NULL;
 ao2_global_obj_release(monitored_transports);
-
- return 0;
-}
-
-static int reload_module(void)
-{
- ast_sorcery_reload_object(ast_sip_get_sorcery(), "global");
- return 0;
 }
-
-AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP Reliable Transport Management",
- .support_level = AST_MODULE_SUPPORT_CORE,
- .load = load_module,
- .reload = reload_module,
- .unload = unload_module,
- .load_pri = AST_MODPRI_CHANNEL_DEPEND - 4,
-);
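Review bot: In the `@@ -356,11 +349,10 @@` hunk of pjsip_transport_management.c, `ast_sip_initialize_transport_management()` still ends with `return AST_MODULE_LOAD_SUCCESS;`, a module-loader result, although it is no longer a load callback and res_pjsip_private.h documents `0` on success and `-1` on failure. The caller in res_pjsip.c only tests for non-zero, so loading still aborts on failure, but the success line should read `return 0;` to match the documented contract. The failure returns earlier in the function are outside the hunk and should be checked to return `-1` rather than a module-load code, so that a later caller comparing against `-1` does not treat a failed mitigation setup as success.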