Matthew Jordan [Mon, 23 Apr 2012 14:07:29 +0000 (14:07 +0000)]
AST-2012-006: Fix crash in UPDATE handling when no channel owner exists
If Asterisk receives a SIP UPDATE request after a call has been terminated and
the channel has been destroyed but before the SIP dialog has been destroyed, a
condition exists where a connected line update would be attempted on a
non-existing channel. This would cause Asterisk to crash. The patch resolves
this by first ensuring that the SIP dialog has an owning channel before
attempting a connected line update. If an UPDATE request is received and no
channel is associated with the dialog, a 481 response is sent.
(closes issue ASTERISK-19770)
Reported by: Thomas Arimont
Tested by: Matt Jordan
Patches:
ASTERISK-19278-2012-04-16.diff uploaded by Matt Jordan (license 6283)
........
Merged revisions 363106 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Matthew Jordan [Mon, 23 Apr 2012 13:48:48 +0000 (13:48 +0000)]
Reference skinny_subchannel object instead of skinny_device for r363103
The check-in to resolve ASTERISK-19592 (r363103) failed to switch to the
skinny_subchannel object instead of the skinny_device when attempting to
reference the buffer for the keypad digits. This patch fixes that.
(issue ASTERISK-19592)
Reported by: Russell Bryant
Matthew Jordan [Mon, 23 Apr 2012 13:40:23 +0000 (13:40 +0000)]
AST-2012-005: Fix remotely exploitable heap overflow in keypad button handling
When handling a keypad button message event, the received digit is placed into
a fixed length buffer that acts as a queue. When a new message event is
received, the length of that buffer is not checked before placing the new digit
on the end of the queue. The situation exists where sufficient keypad button
message events would occur that would cause the buffer to be overrun. This
patch explicitly checks that there is sufficient room in the buffer before
appending a new digit.
(closes issue ASTERISK-19592)
Reported by: Russell Bryant
........
Merged revisions 363100 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
........
Merged revisions 363102 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Michael L. Young [Fri, 20 Apr 2012 16:47:51 +0000 (16:47 +0000)]
Add missing payload type to events API
The Security Events Framework API was changed while adding the generation of
security events in chan_sip. A payload type and name was missed from being
added to struct ie_maps.
(closes issue ASTERISK-19759)
Reported by: Michael L. Young
Patches:
issue-asterisk-19759.diff uploaded by Michael L. Young (license 5026)
Terry Wilson [Fri, 20 Apr 2012 14:49:42 +0000 (14:49 +0000)]
Document Speech* apps hangup on failure and suggest TryExec
The Speech API apps return -1 on failure, which will hang up the channel. This
may not be desirable behavior for some, but it isn't something that can be
changed without breaking people's dialplans or writing an option to all of the
Speech apps that does what TryExec already does. This patch documents the
hangup behavior of the apps, and suggests TryExec as the solution.
(closes issue AST-813)
........
Merged revisions 362815 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Michael L. Young [Thu, 19 Apr 2012 21:11:35 +0000 (21:11 +0000)]
Add leading and trailing backslashes
A couple of unit tests did not have have leading or trailing backslashes when
setting their test category resulting in a warning message being displayed.
Added the backslash where needed.
........
Merged revisions 362680 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Sean Bright [Thu, 19 Apr 2012 16:04:21 +0000 (16:04 +0000)]
Prevent a crash in ExternalIVR when the 'S' command is sent first.
If the first command sent from an ExternalIVR client is an 'S' command, we were
blindly removing the first element from the play list and deferencing it, even
if it was NULL. This corrects that and also locks appropriately in one place.
(issue ASTERISK-17889)
Reported by: Chris Maciejewski
........
Merged revisions 362586 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Terry Wilson [Thu, 19 Apr 2012 14:31:59 +0000 (14:31 +0000)]
Handle multiple commands per connection via netconsole
Asterisk would accept multiple NULL-delimited CLI commands via the
netconsole socket, but would occasionally miss a command due to the
command not being completely read into the buffer. This patch ensures
that any partial commands get moved to the front of the read buffer,
appended to, and properly sent.
Matthew Jordan [Thu, 19 Apr 2012 02:27:08 +0000 (02:27 +0000)]
Fix a variety of potential buffer overflows
* chan_mobile: Fixed an overrun where the cind_state buffer (an integer array
of size 16) would be overrun due to improper bounds checking. At worst, the
buffer can be overrun by a total of 48 bytes (assuming 4-byte integers),
which would still leave it within the allocated memory of struct hfp. This
would corrupt other elements in that struct but not necessarily cause any
further issues.
* app_sms: The array imsg is of size 250, while the array (ud) that the data
is copied into is of size 160. If the size of the inbound message is
greater then 160, up to 90 bytes could be overrun in ud. This would corrupt
the user data header (array udh) adjacent to ud.
* chan_unistim: A number of invalid memmoves are corrected. These would move
data (which may or may not be valid) into the ends of these buffers.
* asterisk: ast_console_toggle_loglevel does not check that the console log
level being set is less then or equal to the allowed log levels of 32.
* format_pref: In ast_codec_pref_prepend, if any occurrence of the specified
codec is not found, the value used to index into the array pref->order
would be one greater then the maximum size of the array.
* jitterbuf: If the element being placed into the jitter buffer lands in the
last available slot in the jitter history buffer, the insertion sort attempts
to move the last entry in the buffer into one slot past the maximum length
of the buffer. Note that this occurred for both the min and max jitter
history buffers.
* tdd: If a read from fsk_serial returns a character that is greater then 32,
an attempt to read past one of the statically defined arrays containing the
values that character maps to would occur.
* localtime: struct ast_time and tm are not the same size - ast_time is larger,
although it contains the elements of tm within it in the same layout. Hence,
when using memcpy to copy the contents of tm into ast_time, the size of tm
should be used, as opposed to the size of ast_time.
* extconf: this treats ast_timing's minmask array as if it had a length of 48,
when it has defined the size of the array as 24. pbx.h defines minmask as
having a size of 48.
(issue ASTERISK-19668)
Reported by: Matt Jordan
........
Merged revisions 362485 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Richard Mudgett [Wed, 18 Apr 2012 16:27:51 +0000 (16:27 +0000)]
Add ability to ignore layer 1 alarms for BRI PTMP lines.
Several telcos bring the BRI PTMP layer 1 down when the line is idle.
When layer 1 goes down, Asterisk cannot make outgoing calls. Incoming
calls could fail as well because the alarm processing is handled by a
different code path than the Q.931 messages.
* Add the layer1_presence configuration option to ignore layer 1 alarms
when the telco brings layer 1 down. This option can be configured by span
while the similar DAHDI driver teignorered=1 option is system wide. This
option unlike layer2_persistence does not require libpri v1.4.13 or newer.
Related to JIRA AST-598
JIRA ABE-2845
........
Merged revisions 362428 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Matthew Jordan [Tue, 17 Apr 2012 21:22:37 +0000 (21:22 +0000)]
Handle case where an unknown format is used to get the preferred codec size
In ast_codec_pref_getsize, if an unknown format is passed to the method,
no preferred codec will be selected and a negative number will be used to
index into the format list. The method now logs an unknown format as a
warning, and returns an empty format list.
Matthew Jordan [Tue, 17 Apr 2012 21:11:25 +0000 (21:11 +0000)]
Fix places in resources where a negative return value could impact execution
This patch addresses a number of modules in resources that did not handle the
negative return value from function calls adequately. This includes:
* res_agi.c: if the result of the read function is a negative number,
indicating some failure, the result would instead be treated as the number
of bytes read. This patch now treats negative results in the same manner
as an end of file condition, with the exception that it also logs the
error code indicated by the return.
* res_musiconhold.c: if spawn_mp3 fails to assign a file descriptor to srcfd,
and instead assigns a negative value, that file descriptor could later be
passed to functions that require a valid file descriptor. If spawn_mp3 fails,
we now immediately retry instead of continuing in the logic.
* res_rtp_asterisk.c: if no codec can be matched between two RTP instances
in a peer to peer bridge, we immediately return instead of attempting to
use the codec payload type as an index to determine the appropriate negotiated
codec.
Matthew Jordan [Tue, 17 Apr 2012 21:07:29 +0000 (21:07 +0000)]
Fix places in main where a negative return value could impact execution
This patch addresses a number of modules in main that did not handle the
negative return value from function calls adequately, or were not sufficiently
clear that the conditions leading to improper handling of the return values
could not occur. This includes:
* asterisk.c: A negative return value from the read function would be used
directly as an index into a buffer. We now check for success of the read
function prior to using its result as an index.
* manager.c: Check for failures in mkstemp and lseek when handling the
temporary file created for processing data returned from a CLI command in
action_command. Also check that the result of an lseek is sanitized prior
to using it as the size of a memory map to allocate.
Jonathan Rose [Tue, 17 Apr 2012 20:57:36 +0000 (20:57 +0000)]
Make use of va_args more appropriate to form in various res_config modules plus utils.
A number of va_copy operations weren't matched with a corresponding va_end in res_config_odbc. Also, there was a potential for va_end to be invoked twice on the same va_arg in utils, which would mean invoking va_end on an undefined variable... which is bad.
va_end is removed from various functions in config_pgsql and config_curl since they aren't making their own copy. The invokers of those functions are responsible for calling va_end on them.
(issue ASTERISK-19451)
Reported by: Walter Doekes
Review: https://reviewboard.asterisk.org/r/1848/
........
Merged revisions 362354 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Matthew Jordan [Tue, 17 Apr 2012 20:56:05 +0000 (20:56 +0000)]
Fix places where a negative return from ftello could be used as invalid input
In a variety of locations in both reading and writing a file, the result
from the C library function ftello is used as input to other functions. For
the parameters and functions in question, a negative value is invalid input.
This patch checks the return value from the ftello function to determine if
we were able to determine the current position in the file stream and, if not,
fail gracefully.
Matthew Jordan [Tue, 17 Apr 2012 18:27:44 +0000 (18:27 +0000)]
Fix error that caused seek format operations to set max file size to '1' or '0'
A very inappropriate placement of a ')' (introduced in r362151) caused the
maximum size of a file to be set as the result of a comparison operation, as
opposed to the result of the ftello operation. This resulted in seeking being
restricted to the beginning of the file, or 1 byte into the file. Thanks to
the Asterisk Test Suite for properly freaking out about this on at least one
test.
(issue ASTERISK-19655)
Reported by: Matt Jordan
........
Merged revisions 362304 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Michael L. Young [Tue, 17 Apr 2012 14:53:04 +0000 (14:53 +0000)]
Turn off warning message when bind address is set to any.
When a bind address is set to an ANY address (udpbindport=::), a warning message
is displayed stating that "Address remapping activated in sip.conf but we're
using IPv6, which doesn't need it. Please remove 'localnet' and/or 'externaddr'
settings." But if one is running dual stack, we shouldn't be told to turn those
settings off.
This patch checks if the bind address is an ANY address or not. The warning
message will now only be displayed if the bind address is NOT an ANY address and
IPv6 is being used.
Also, updated the copyright year.
(closes issue ASTERISK-19456)
Reported by: Michael L. Young
Tested by: Michael L. Young
Patches:
chan_sip_ipv6_message.diff uploaded by Michael L. Young (license 5026)
........
Merged revisions 362253 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Matthew Jordan [Mon, 16 Apr 2012 21:57:19 +0000 (21:57 +0000)]
Fix negative return handling in channel drivers
In chan_agent, while handling a channel indicate, the agent channel driver
must obtain a lock on both the agent channel, as well as the channel the
agent channel is using. To do so, it attempts to lock the other channel
first, then unlock the agent channel which is locked prior to entry into
the indicate handler. If this unlock fails with a negative return value,
which can occur if the object passed to agent_indicate is an invalid ao2
object or is NULL, the return value is passed directly to strerror, which
can only accept positive integer values.
In chan_dahdi, the return value of dahdi_get_index is used to directly
index into the sub-channel array. If dahd_get_index returns a negative
value, it would use that value to index into the array, which could cause
an invalid memory access. If dahdi_get_index returns a negative number,
we now default to SUB_REAL.
Matthew Jordan [Mon, 16 Apr 2012 21:40:29 +0000 (21:40 +0000)]
Fix handling of negative return code when storing voicemails in ODBC storage
When storing a voicemail message using an ODBC connection to a database, the
voicemail message is first stored on disk. The sound file associated with
the message is read into memory before being transmitted to the database.
When this occurs, a failure in the C library's lseek function would cause a
negative value to be passed to the mmap as the size of the memory map to
create. This would almost certainly cause the creation of the memory map to
fail, resulting in the message being lost.
Matthew Jordan [Mon, 16 Apr 2012 19:39:32 +0000 (19:39 +0000)]
Check for IO stream failures in various format's truncate/seek operations
For the formats that support seek and/or truncate operations, many of
the C library calls used to determine or set the current position indicator
in the file stream were not being checked. In some situations, if an error
occurred, a negative value would be returned from the library call. This
could then be interpreted inappropriately as positional data.
This patch checks the return values from these library calls before
using them in subsequent operations.
Jonathan Rose [Fri, 13 Apr 2012 16:04:22 +0000 (16:04 +0000)]
Make ForkCDR e option not set end time of the newly forked CDR log
Prior to this patch, ForkCDR's e option would immediately set the end time of the forked
CDR to that of the CDR that is being terminated. This resulted in the new CDR's end time
being roughly the same as it's beginning time (which is in turn roughly the same as the
original's end time).
(closes issue ASTERISK-19164)
Reported by: Steve Davies
Patches:
cdr_fork_end.v10.patch uploaded by Steve Davies (license 5012)
........
Merged revisions 362082 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Kinsey Moore [Thu, 12 Apr 2012 16:22:28 +0000 (16:22 +0000)]
Make trunkfreq take effect when set
Previously, setting trunkfreq had no effect on initial load or on reload and
only ever used the default value. This causes trunkfreq to be used
appropriately on initial load and reload.
Kinsey Moore [Thu, 12 Apr 2012 15:01:13 +0000 (15:01 +0000)]
Simplify build system architecture optimization
This change to the build system rips out any usage of PROC along with
architecture-specific optimizations in favor of using -march=native where it is
supported. This fixes broken builds on 64bit Intel systems and results in
better optimized code on systems running GCC 4.2+.
Jonathan Rose [Wed, 11 Apr 2012 16:07:50 +0000 (16:07 +0000)]
Change default value of 'ignorebusy' on Queue members so that behavior is more like 1.8
Prior to this patch, in order to restore that behavior, a function would have
to be used on the QueueMember to make the ringinuse option do anything, which
is pretty unreasonable.
(closes issue ASTERISK-19536)
reported by: Philippe Lindheimer
Review: https://reviewboard.asterisk.org/r/1860/
Richard Mudgett [Tue, 10 Apr 2012 21:47:42 +0000 (21:47 +0000)]
Prevent invalid access of free'd memory if DAHDI channel during an MWI event
In the MWI processing loop, when a valid event occurs the temporary caller ID
information is deallocated. If a new DAHDI channel is successfully created,
the event is passed up to the analog_ss_thread without error and the loop
exits. If, however, the DAHDI channel is not created, then the caller ID
struct has been free'd, and the gains reset to their previous level. This
will almost certainly cause an invalid access to the free'd memory, either
in subsequent calls to callerid_free or calls to callerid_feed.
* Rework the -r361705 patch to better manage the cs and mtd allocated
resources.
* Fixed use of mwimonitoractive flag to be correct if the mwi_thread()
fails to start.
........
Merged revisions 361854 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Matthew Jordan [Tue, 10 Apr 2012 19:57:30 +0000 (19:57 +0000)]
Fix crash caused by unloading or reloading of res_http_post
When unlinking itself from the registered HTTP URIs, res_http_post could
inadvertently free all URIs registered with the HTTP server. This patch
modifies the unregister method to only free the URI that is actually
being unregistered, as opposed to all of them.
........
Merged revisions 361803 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Matthew Jordan [Mon, 9 Apr 2012 21:44:30 +0000 (21:44 +0000)]
Allow func_curl to exit gracefully if list allocation fails during write
If the global_curl_info data structure could not be allocated, the
datastore associated with the operation would be free'd, but the function
would not return. This would later dereference the datastore, almost
certainly causing Asterisk to crash. With this patch, if the data
structure is not allocated the method will return an error code, and
not attempt any further operation.
........
Merged revisions 361753 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Matthew Jordan [Mon, 9 Apr 2012 20:54:55 +0000 (20:54 +0000)]
Prevent invalid access of free'd memory if DAHDI channel during an MWI event
In the MWI processing loop, when a valid event occurs the temporary caller ID
information is deallocated. If a new DAHDI channel is successfully created,
the event is passed up to the analog_ss_thread without error and the loop
exits. If, however, the DAHDI channel is not created, then the caller ID
struct has been free'd, and the gains reset to their previous level. This
will almost certainly cause an invalid access to the free'd memory, either
in subsequent calls to callerid_free or calls to callerid_feed.
This patch makes it so that we only free the caller ID structure if a
DAHDI channel is successfully created, and we bump the gains back up
if we fail to make a DAHDI channel.
........
Merged revisions 361705 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Matthew Jordan [Mon, 9 Apr 2012 19:42:53 +0000 (19:42 +0000)]
Change SHARED function to use a safe traversal when modifying a variable
When the SHARED function modifies a variable, it removes it from its list of
variables and reinserts the new value at the head of the list of variables.
Doing this inside a standard list traversal can be dangerous, as the
standard list traversal does not account for the list being changed. While
the code in question should not cause a use after free violation due to its
breaking out of the loop after freeing the variable, it could lead to a
maintenance issue if the loop was modified. This also fixes a violation
reported by a static analysis tool, which also makes this code easier to
maintain in the future.
........
Merged revisions 361657 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Matthew Jordan [Fri, 6 Apr 2012 22:00:11 +0000 (22:00 +0000)]
Fix memory leak in res_calendar_ews when event email address node is empty
If the XML calendar data returned by a Microsoft Exchange Web Service
specifies an XML Event E-Mail Address ("EmailAddress"), and no e-mail address
is provided, a condition existed where an ast_calendar_attendee struct would
be allocated but not appended to the list of attendees. Because of that,
the memory associated with the attendee would never be freed. This patch
frees the memory if no e-mail address is provided.
........
Merged revisions 361606 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Matthew Jordan [Fri, 6 Apr 2012 20:32:13 +0000 (20:32 +0000)]
Fix memory leak when using MeetMeAdmin 'e' option with user specified
A memory leak/reference counting leak occurs if the MeetMeAdmin 'e' command
(eject last user that joined) is used in conjunction with a specified user.
Regardless of the command being executed, if a user is specified for the
command, MeetMeAdmin will look up that user. Because the 'e' option kicks
the last user that joined, as opposed to the one specified, the reference to
the user specified by the command would be leaked when the user variable
was assigned to the last user that joined.
........
Merged revisions 361558 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Kinsey Moore [Fri, 6 Apr 2012 13:31:51 +0000 (13:31 +0000)]
Remove unnecessary error message in app_dial.c
The error message for failure to stop autoservice after a gosub or macro call
during a dial was removed for macro while Asterisk 1.4 was still being actively
developed. The corresponding gosub error message was never removed.
(closes issue ASTERISK-19551)
........
Merged revisions 361329 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Jonathan Rose [Thu, 5 Apr 2012 16:53:35 +0000 (16:53 +0000)]
Fix MusicOnHold in MeetMe so that it always uses the class if it's been defined
There were a few instances of restarting music on hold in meetme that would cause
Asterisk to revert to the default class of music on hold for no adequate reason.
Jonathan Rose [Wed, 4 Apr 2012 16:38:12 +0000 (16:38 +0000)]
Replace GNU old-style field designator extensions to fix clang warnings
(issue ASTERISK-19540)
Reported by: Makoto Dei
Patches:
clang-gnu-designator.patch uploaded by Makoto Dei (license 5027)
........
Also add from the patch the portion in res_fax_spandsp that didn't apply to 1.8
Merged revisions 361142 from http://svn.asterisk.org/svn/asterisk/branches/1.8
(closes issue ASTERISK-19540)
Kinsey Moore [Tue, 3 Apr 2012 20:08:47 +0000 (20:08 +0000)]
Fix the display of documentation for Transfer
This came up while fixing documentation generation for many other cases where
the argument separator was not being displayed properly. Now that it is
displayed properly, it shows up in the wrong place for Transfer since the '/'
is only required if Tech is present.
(related to issue ASTERISK-18168)
........
Merged revisions 361040 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Kinsey Moore [Mon, 2 Apr 2012 22:22:07 +0000 (22:22 +0000)]
Stop sending out RTCP if RTP is inactive
This change prevents Asterisk from sending RTCP receiver reports during a
remote bridge since it is no longer receiving media and should not be
reporting anything.
(related to ASTERISK-19366)
........
Merged revisions 360987 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Mark Michelson [Thu, 29 Mar 2012 23:33:59 +0000 (23:33 +0000)]
Fix potential race condition during call pickup.
Prior to this patch, a connected line update was queued during
call pickup and then an answer frame was queued. The original
caller would presumably then have his connected line updated
and then the call would be answered.
In actuality, the answer frame was not how the call ended up
being answered. Rather, an odd section in app_dial that checks
if the called channel's state is up.
The result is that the order of the connected line update and
the answer were variable. In most cases, this wasn't actually
a bad thing. However, if the 'I' option was passed to dial, the
connected line update would be inhibited.
The fix is to queued the connected line after the answer frame is
queued. This way the race in app_dial is between two
conditions resulting in an answer. This way the connected line
update occurs after the answer every time.
(closes issue ASTERISK-19183)
Reported by: Thomas Arimont
Tested by: Thomas Arimont
Mark Michelson
Patches:
ASTERISK-19183.patch uploaded by Mark Michelson (license 5049)
........
Merged revisions 360884 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Mark Michelson [Thu, 29 Mar 2012 23:05:42 +0000 (23:05 +0000)]
Improve accuracy of identifying information sent in dialog-info SIP NOTIFY requests.
This change makes use of connected party information in addition to caller ID in order
to populate local and remote XML elements in the dialog-info NOTIFYs.
(closes issue ASTERISK-16735)
Reported by: Maciej Krajewski
Tested by: Maciej Krajewski
Patches:
local_remote_hint2.diff uploaded by Mark Michelson (license 5049)
........
Merged revisions 360862 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Mark Michelson [Tue, 27 Mar 2012 18:23:11 +0000 (18:23 +0000)]
Make a debug message regarding subscription changes more accurate.
I was getting confused during some testing why Asterisk was saying that
a subscription was being added when it was clearly being removed. This
fixes that confusion.
........
Merged revisions 360625 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Paul Belanger [Mon, 26 Mar 2012 18:26:51 +0000 (18:26 +0000)]
Increase verbosity level for ast_verb messages
While this does not fix the issue of the CLI being flooded by 'doing
dnsmgr_lookup' messages, increasing the verbosity level above 5 should help
minimize it.
........
Merged revisions 360471 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Russell Bryant [Sat, 24 Mar 2012 03:10:22 +0000 (03:10 +0000)]
app_page: Fix a memory leak on every Page().
dial_list is a dynamically allocated array that is allocated at the beginning
of Page() based on how many devices will be dialed. This was never being freed.
........
Merged revisions 360363 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Russell Bryant [Sat, 24 Mar 2012 02:38:59 +0000 (02:38 +0000)]
Multiple revisions 360356-360357
........
r360356 | russell | 2012-03-23 22:33:36 -0400 (Fri, 23 Mar 2012) | 6 lines
expression parser: Fix (theoretical) memory leak.
Fix a memory leak that is very unlikely to actually happen. If a malloc()
succeeded, but the following strdup() failed, the memory from the original
malloc() would be leaked.
........
r360357 | russell | 2012-03-23 22:34:39 -0400 (Fri, 23 Mar 2012) | 6 lines
Rebuild parsers.
This is needed to include the last fix to main/ast_expr2.y. The changes look
much bigger as this regeneration of the code was done with newer versions of
flex and bison.
........
Merged revisions 360356-360357 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Richard Mudgett [Sat, 24 Mar 2012 00:37:13 +0000 (00:37 +0000)]
Make number not available presentation also set screening to network provided.
Q.951 indicates that when the presentation indicator is "Number not
available due to interworking" for a number then the screening indicator
field should be "Network provided".
* Made ast_party_id_presentation() return AST_PRES_NUMBER_NOT_AVAILABLE
when the presentation is "Number not available due to interworking". This
fix makes Asterisk consistent and it also makes it consistent with earlier
branches as far as this presentation value is concerned.
* Made pri_to_ast_presentation() and ast_to_pri_presentation() conversions
handle the "Number not available due to interworking" case better in
sig_pri.c. This change is possible because the minimum required libpri
version (v1.4.11) has the necessary defines in libpri.h.
........
Merged revisions 360309 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Matthew Jordan [Wed, 21 Mar 2012 13:28:17 +0000 (13:28 +0000)]
Ensure Asterisk sends a BYE when pending on the final response to a re-INVITE
When Asterisk detects a hangup and cannot send a BYE due to a pending
INVITE, it sets the pendingbye flag and waits for the final response to that
INVITE. When the response is received, it transmits the BYE. If, however,
that INVITE request is a pending re-INVITE, it needs to first send a CANCEL
request to terminate the pending re-INVITE. In that circumstance, Asterisk
was, in some scenarios, clearing the pendingbye flag after processing the
CANCEL request and not checking for a pending BYE when receiving the final
487 response to the INVITE.
This patch ensures that if the pendingbye flag is set, it is honored
regardless of the nature of the INVITE request currently in flight.
(closes issue ASTERISK-19365)
Reported by: Thomas Arimont
Tested by: Thomas Arimont
Patches:
bugASTERISK-19365_2012_03_08.patch uploaded by mjordan (license 6283)
Kinsey Moore [Tue, 20 Mar 2012 20:37:46 +0000 (20:37 +0000)]
Prevent Echo() from relaying control, null, and modem frames
Echo()'s description states that it echoes audio, video, and DTMF except for #
while it actually echoes any frame that it receives other than DTMF #. This
was causing frame storms in the test suite in some circumstances where Echo()
was attached to both ends of a pair of local channels and control frames
were being periodically generated. Echo()'s behavior and description have
been modifed so that it only echoes media and non-# DTMF frames.
........
Merged revisions 360033 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Sean Bright [Tue, 20 Mar 2012 18:11:41 +0000 (18:11 +0000)]
chan_iax2: Emit Port alongside Post in PeerStatus AMI Event.
The PeerStatus event for IAX2 channels currently includes a header named Post
which should have been Port. So include Port along with Post when emitting the
event. We'll remove Post in trunk.
Richard Mudgett [Tue, 20 Mar 2012 17:25:44 +0000 (17:25 +0000)]
Allow AMI action callback to be reentrant.
Fix AMI module reload deadlock regression from ASTERISK-18479 when it
tried to fix the race between calling an AMI action callback and
unregistering that action. Refixes ASTERISK-13784 broken by
ASTERISK-17785 change.
Locking the ao2 object guaranteed that there were no active callbacks that
mattered when ast_manager_unregister() was called. Unfortunately, this
causes the deadlock situation. The patch stops locking the ao2 object to
allow multiple threads to invoke the callback re-entrantly. There is no
way to guarantee a module unload will not crash because of an active
callback. The code attempts to minimize the chance with the registered
flag and the maximum 5 second delay before ast_manager_unregister()
returns.
The trunk version of the patch changes the API to fix the race condition
correctly to prevent the module code from unloading from memory while an
action callback is active.
* Don't hold the lock while calling the AMI action callback.
(closes issue ASTERISK-19487)
Reported by: Philippe Lindheimer
Jonathan Rose [Fri, 16 Mar 2012 20:20:25 +0000 (20:20 +0000)]
Prevent chanspy from binding to zombie channels
This patch addresses a bug with chanspy on local channels which roughly 50% of the time
would create a situation where chanspy can latch onto a zombie channel, keeping the zombie
alive forever and causing the channel doing the spying to never be able to hang up.
Matthew Jordan [Thu, 15 Mar 2012 19:06:09 +0000 (19:06 +0000)]
Fix remotely exploitable stack overflow in HTTP manager
There exists a remotely exploitable stack buffer overflow in HTTP digest
authentication handling in Asterisk. The particular method in question
is only utilized by HTTP AMI. When parsing the digest information, the
length of the string is not checked when it is copied into temporary buffers
allocated on the stack.
This patch fixes this behavior by parsing out pre-defined key/value pairs
and avoiding unnecessary copies to the stack.
(closes issue ASTERISK-19542)
Reported by: Russell Bryant
Tested by: Matt Jordan
........
Merged revisions 359706 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Matthew Jordan [Thu, 15 Mar 2012 18:50:17 +0000 (18:50 +0000)]
Fix remotely exploitable stack overrun in Milliwatt
Milliwatt is vulnerable to a remotely exploitable stack overrun when using
the 'o' option. This occurs due to the milliwatt_generate function not
accounting for AST_FRIENDLY_OFFSET when calculating the maximum number of
samples it can put in the output buffer.
This patch resolves this issue by taking into account AST_FRIENDLY_OFFSET
when determining the maximum number of samples allowed. Note that at no
point is remote code execution possible. The data that is written into the
buffer is the pre-defined Milliwatt data, and not custom data.
(closes issue ASTERISK-19541)
Reported by: Russell Bryant
Tested by: Matt Jordan
Patches:
milliwatt_stack_overrun.rev1.txt by Russell Bryant (license 6283)
Note that this patch was written by Russell, even though Matt uploaded it
........
Merged revisions 359645 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
........
Merged revisions 359656 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Richard Mudgett [Thu, 15 Mar 2012 18:22:01 +0000 (18:22 +0000)]
Add missing connected line macro calls to initial dial for Dial and Queue apps.
The connected line interception macros do not get executed when the
outgoing channel is initially created and that channel's caller-id is
implicitly imported into the incoming channel's connected line data. If
you are using the interception macros, you would expect that they get run
for every change to a channel's connected line information outside of
normal dialplan execution.
Russell Bryant [Wed, 14 Mar 2012 23:28:32 +0000 (23:28 +0000)]
app_chanisavail: Fix use of uninitialized variable.
Ensure that status is set before it is used by resetting it during each loop
iteration. This could have resulted in incorrect results from this app.
........
Merged revisions 359486 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Russell Bryant [Wed, 14 Mar 2012 23:02:43 +0000 (23:02 +0000)]
udptl: Ensure fec[] in udptl_build_packet() is initialized.
Scan results indicated that this array could be used uninitialized. At a quick
look, it looks correct. In any case, initializing it is a Good Thing (tm).
........
Merged revisions 359457 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Russell Bryant [Wed, 14 Mar 2012 22:37:01 +0000 (22:37 +0000)]
app.h: Always initialize AST_DECLARE_APP_ARGS().
This patch ensures that the struct defined by AST_DECLARE_APP_ARGS() is always
fully initialized. I'm not sure if this fixes any real bugs, but it silences
a bunch of warnings from coverity, and is generally a good thing to do anyway.
........
Merged revisions 359452 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Richard Mudgett [Wed, 14 Mar 2012 22:28:35 +0000 (22:28 +0000)]
Fix deadlock potential with some ast_indicate/ast_indicate_data calls.
Calling ast_indicate()/ast_indicate_data() with the channel lock held can
result in a deadlock with a local channel because of how local channels
need to avoid deadlock.
........
Merged revisions 359451 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Matthew Jordan [Wed, 14 Mar 2012 17:42:16 +0000 (17:42 +0000)]
Fix incorrect jitter buffer overflow due to missed resynchronizations
When a change in time occurs, such that the timestamps associated with frames
being placed into an adaptive jitter buffer (implemented in jitterbuf.c)
are significantly different then the previously inserted frames, the jitter
buffer checks to see if it needs to be resynched to the new time frame. If
three consecutive packets break the threshold, the jitter buffer resynchs
itself to the new timestamps. This currently only occurs when history is
calculated, and hence only on JB_TYPE_VOICE frames.
JB_TYPE_CONTROL frames, on the other hand, are never passed to the history
calculations. Because of this, if the jump in time is greater then the
maximum allowed length of the jitter buffer, the JB_TYPE_CONTROL frames are
dropped and no resynchronization occurs. Alterntively, if the overfill
logic is not triggered, the JB_TYPE_CONTROL frame will be placed into the
buffer, but with a time reference that is not applicable. Subsequent
JB_TYPE_VOICE frames will quickly trigger the overflow logic until reads
from the jitter buffer reach the errant JB_TYPE_CONTROL frame.
This patch allows JB_TYPE_CONTROL frames to resynch the jitter buffer. As
JB_TYPE_CONTROL frames are unlikely to occur in multiples, it perform the
resynchronization on any JB_TYPE_CONTROL frame that breaks the resynch
threshold.
Note that this only impacts chan_iax2, as other consumers of the adaptive
jitter buffer use the abstract jitter buffer API, which does not use
JB_TYPE_CONTROL frames.
Review: https://reviewboard.asterisk.org/r/1814/
(closes issue ASTERISK-18964)
Reported by: Kris Shaw
Tested by: Kris Shaw, Matt Jordan
Patches:
jitterbuffer-2012-2-26.diff uploaded by Kris Shaw (license 5722)
........
Merged revisions 359356 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Richard Mudgett [Wed, 14 Mar 2012 17:24:00 +0000 (17:24 +0000)]
Fix Dial m and r options and forked calls generating warnings for voice frames.
When connected line support was added, the wait_for_answer() variable
single changed its meaning slightly. Unfortunately, the places where
single was used did not necessarily get updated to reflect that change.
Also audio/video frames were sent to all forked calls when the endpoints
were never made compatible.
* Don't pass audio/video media frames when the channels have not been made
compatible.
* Added handling of AST_CONTROL_SRCCHANGE to app_dial.c.
* Fixed app_dial.c passing on AST_CONTROL_HOLD because that frame can also
pass a requested MOH class.
(closes issue ASTERISK-16901)
Reported by: Chris Gentle
Russell Bryant [Wed, 14 Mar 2012 10:54:50 +0000 (10:54 +0000)]
Fix bogus reads/writes of console log levels in asterisk.c
This patch updates the NUMLOGLEVELS define in logger.h to 32, to match the fact
that logger.c implements 32 log levels (because of the custom log level stuff).
asterisk.c uses this define to size an array of levels per remote console.
This array is modified in ast_console_toggle_loglevel(), which is called by the
"logger set level" CLI command. While the documentation for the CLI command
doesn't make it terribly obvious, you can use this CLI command to toggle a
custom log level on a remote console, as well. However, doing so led to an
invalid array index in asterisk.c.
This array is read from any time a log message is written to a console. So,
all custom log level messages resulted in a bogus read if a remote console
was connected.
........
Merged revisions 359259 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Russell Bryant [Wed, 14 Mar 2012 10:04:03 +0000 (10:04 +0000)]
Fix invalid reads/writes due to incorrect sizeof().
These few places in the code used sizeof() on h_addr in struct hostent.
This is sizeof(char *). The correct way to get the size of this address is to
use h_length. This error would result in reads/writes of 8 bytes instead of 4
on 64-bit machines.
........
Merged revisions 359211 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Russell Bryant [Wed, 14 Mar 2012 00:21:18 +0000 (00:21 +0000)]
Fix incorrect sizeof() usage in features.c.
This didn't actually result in a bug anywhere, luckily. The only place
where the result of these memcpys was used is in app_dial, and the only
field that it read out of ast_call_feature was the first one, which is an
int, so these memcpys always copied just enough to avoid a problem.
........
Merged revisions 359069 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Terry Wilson [Tue, 13 Mar 2012 20:36:06 +0000 (20:36 +0000)]
Fix setting CDR variables in the hangup extension
A previous CDR fix for setting CDR variables during a bridge via
custom dialplan features broke setting CDR variables in the
hangup extension. This patch fixes the issue.
Terry Wilson [Tue, 13 Mar 2012 20:00:03 +0000 (20:00 +0000)]
Make hints for invalid SIP devices return Unavail, not idle
This patch drastically simplifies the device state aggegation code.
The old method was not only overly complex, but also made it impossible
to return AST_DEVICE_INVALID from the aggregation code. The unit test
update is as a result of fixing that bug.
The SIP change stems from a bug introduced by removing a DNS lookup
for hostname-based SIP channels.
Tilghman Lesher [Tue, 13 Mar 2012 07:48:01 +0000 (07:48 +0000)]
Enable macros in 1.8 to find the next highest "h" extension in a context, like in 1.4.
This change restores functionality that was present in 1.4, when AEL macros
were implemented with the Macro dialplan application. Macros are fraught with
functionality issues, because they consume a large portion of the underlying
application stack. This limits the ability of AEL users to call many layers
of subroutines, an issue which Gosub does not have (originally tested to
100,000 levels deep). Therefore, starting in 1.6.0, AEL macros were
implemented with Gosub.
However, there were some implicit behaviors of Macro, which were not replicated
at the same time as with the transition to Gosub, one of which is documented in
the related issue. In particular, the "h" extension is designed to execute not
in the Macro context, but in the topmost calling context. Due to legacy issues
with a misapplied bugfix many years ago, when a macro exited in 1.4, it looks
in all calling contexts, bubbling up from the deepest level until it finds an
"h" extension.
Since AEL hides the complexity of the underlying dialplan logic from the AEL
programmer, it's reasonable to assume that this behavior should not change in
the transition from Asterisk 1.4 LTS to Asterisk 1.8 LTS, lest we break
working AEL configurations in the transition to Asterisk 1.8 LTS. This fix
is the result, which implements a search for the "h" extension in all calling
Gosub contexts.
Fixes ASTERISK-19336
Patch: 20120308__ael_bugfix_for_trunk__2.diff (License #5003) by Tilghman Lesher
(with slight modifications for 1.8)
projects / thirdparty / asterisk.git / log
