Matthew Jordan [Wed, 2 Jan 2013 18:17:26 +0000 (18:17 +0000)]
Prevent exhaustion of system resources through exploitation of event cache
Asterisk maintains an internal cache for devices in the event subsystem. The
device state cache holds the state of each device known to Asterisk, such that
consumers of device state information can query for the last known state for
a particular device, even if it is not part of an active call. The concept of
a device in Asterisk can include entities that do not have a physical
representation. One way that this occurred was when anonymous calls are allowed
in Asterisk. A device was automatically created and stored in the cache for
each anonymous call that occurred; this was possible in the SIP and IAX2
channel drivers and through channel drivers that utilized the
res_jabber/res_xmpp resource modules (Gtalk, Jingle, and Motif). These devices
are never removed from the system, allowing anonymous calls to potentially
exhaust a system's resources.
This patch changes the event cache subsystem and device state management to
no longer cache devices that are not associated with a physical entity.
Matthew Jordan [Wed, 2 Jan 2013 15:47:10 +0000 (15:47 +0000)]
Resolve crashes due to large stack allocations when using TCP
Asterisk had several places where messages received over various network
transports may be copied in a single stack allocation. In the case of TCP,
since multiple packets in a stream may be concatenated together, this can
lead to large allocations that overflow the stack.
This patch modifies those portions of Asterisk using TCP to either
favor heap allocations or use an upper bound to ensure that the stack will not
overflow:
* For HTTP, the allocation is now a heap allocation instead of a stack
allocation
* For XMPP (in res_jabber), the allocation has been eliminated since it was
unnecesary.
Note that the HTTP portion of this issue was independently found by Brandon
Edwards of Exodus Intelligence.
Jonathan Rose [Thu, 15 Nov 2012 21:48:33 +0000 (21:48 +0000)]
app_queue: Fix a lock that was being held forever caused by a merging mistake
r375591 merged with conflicts and an oversight resulted in an unlock being
missed which resulted in a deadlock when updating realtime members in queues.
This patch adds that unlock back in.
(closes issue AST-1035)
Reported by: Steve Pitts
Patches:
certified_1.8.11_oops_missed_an_unlock.diff uploaded by Jonathan Rose (license 6182)
chan_misdn: Timer primitives must be handled first.
The frm->addr is a different "address space" than the stack/instance
address of other Lx primitives. The test for B channel instance address
could fail.
Patches:
patch01_timers.diff (license #6372) patch uploaded by Guenther Kelleter
* An NT-PTMP cannot de/establish L2 since it doesn't know the TEIs.
* On NT-PTP L2 is started when L1 is finally active in handle_l1.
* L2 deactivation logging cleanup.
* L2 aggregate link status is unknown for NT-PTMP, show as "UNKN".
* Removed unused functions and code for L2 handling.
Patches:
patch03_L2estab.diff (license #6372) patch uploaded by Guenther Kelleter
Modified
Sending PH prim via lower_id layer (3 or 1) simply does not work. For TE
(3) it returns an error (len=-6) which is not evaluated by handle_l1(), so
the L1 layer status ends up wrong. Instead PH must be sent via L4, only
then does it reach L1 without an error message.
And NT PH prims only reach L1 when they are sent to layer 2 id.
--> use upper_id to send PH primitives.
* Check for errors in PH_(DE)ACTIVATE | CONFIRM.
* Debug messages are improved.
* The lower_id is now not used for anything, except: Why is lower_id layer
deleted when it wasn't created? I removed this code since it looks very
wrong.
Patches:
patch04_l1activation.diff (license #6372) patch uploaded by Guenther Kelleter
If you make 2 calls out an NT PTMP port which is not connected to any
phone, the B channel associated with that call becomes unusable until
Asterisk is restarted.
The problem is the EVENT_SETUP is queued when L1 is not up in
misdn_lib_send_event(). If L1 cannot be activated the event won't be
dequeued. It gets even worse when the call is hung up. The queued
EVENT_SETUP will be overwritten by an EVENT_DISCONNECT. The reserved B
channel then will never be freed. If later someone connects a phone to
the port, L1 will eventually activate and the queued EVENT_DISCONNECT is
sent down the stack. However, it is ignored because it is the wrong call
state.
The real fix would be that activation and queueing for a new SETUP is done
by the NT stack. But since it doesn't, the workaround must be removed
because it doesn't always work.
Fix: The event is no longer queued but immediately sent to the stack. If
L1 cannot be activated, the L3 state machine that was started by the
EVENT_SETUP will do its work, i.e. a timeout will release the B channel
properly. The SETUP possibly cannot be sent the first time but is resent
by T303 in case L1 could be activated.
Patches:
patch05_bchan-loss.diff (license #6372) patch uploaded by Guenther Kelleter
Modified
Matthew Jordan [Wed, 31 Oct 2012 20:25:00 +0000 (20:25 +0000)]
app_queue: Make ordering of rrmemory/rrordered persist over add/remove members
Prior to this patch, adding, removing or reloading members to rrmemory would
cause the order to become completely jumbled. Now it behaves more or less like
rrordered other than the fact that it stores the members on a hash table rather
than a linked list. This patch also prevents removal of members and member
reloads from jumbling rrordered queues.
(issue AST-989)
Reported by: Thomas Arimont
Review: https://reviewboard.asterisk.org/r/2164/
........
Merged revisions 375216 from http://svn.asterisk.org/svn/asterisk/branches/1.8
AST-2012-010: Clean up after a reinvite that never gets a final response
The basic problem is that if a re-INVITE is sent by Asterisk and it receives a
provisional response, but no final response, then the dialog is never torn
down. In addition to leaking memory, this also leaks file descriptors and will
eventually lead to Asterisk no longer being able to process calls.
This patch just keeps track of whether there is an outstanding re-INVITE, and if
there is goes ahead and cleans up everything as though there was no outstanding
reinvite.
Review: https://reviewboard.asterisk.org/r/2009/
(closes issue ASTERISK-19992)
Reported by: Steve Davies
Tested by: Steve Davies, Terry Wilson
........
r369557 | twilson | 2012-07-03 09:27:02 -0500 (Tue, 03 Jul 2012) | 11 lines
Better handle re-INVITEs with provisional but no final repsonses
A previous attempt at fixing this issue had negative side effects related
to attended transfers which this patch should resolve. Many thanks to
Steve Davies for all of the good suggestions and testing.
(closes issue ASTERISK-19992)
Reported by: Steve Davies
Tested by: Steve Davies, Terry Wilson
Review: https://reviewboard.asterisk.org/r/2009/
........
r369579 | twilson | 2012-07-03 11:58:16 -0500 (Tue, 03 Jul 2012) | 8 lines
More improvements to re-INVITEs timing out after a provisional response
There is no need to call check_pendings() on a final response to an INVITE
when destroying the scheduler entry as it will be done later during normal
processing.
Do not send a BYE when a provisional response arrives during a re-INVITE
Commits r369557 and r369579 were done to improve handling of re-INVITEs
when the UA that was supposed to receive the re-INVITE fails to respond.
A limitation of those patches occurred when a UA sent a provisional
response to the re-INVITE. This triggered a sending of a BYE in
check_pending. This patch tweaks the handling of the re-INVITE such that
a BYE is not sent in response to those messages.
(issue ASTERISK-19992)
Reported by: Steve Davies
Tested by: Steve Davies
patches:
(reinvite_tweak.diff license #5012 by Steve Davies)
........
r369652 | kmoore | 2012-07-05 14:01:52 -0500 (Thu, 05 Jul 2012) | 22 lines
AST-2012-011: Resolve heap corruption issue with voicemail
The heard and deleted arrays in the voicemail state structure were not
handled properly following the memory leak fix in r354890 and a fix for
an invalid free in r356797. This could result in accessing and writing
into freed memory. The allocation for these arrays has been reworked
to avoid the possibility of invalid frees, access of freed memory, and
crashes that were occurring as a result of this.
Locking around accesses and modifications of the voicemail state
structure members dh_arraysize, heard, and deleted has been added to
prevent simultaneous modification and access when IMAP storage is in
use. If IMAP storage is not in use, this locking is not compiled in.
Matthew Jordan [Mon, 15 Oct 2012 14:11:46 +0000 (14:11 +0000)]
Properly handle UAC/UAS roles for SIP session timers
The SIP session timer mechanism contains a mandatory 'refresher' parameter
(included in the Session-Expires header) which is used in the session timer
offer/answer signaling within a SIP Invite dialog. It looks like asterisk is
interpreting the uac resp. uas role only as the initial role of client and
server (caller is uac, callee is uas). The standard rfc 4028 however assigns
the client role to the ((RE)-Invite) requester, the server role to the
((RE)-Invite) responder.
This patch has Asterisk track the actual refresher as "us" or "them" as opposed
to relying on just the configured "uas" or "uac" properties.
(closes issue AST-922)
Reported by: Thomas Airmont
Matthew Jordan [Thu, 11 Oct 2012 15:46:29 +0000 (15:46 +0000)]
Fix incorrect billing duration reported when batch mode is enabled
Similar to r369351, the billing duration can be skewed when batch mode is
enabled. This happened much more rarely than the duration, as it only
occured when the call was answered (thereby indicating an actual answer
time) and immediately hung up on (indicating a billsec of 0). Since
a billing time of '0' can either mean that the call immediately ended
or that the CDR was improperly answered, we have to use additional information
to know whether or not we can trust the CDR billsec value. Prior to this
patch, we looked to see if we had a valid answer time. If we did, and
billsec was zero, we used the current time to calculate what billsec value
we could from the CDR being written. If batch mode is enabled, this will
incorrectly report a billsec value being much greater than the actual
duration of the call.
Instead of relying on the presence of an answer time to know whether or not
we can re-calculate the billsec for the CDR, we now also use the presence
of the CDR's end time to know if we need to re-calculate or whether we can
trust the billsec value that we have. This prevents erroneous jumps in the
billsec value, while still making sure that in the worst case, some billing
time will be calculated.
(closes issue AST-1016)
Reported by: Thomas Arimont
Tested by: Thomas Arimont
........
Merged revisions 374843 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Richard Mudgett [Wed, 10 Oct 2012 21:12:20 +0000 (21:12 +0000)]
app_queue: Made pass connected line updates from the caller to ringing queue members.
Party A calls Party B
Party B puts Party A on hold.
Party B calls a queue.
Ringing queue member D sees Party B identification.
Party B transfers Party A to the queue.
Queue member D does not get a connected line update for Party A.
Queue member D answers the call and still sees Party B information.
However, if Party A later transfers the call to Party C then queue member
D gets a connected line update for Party C.
* Made pass connected line updates from the caller to queue members while
the queue members are ringing.
(closes issue AST-1017)
Reported by: Thomas Arimont
(closes issue ABE-2886)
Reported by: Thomas Arimont
Tested by: rmudgett
........
Merged revisions 374801 from https://origsvn.digium.com/svn/asterisk/be/branches/C.3-bier
........
Merged revisions 374802 from http://svn.asterisk.org/svn/asterisk/branches/1.8
In handle_frm_te() after calling misdn_lib_send_event(bc,
EVENT_RELEASE_COMPLETE) bc is emptied, cleaned and set not in use,
although misdn_lib_send_event() already did the same. This is bad. When
it's not in use we are not allowed to touch it.
* Moved log message in front of the resulting actions and fixed it to
match the case.
Patches:
patch5_bccleanup.diff (license #6372) patch uploaded by Guenther Kelleter
chan_misdn: We must initialize cause on sending a DISCONNECT.
We must initialize cause on sending a DISCONNECT, so it is later correctly
indicated to ast_channel in case the answer (RELEASE/RELEASE_COMPLETE)
does not include one.
Patches:
patch7_hangupcause.diff (license #6372) patch uploaded by Guenther Kelleter
chan_misdn: setup_bc() is called too early for an incoming SETUP on TE.
This prevents the B channel from being setup for HDLC mode when requested
by the bearer capability and config option hdlc=yes. It violates
ETS300102 Ch.5.2.3.2: "The user, in any case, must not connect to the
channel until a CONNECT ACKNOWLEDGE message has been received."
* Call setup_bc() on receipt of CONNECT_ACKNOWLEGDE for PTMP, and on first
response to SETUP for PTP.
Patches:
abe-2881-2.diff (license #6372) patch uploaded by Guenther Kelleter
Modified.
Close the proper tcptls_session when session creation fails.
(issue AST-998)
Reported by: Thomas Arimont
Tested by: Thomas Arimont
........
r367002 | mmichelson | 2012-05-18 11:53:47 -0500 (Fri, 18 May 2012) | 17 lines
Fix memory leak of SSL_CTX structures in TLS core.
SSL_CTX structures were allocated but never freed. This was a bigger
issue for clients than servers since new SSL_CTX structures could be
allocated for each connection. Servers, on the other hand, typically
set up a single SSL_CTX for their lifetime.
This is solved in two ways:
1. In __ssl_setup(), if a tcptls_cfg has an ssl_ctx on it, it is
freed so that a new one can take its place.
2. A companion to ast_ssl_setup() called ast_ssl_teardown() has
been added so that servers can properly free their SSL_CTXs.
Thanks to Paul Belanger for pointing out this error.
........
r369731 | mmichelson | 2012-07-06 13:40:06 -0500 (Fri, 06 Jul 2012) | 19 lines
Remove a superfluous and dangerous freeing of an SSL_CTX.
The problem here is that multiple server sessions share
a SSL_CTX. When one session ended, the SSL_CTX would be
freed and set NULL, leaving the other sessions unable to
function.
The code being removed is superfluous because the SSL_CTX
structures for servers will be properly freed when ast_ssl_teardown
is called.
Resolve memory leaks in TLS initialization and TLS client connections
This patch resolves two sources of memory leaks when using TLS in Asterisk:
1) It removes improper initialization (and multiple re-initializations) of
portions of the SSL library. Asterisk calls SSL_library_init and
SSL_load_error_strings during SSL initialization; collectively this
obviates the need for calling any of the following during initialization
or client connection handling:
* ERR_load_crypto_strings (handled by SSL_load_error_strings)
* OpenSSL_add_all_algorithms (synonym for SSL_library_init)
* SSLeay_add_ssl_algorithms (synonym for SSL_library_init)
2) Failure to completely clean up all memory allocated by Asterisk and by
the SSL library for TLS clients. This included not freeing the SSL_CTX
object in the SIP channel driver, as well as not clearing the error
stack when the TLS client exited.
Note that these memory leaks were found by Thomas Arimont, and this patch
was essentially written by him with some minor tweaks.
(closes issue AST-889)
Reported by: Thomas Arimont
Tested by: Thomas Arimont
patches:
(bugAST-889.patch) by Thomas Arimont (license 5525)
Matthew Jordan [Thu, 30 Aug 2012 16:28:49 +0000 (16:28 +0000)]
AST-2012-012: Resolve AMI User Unauthorized Shell Access through ExternalIVR
The AMI Originate action can allow a remote user to specify information that can
be used to execute shell commands on the system hosting Asterisk. This can
result in an unwanted escalation of permissions, as the Originate action, which
requires the "originate" class authorization, can be used to perform actions
that would typically require the "system" class authorization. Previous attempts
to prevent this permission escalation (AST-2011-006, AST-2012-004) have sought
to do so by inspecting the names of applications and functions passed in with
the Originate action and, if those applications/functions matched a predefined
set of values, rejecting the command if the user lacked the "system" class
authorization. As reported by IBM X-Force Research, the "ExternalIVR"
application is not listed in the predefined set of values. The solution for
this particular vulnerability is to include the "ExternalIVR" application in the
set of defined applications/functions that require "system" class authorization.
Unfortunately, the approach of inspecting fields in the Originate action against
known applications/functions has a significant flaw. The predefined set of
values can be bypassed by creative use of the Originate action or by certain
dialplan configurations, which is beyond the ability of Asterisk to analyze at
run-time. Attempting to work around these scenarios would result in severely
restricting the applications or functions and prevent their usage for legitimate
means. As such, any additional security vulnerabilities, where an
application/function that would normally require the "system" class
authorization can be executed by users with the "originate" class authorization,
will not be addressed. Instead, the README-SERIOUSLY.bestpractices.txt file has
been updated to reflect that the AMI Originate action can result in commands
requiring the "system" class authorization to be executed. Proper system
configuration can limit the impact of such scenarios.
(closes issue ASTERISK-20132)
Reported by: Zubair Ashraf of IBM X-Force Research
AST-2012-013: Resolve ACL rules being ignored during calls by some IAX2 peers
When an IAX2 call is made using the credentials of a peer defined in a dynamic
Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are
not applied to the call attempt. This allows for a remote attacker who is aware
of a peer's credentials to bypass the ACL rules set for that peer.
This patch ensures that the ACLs are applied for all peers, regardless of their
storage mechanism.
(closes issue ASTERISK-20186)
Reported by: Alan Frisch
Tested by: mjordan, Alan Frisch
Matthew Jordan [Fri, 24 Aug 2012 13:55:18 +0000 (13:55 +0000)]
Merge patches for 1.8.11-cert6
This includes the following
* r369351 for AST-883
* r368807 for AST-884
* r356604, r356650, r364203 for AST-890
* r370618 for AST-896
* r370205, r370273, r370360 for AST-916
* r371469 for AST-932
Mark Michelson [Tue, 7 Aug 2012 15:40:46 +0000 (15:40 +0000)]
Fix error in the "IPorHost" section of a SIP dialstring.
This is based on the review request posted by Walter Doekes
(referenced lower in the commit message)
The main fix here is to treat the IPorHost portion of the dial
string as a temporary outbound proxy. This ensures requests
get sent to the proper location.
Due to the age of the request, some parts were no longer relevant.
For instance, the request moved outbound proxy parsing code into
a single method. This is done in a previous commit, so it was not
necessary to do again.
Also, the review request fixed some errors with regards to request
routing for CANCEL and ACK requests. This has also been fixed in
more recent commits.
(closes issue ASTERISK-19677)
reported by Walter Doekes
Terry Wilson [Wed, 25 Jul 2012 03:37:08 +0000 (03:37 +0000)]
Revert a change that broke compilation
1) There is no such function as ast_ref()
2) The patch was originally credited as the one uploaded by Guenther
Kelleter (license 6372) via issue AST-921, but the patch committed
was not the patch referenced on the issue.
3) Guenther Kelleter's patch was actually correct. It moved the
ast_free above the presencechange_cleanup label. I am not
committing his change as it is not technically necesary--calling
ast_free(NULL) is perfectly safe and I worry that moving the
ast_free outside of the label could lead to future bugs if
someone ever adds another failure conditional and expects
'goto presencechange_cleanup;' to clean up after everything.
Matthew Jordan [Wed, 11 Jul 2012 19:44:51 +0000 (19:44 +0000)]
Fix bad merge of r368759 in sig_analog
The patch for r368759 in Asterisk 1.8 relied upon the methods
analog_unlock_private/analog_lock_private. In earlier versions of 1.8,
including the Certified Asterisk 1.8.11 branch, those two methods were
unused, and hence were undefined out of the source. When the patch was made
for 1.8.11-cert5, those two functions were not re-defined back in. This caused
linking errors when sig_analog was loaded.
This patch properly restores those two methods, such that the fix for AST-891
works correctly.
Add "send to voicemail" Digium phone functionality to Asterisk.
This change accommodates two methods by which calls can be directed to
a user's voicemail.
* Incoming calls can be redirected to any user's voicemail.
* Established calls can be blind transferred to any user's voicemail.
Digium phones indicate the desire to direct a call to voicemail by using
a Diversion header with a reason parameter of "send_to_vm".
This patch adds the "send_to_vm" reason as a valid redirecting reason. In
addition, chan_sip.c has been modified to update redirecting information
on the transferred channel by reading a Diversion header on a REFER request.
(closes issue AST-871)
Reported by Malcolm Davenport
Fix deadlock in SIP transfers that involve a REFER request
In r367163, "send to voicemail" functionality was added to the SIP channel
driver. This required updating the party redirecting information for the
channel based on the headers provided in the REFER request. When the
redirecting party information is updated on the channel, a call to
ast_indicate_data occurs. Because handle_request_refer still had the sip_pvt
locked, a deadlock could occur between the pbx_thread and the do_monitor thread
servicing the REFER request.
This patch preserves the proper locking order between the channel and the
sip_pvt by ensuring that the sip_pvt is unlocked prior to updating the party
redirecting information on the channel.
(closes issue AST-903)
Reported by: Matt Jordan
patches:
jira_ast_903_trunk.patch by rmudgett (license 5621)
Matthew Jordan [Wed, 13 Jun 2012 20:29:33 +0000 (20:29 +0000)]
Mark res_smdi/res_adsi as 'core' supported modules
Recently, various issues surrounding weak attributes have caused problems with
modules that rely on that feature to be enabled in menuselect. This includes
app_voicemail and chan_dahdi, as they both rely upon res_smdi and res_adsi,
which, in certain circumstances, may not be enabled by default in menuselect.
Because res_smdi/res_adsi are dependencies for chan_dahdi/app_voicemail, this
patch marks both as 'core' supported modules. This will allow both
app_voicemail and chan_dahdi to be enabled as well, regardless of whether or
not that system supports weak attributes.
(issue AST-900)
Reported by: Thomas Arimont
(issue AST-885)
Reported by: Denis Alberto Martinez
........
Merged revisions 368894 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Matthew Jordan [Tue, 12 Jun 2012 13:44:36 +0000 (13:44 +0000)]
Fix deadlock in SIP transfers that involve a REFER request
In r367163, "send to voicemail" functionality was added to the SIP channel
driver. This required updating the party redirecting information for the
channel based on the headers provided in the REFER request. When the
redirecting party information is updated on the channel, a call to
ast_indicate_data occurs. Because handle_request_refer still had the sip_pvt
locked, a deadlock could occur between the pbx_thread and the do_monitor thread
servicing the REFER request.
This patch preserves the proper locking order between the channel and the
sip_pvt by ensuring that the sip_pvt is unlocked prior to updating the party
redirecting information on the channel.
(closes issue AST-903)
Reported by: Matt Jordan
patches:
jira_ast_903_trunk.patch by rmudgett (license 5621)
Matthew Jordan [Wed, 6 Jun 2012 17:32:45 +0000 (17:32 +0000)]
Add feature modifier to versions produced from branches
Certain branches, such as Certified Asterisk, may have a modifier added to
them that specifies the features available in that branch. For branches, this
modifier is expected to be reflected in the location of the branch in
subversion. For example, a subversion of URL of /certified/branches/1.8.11
would have a feature modifier of 'certified'. This is slightly different then
how features are determined for tags, where the feature is part of the actual
tag name, e.g., "10.5.0-digiumphones".
In keeping with the nomenclature used for tags, the feature specifier for
branches is translated and placed after the revision numbers. For the example
given previously, this would result in a branch version of
"Asterisk SVN-branch-1.8.11-cert-rXXXXXX".
Matthew Jordan [Tue, 29 May 2012 18:46:22 +0000 (18:46 +0000)]
AST-2012-008: Fix remote crash vulnerability in chan_skinny
When a skinny session is unregistered, the corresponding device pointer is set
to NULL in the channel private data. If the client was not in the on-hook state
at the time the connection was closed, the device pointer can later be
dereferened if a message or channel event attempts to use a line's pointer to
said device.
The patches prevent this from occurring by checking the line's pointer in
message handlers and channel callbacks that can fire after an unregistration
attempt.
(closes issue ASTERISK-19905)
Reported by: Christoph Hebeisen
Tested by: mjordan, Damien Wedhorn
Patches:
AST-2012-008-1.8.diff uploaded by mjordan (license 6283)
AST-2012-008-10.diff uploaded by mjordan (licesen 6283)
Mark Michelson [Mon, 21 May 2012 19:05:52 +0000 (19:05 +0000)]
Add "send to voicemail" Digium phone functionality to Asterisk.
This change accommodates two methods by which calls can be directed to
a user's voicemail.
* Incoming calls can be redirected to any user's voicemail.
* Established calls can be blind transferred to any user's voicemail.
Digium phones indicate the desire to direct a call to voicemail by using
a Diversion header with a reason parameter of "send_to_vm".
This patch adds the "send_to_vm" reason as a valid redirecting reason. In
addition, chan_sip.c has been modified to update redirecting information
on the transferred channel by reading a Diversion header on a REFER request.
(closes issue AST-871)
Reported by Malcolm Davenport
AST-2012-005: Fix remotely exploitable heap overflow in keypad button handling
When handling a keypad button message event, the received digit is placed into
a fixed length buffer that acts as a queue. When a new message event is
received, the length of that buffer is not checked before placing the new digit
on the end of the queue. The situation exists where sufficient keypad button
message events would occur that would cause the buffer to be overrun. This
patch explicitly checks that there is sufficient room in the buffer before
appending a new digit.
(closes issue ASTERISK-19592)
Reported by: Russell Bryant
........
AST-2012-006: Fix crash in UPDATE handling when no channel owner exists
If Asterisk receives a SIP UPDATE request after a call has been terminated and
the channel has been destroyed but before the SIP dialog has been destroyed, a
condition exists where a connected line update would be attempted on a
non-existing channel. This would cause Asterisk to crash. The patch resolves
this by first ensuring that the SIP dialog has an owning channel before
attempting a connected line update. If an UPDATE request is received and no
channel is associated with the dialog, a 481 response is sent.
(closes issue ASTERISK-19770)
Reported by: Thomas Arimont
Tested by: Matt Jordan
Patches:
ASTERISK-19278-2012-04-16.diff uploaded by Matt Jordan (license 6283)
........
r363141 | jrose | 2012-04-23 09:33:16 -0500 (Mon, 23 Apr 2012) | 20 lines
AST-2012-004: Fix an error that allows AMI users to run shell commands sans authorization.
As detailed in the advisory, AMI users without write authorization for SYSTEM class AMI
actions were able to run system commands by going through other AMI commands which did
not require that authorization. Specifically, GetVar and Status allowed users to do this
by setting their variable/s options to the SHELL or EVAL functions.
Also, within 1.8, 10, and trunk there was a similar flaw with the Originate action that
allowed users with originate permission to run MixMonitor and supply a shell command
in the Data argument. That flaw is fixed in those versions of this patch.
(closes issue ASTERISK-17465)
Reported By: David Woolley
Patches:
162_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
18_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
10_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
........
Merged revisions 363117 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
........
Merged revisions 363102,363106,363141 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Matthew Jordan [Thu, 12 Apr 2012 18:47:16 +0000 (18:47 +0000)]
Merge of several needed fixes for 1.8-digiumphones
This merges fixes for the following issues into the 1.8-digiumphones branch:
* ASTERISK-19355 - Call transfer with consultation frequently fails in cross-
linked Asterisk scenario (directmedia & sendrpid active)
* ASTERISK 19365 - Remote SIP Call legs are frequently not released in a
cross-linked Asterisk scenario (directmedia & sendrpid)
* ASTERISK-19183 - Sporadically missing connectedline event to caller channel
in directed pickup app
Mark Michelson [Mon, 9 Apr 2012 20:40:25 +0000 (20:40 +0000)]
Fix bugs in voicemail APIs and add unit tests.
There were several crashes that could occur due to NULL
inputs, invalid inputs, and the like. This fixes all known
ones and adds unit tests to exercise the APIs.
Mark Michelson [Thu, 5 Apr 2012 17:24:13 +0000 (17:24 +0000)]
Add additional configuration and presence unit tests.
These were originally written while merging features into trunk, but
these tests apply just as much for the 1.8 version of Digium phones, so
might as well have them here, too.
Fix remotely exploitable stack overrun in Milliwatt
Milliwatt is vulnerable to a remotely exploitable stack overrun when using
the 'o' option. This occurs due to the milliwatt_generate function not
accounting for AST_FRIENDLY_OFFSET when calculating the maximum number of
samples it can put in the output buffer.
This patch resolves this issue by taking into account AST_FRIENDLY_OFFSET
when determining the maximum number of samples allowed. Note that at no
point is remote code execution possible. The data that is written into the
buffer is the pre-defined Milliwatt data, and not custom data.
(closes issue ASTERISK-19541)
Reported by: Russell Bryant
Tested by: Matt Jordan
Patches:
milliwatt_stack_overrun.rev1.txt by Russell Bryant (license 6283)
Note that this patch was written by Russell, even though Matt uploaded it
........
Merged revisions 359645 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
........
r359706 | mjordan | 2012-03-15 14:01:22 -0500 (Thu, 15 Mar 2012) | 16 lines
Fix remotely exploitable stack overflow in HTTP manager
There exists a remotely exploitable stack buffer overflow in HTTP digest
authentication handling in Asterisk. The particular method in question
is only utilized by HTTP AMI. When parsing the digest information, the
length of the string is not checked when it is copied into temporary buffers
allocated on the stack.
This patch fixes this behavior by parsing out pre-defined key/value pairs
and avoiding unnecessary copies to the stack.
(closes issue ASTERISK-19542)
Reported by: Russell Bryant
Tested by: Matt Jordan
........
r359979 | rmudgett | 2012-03-20 12:21:16 -0500 (Tue, 20 Mar 2012) | 28 lines
Allow AMI action callback to be reentrant.
Fix AMI module reload deadlock regression from ASTERISK-18479 when it
tried to fix the race between calling an AMI action callback and
unregistering that action. Refixes ASTERISK-13784 broken by
ASTERISK-17785 change.
Locking the ao2 object guaranteed that there were no active callbacks that
mattered when ast_manager_unregister() was called. Unfortunately, this
causes the deadlock situation. The patch stops locking the ao2 object to
allow multiple threads to invoke the callback re-entrantly. There is no
way to guarantee a module unload will not crash because of an active
callback. The code attempts to minimize the chance with the registered
flag and the maximum 5 second delay before ast_manager_unregister()
returns.
The trunk version of the patch changes the API to fix the race condition
correctly to prevent the module code from unloading from memory while an
action callback is active.
* Don't hold the lock while calling the AMI action callback.
(closes issue ASTERISK-19487)
Reported by: Philippe Lindheimer
Mark Michelson [Tue, 20 Mar 2012 19:30:07 +0000 (19:30 +0000)]
Get rid of an annoying "Possible programming error" message.
If an extension's 'app' field is NULL, then a "(null)" string
would be written into an ast_str due to the way that snprintf
works. When this is passed to ast_strlen_zero(), it fires up
a big warning indicating something is probably wrong.
There indeed was a problem, but luckily it wasn't a very big
problem. After the failed ast_strlen_zero() check and big
warning message, the very next if statement, checking to
see if the "(null)" matched a presence provider, would fail,
so no harm was done.
Jason Parker [Thu, 8 Mar 2012 18:02:58 +0000 (18:02 +0000)]
Prevent outbound SIP NOTIFY packets from displaying a port of 0
In the change from 1.6.2 to 1.8, ast_sockaddr was introduced which changed the
behavior of ast_find_ourip such that port number was wiped out. This caused
the port in internip (which is used for Contact and Call-ID on NOTIFYs) to be
0. This change causes ast_find_ourip to be port-preserving again.
(closes issue ASTERISK-19430)
........
Merged revisions 357665 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Matthew Jordan [Sat, 25 Feb 2012 17:21:29 +0000 (17:21 +0000)]
Fix crash in app_voicemail during close_mailbox
In r354890, a memory leak in app_voicemail was fixed by properly disposing of
the allocated heard/deleted pointers. However, there are situations,
particularly when no messages are found in a folder, where these pointers are
not allocated and not NULL. In that case, an invalid free would be attempted,
which could crash app_voicemail. As there are a number of code paths where
this could occur, this patch uses the number of messages detected in the folder
before it attempts to free the pointers. This resolves the crash detected in
the Asterisk Test Suite's check_voicemail_nominal test.
Matthew Jordan [Fri, 24 Feb 2012 17:41:18 +0000 (17:41 +0000)]
Remove srtp_shutdown from res_srtp
The patch for ASTERISK-19253 included properly shutting down the libsrtp
library in the case of module unload. Unfortunately, not all distributions
have the srtp_shutdown call. As such, this patch removes calling
srtp_shutdown.
Matthew Jordan [Fri, 24 Feb 2012 15:07:09 +0000 (15:07 +0000)]
Allow SRTP policies to be reloaded
Currently, when using res_srtp, once the SRTP policy has been added to the
current session the policy is locked into place. Any attempt to replace an
existing policy, which would be needed if the remote endpoint negotiated a new
cryptographic key, is instead rejected in res_srtp. This happens in particular
in transfer scenarios, where the endpoint that Asterisk is communicating with
changes but uses the same RTP session.
This patch modifies res_srtp to allow remote and local policies to be reloaded
in the underlying SRTP library. From the perspective of users of the SRTP API,
the only change is that the adding of remote and local policies are now added
in a single method call, whereas they previously were added separately. This
was changed to account for the differences in handling remote and local
policies in libsrtp.
Review: https://reviewboard.asterisk.org/r/1741/
(closes issue ASTERISK-19253)
Reported by: Thomas Arimont
Tested by: Thomas Arimont
Patches:
srtp_renew_keys_2012_02_22.diff uploaded by Matt Jordan (license 6283)
(with some small modifications for this check-in)
Richard Mudgett [Thu, 23 Feb 2012 19:49:03 +0000 (19:49 +0000)]
Fix blind transfer parking issues if the dialed extension is not recognized as a parking extension.
Custom parking extensions may not be coded such that the first and only
extension priority is the Park application. These custom parking
extensions will not be recognized as parking extensions. When a call is
blind transferred to an extension that is not recognized as a parking
extension, the normal blind transfer code causes the transferred channel
to start executing dialplan. Calls that get parked in this manner do not
know the original channel name that parked the call so the original parker
could never be called back if the parked call is not retrieved before the
timeout time. The parking space is also announced to the call being
parked as a side effect of not knowing the original parking channel.
* Fix handling of BLINDTRANSFER channel variable for call parking.
* Fixed SIP blind transfer using the wrong dialplan context variable to
check for the parking extension.
Mark Michelson [Thu, 23 Feb 2012 15:37:59 +0000 (15:37 +0000)]
Fix ACK routing for non-2xx responses.
When we send an ACK for a 2xx response to an INVITE, we are supposed
to use the learned route set. However, when we receive a non-2xx final
response to an INVITE, we are supposed to send the ACK to the same place
we initially sent the INVITE.
We had been doing this up until the changes went in that would build a route
set from provisional responses. That introduced a regression where we would
use the learned route set under all circumstances.
With this change, we now will set the destination of our ACK based on the
invitestate. If it is INV_COMPLETED then that means that we have received
a non-2xx final response (INV_TERMINATED indicates a 2xx response was received).
If it is INV_CANCELLED, then that means the call is being canceled, which
means that we should be ACKing a 487 response.
The other change introduced here is setting the invitestate to INV_CONFIRMED
when we send an ACK *after* the reqprep instead of before. This way, we can
tell in reqprep more easily what the invitestate is prior to sending the ACK.
(closes issue ASTERISK-19389)
reported by Karsten Wemheuer
patches:
ASTERISK-19389v2.patch uploaded by Mark Michelson (license #5049)
(with some slight modifications prior to commit)
Terry Wilson [Wed, 22 Feb 2012 21:08:50 +0000 (21:08 +0000)]
Track module use count for res_calendar
If the res_calendar module was followed immediately by one of the
calendar tech modules and "core stop gracefully" was run, Asterisk
would crash.
This patch adds use count tracking for res_calendar so that it is
unloaded after the tech modules when shutting down gracefully. It
is now not possible to unload all the of the calendar modules via
"module unload res_calednar.so", but it is still possible to unload
them all via "module unload -h res_calendar.so".
Matthew Jordan [Wed, 22 Feb 2012 14:50:20 +0000 (14:50 +0000)]
Fix potential buffer overrun and memory leak when executing "sip show peers"
The "sip show peers" command uses a fix sized array to sort the current peers
in the peers ao2_container. The size of the array is based on the current
number of peers in the container. However, once the size of the array is
determined, the number of peers in the container can change, as the peers
container is not locked. This could cause a buffer overrun when populating
the array, if peers were added to the container after the array was created.
Additionally, a memory leak of the allocated array would occur if a user
caused the _show_peers method to return CLI_SHOWUSAGE.
We now create a snapshot of the current peers using an ao2_callback with the
OBJ_MULTIPLE flag. This size of the array is set to the number of peers
that the iterator will iterate over; hence, if peers are added or removed
from the peers container it will not affect the execution of the "sip show
peers" command.
Review: https://reviewboard.asterisk.org/r/1738/
(closes issue ASTERISK-19231)
(closes issue ASTERISK-19361)
Reported by: Thomas Arimont, Jamuel Starkey
Tested by: Thomas Arimont, Jamuel Starkey
Patches: sip_show_peers_2012_02_16.diff uploaded by mjordan (license 6283)
Sean Bright [Mon, 20 Feb 2012 18:38:28 +0000 (18:38 +0000)]
Remove spurious warning when 'qualifyfreqnotok' is set successfully.
(closes issue ASTERISK-17176)
Reported by: John Covert
Tested by: Sean Bright
Patches:
chan_iax2.c.qualifyfreqnotok.patch uploaded by John Covert (license 5512)
Alec L Davis [Sat, 18 Feb 2012 07:55:11 +0000 (07:55 +0000)]
push 'outgoing' flag from sig_XXX up to chan_dahdi
'p->outgoing' in chan_dahdi and sig_analog wern't kept in sync, particulary FXS ast_hangup didn't clear the 'outgoing' flag.
sig_pri and sig_ss7 were keeping 'outgoing' flag insync.
Now provides a callback for all the low level sig_XXX modules.
(issue ASTERISK-19316)
alecdavis (license 585)
Reported by: Jeremy Pepper
Tested by: alecdavis
Sean Bright [Fri, 17 Feb 2012 19:32:52 +0000 (19:32 +0000)]
Pass the correct value to ast_timer_set_rate() for IAX2 trunking.
IAX2 uses the trunkfreq variable to determine how often to send trunk packets, but
this value is in milliseconds while ast_timer_set_rate() expects the rate argument
to be ticks per second. So we divide 1000 by trunkfreq and pass that in instead.
With a default of 20ms, this change makes IAX2 send trunk packets every 20ms
instead of every 50ms.
Mark Michelson [Fri, 17 Feb 2012 18:57:28 +0000 (18:57 +0000)]
Fix regressions with regards to route-set creation on early dialogs.
This fixes two main issues:
1. Asterisk would send a CANCEL to the route created by the provisional response
instead of using the same destination it did in the initial INVITE.
2. If a new route set arrives in a 200 OK than was in the 1XX response (perfectly
possible if our outbound INVITE gets forked), then the route set in the 200 OK
needs to overwrite the route set in the 1XX response.
(closes issue ASTERISK-19358)
Reported by: Karsten Wemheuer
Tested by: Karsten Wemheuer
patches:
ASTERISK-19358.patch uploaded by Mark Michelson (license 5049)
ASTERISK-19358.patch uploaded by Stefan Schmidt (license 6034)
Sean Bright [Thu, 16 Feb 2012 20:01:15 +0000 (20:01 +0000)]
Revert a change to audio_audiohook_write_list that had no affect.
When I made this change initially, I was under the false impression that the
audiohooks structure remained on the channel after all of the hooks had been
detached. This is not the case, ast ast_read takes care of removing the
audiohooks structure if the lists are empty.
Richard Mudgett [Thu, 16 Feb 2012 19:26:16 +0000 (19:26 +0000)]
Fix compile problem when old version of libvorbisfile v1.1.2 is used.
The principle difference between libvorbisfile v1.1.2 and newer (at least
v1.2.0) is the addition of the predefined callbacks OV_CALLBACKS_xxx in
vorbis/vorbisfile.h used for ov_open_callbacks().
* Updated the configure script to detect if libvorbisfile.h declares
OV_CALLBACKS_NOCLOSE.
* Copied the declaration of OV_CALLBACKS_NOCLOSE from v1.2.0 to allow
v1.1.2 to compile.
(closes issue ASTERISK-19370)
Reported by: Jonn Taylor
Sean Bright [Wed, 15 Feb 2012 17:24:22 +0000 (17:24 +0000)]
Use TRUNK_CALL_START as originally intended.
Back in r646, TRUNK_CALL_START was added and defined as 0x4000. That same value
was also hard-coded in one part of the IAX2 code instead of using the #define.
TRUNK_CALL_START has changed over the years (for dealing with LOW_MEMORY), but
the hard-coded usage was never updated to match. This patch fixes that.
projects / thirdparty / asterisk.git / log
