Richard Mudgett [Mon, 30 Apr 2018 22:38:58 +0000 (17:38 -0500)]
AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.
When endpoint specific ACL rules block a SIP request they respond with a
403 forbidden. However, if an endpoint is not identified then a 401
unauthorized response is sent. This vulnerability just discloses which
requests hit a defined endpoint. The ACL rules cannot be bypassed to gain
access to the disclosed endpoints.
* Made endpoint specific ACL rules now respond with a 401 unauthorized
which is the same as if an endpoint were not identified. The fix is
accomplished by replacing the found endpoint with the artificial endpoint
which always fails authentication.
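To make the fix concrete from the defender's side, here is an added illustration (constructed for this page, not Asterisk's code) of why the two rejection paths had to converge. It models the identify, ACL and authentication stages with a constructed `endpoint` struct and an "artificial" endpoint that always fails authentication, and includes the property check a maintainer would keep as a regression test: an unidentified request and an ACL-rejected request must yield the same status code.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the identify / ACL / authenticate stages described in
 * the commit message; an illustration, not Asterisk's own structures. */
struct endpoint {
    const char *name;
    bool acl_permits;   /* constructed: verdict of the endpoint-specific ACL */
    bool artificial;    /* the endpoint that always fails authentication */
};

static const struct endpoint artificial_endpoint = { "artificial", false, true };

/* A status of 0 below means "continue to the next processing stage". */

/* Before the fix: ACL rejection of a known endpoint answered 403, while a
 * request that matched no endpoint was challenged with 401. */
static int status_before_fix(const struct endpoint *identified)
{
    if (identified == NULL) {
        return 401;     /* unidentified: authentication challenge */
    }
    if (!identified->acl_permits) {
        return 403;     /* ACL rejection: reveals that the endpoint exists */
    }
    return 0;
}

/* After the fix: an ACL rejection swaps in the artificial endpoint, so the
 * request takes exactly the path an unidentified request takes. */
static const struct endpoint *identify_after_fix(const struct endpoint *identified)
{
    if (identified == NULL || !identified->acl_permits) {
        return &artificial_endpoint;
    }
    return identified;
}

static int status_after_fix(const struct endpoint *identified)
{
    const struct endpoint *ep = identify_after_fix(identified);

    if (ep->artificial) {
        return 401;     /* authentication always fails for this endpoint */
    }
    return 0;
}

/* The property the fix restores: an unidentified request and an ACL-rejected
 * request produce the same status, so neither reveals a configured endpoint. */
static bool rejections_indistinguishable(int (*status)(const struct endpoint *))
{
    const struct endpoint blocked = { "blocked-endpoint", false, false };

    return status(NULL) == status(&blocked);
}
```

The check is the useful part: it encodes the property as a test rather than relying on anyone remembering that 403 and 401 must never be distinguishable at this stage.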
Kevin Harwell [Wed, 18 Apr 2018 20:59:38 +0000 (15:59 -0500)]
translate: generic plc not filled in after translation
If during translation a codec could not handle a given frame the translation
core would return NULL, thus not passing along the "missing" frame. Due to this
there was no frame to apply generic plc to, thus rendering it useless.
This patch makes it so the translation core produces an interpolated slin frame
in the cases where an attempt was made to translate to slin, but failed. This
interpolated frame is then passed along and can be used by the generic plc
algorithms to fill in the frame.
George Joseph [Fri, 16 Mar 2018 15:19:11 +0000 (09:19 -0600)]
channel.c: Allow generic plc when channel formats are equal
If the two formats on a channel are equal, we don't transcode and since
the generic plc needs slin to work, it doesn't get invoked.
* A new configuration option "genericplc_on_equal_codecs" was added
to the "plc" section of codecs.conf to allow generic packet loss
concealment even if no transcoding was originally needed.
Transcoding via SLIN is forced in this case.
Kevin Harwell [Tue, 20 Mar 2018 20:28:12 +0000 (15:28 -0500)]
bridge_softmix: Clear "talking" when a channel is put on hold
This patch clears the talking flag from the channel (if already set), and
notifies listeners when that channel is put on hold. Note however, if the
endpoint continues to send audio frames and these are received by the bridge
then that channel will be put back into a "talking" state even though they
are on hold.
Richard Mudgett [Thu, 22 Feb 2018 19:53:20 +0000 (13:53 -0600)]
res_pjsip_refer.c: Fix attended transfer race condition crash.
The transferrer's session channel was destroyed by the transferrer's
serializer thread in a race condition with the transfer target's
serializer thread during an attended transfer. The transfer target's
serializer was attempting to clean up a deferred end status on behalf of
the transferrer's channel when it should have passed the action to the
transferrer's serializer. When the transfer target's serializer lost the
race then both threads wind up trying to end the transferrer's session.
* Push the ast_sip_session_end_if_deferred() call onto the transferrer's
serializer to avoid a race condition that results in a crash. The
session_end() function that could be called by
ast_sip_session_end_if_deferred() really must be executed by the
transferrer's serializer to avoid this kind of crash.
Kevin Harwell [Wed, 31 Jan 2018 19:37:54 +0000 (13:37 -0600)]
AST-2018-003: Crash with an invalid SDP fmtp attribute
pjproject's fmtp retrieval function failed to catch invalid fmtp attributes.
Because of this Asterisk would crash if given an SDP with an invalid fmtp
attribute.
When retrieving the format this patch now makes sure the fmtp attribute is
available. If not available it now returns an error status.
Kevin Harwell [Wed, 31 Jan 2018 19:33:16 +0000 (13:33 -0600)]
AST-2018-002: Crash with an invalid SDP media format description
pjproject's media format parsing algorithm failed to catch invalid values.
Because of this Asterisk would crash if given an SDP with an invalid media
format description.
When parsing the media format description this patch now properly parses the
value and returns an error status if it can't successfully parse/convert the
value.
George Joseph [Tue, 6 Feb 2018 18:07:18 +0000 (11:07 -0700)]
AST-2018-005: res_pjsip_transport_management: Move to core
Since res_pjsip_transport_management provides several attack
mitigation features, its functionality moved to res_pjsip and
this module has been removed. This way the features will always
be available if res_pjsip is loaded.
George Joseph [Tue, 6 Feb 2018 17:28:49 +0000 (10:28 -0700)]
AST-2018-005: Fix tdata leaks when calling pjsip_endpt_send_response(2)
pjsip_distributor:
authenticate() creates a tdata and uses it to send a challenge or
failure response. When pjsip_endpt_send_response2() succeeds, it
automatically decrements the tdata ref count but when it fails, it
doesn't. Since we weren't checking for a return status, we weren't
decrementing the count ourselves on error and were therefore leaking
tdatas.
res_pjsip_session:
session_reinvite_on_rx_request wasn't decrementing the ref count
if an error happened while sending a 491 response.
pre_session_setup wasn't decrementing the ref count
while sending an error after a pjsip_inv_verify_request failure.
res_pjsip:
ast_sip_send_response wasn't decrementing the ref count on error.
Joshua Colp [Wed, 7 Feb 2018 14:09:14 +0000 (14:09 +0000)]
AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.
When receiving a SUBSCRIBE request the Accept headers from it are
stored locally. This operation has a fixed limit of 32 Accept headers
but this limit was not enforced. As a result it was possible for
memory outside of the allocated space to get written to resulting
in a crash.
This change enforces the limit so only 32 Accept headers are
processed.
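As an added illustration of the bound this change enforces (constructed for this page, not Asterisk's code): a fixed array of 32 Accept values with the store routine stopping at the limit instead of writing past the array. The `subscription_accepts` struct, the 64-byte value size and the sample header value are assumptions made for the example; the 32 limit is the one the commit message states.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ACCEPT 32               /* fixed limit named in the advisory */
#define ACCEPT_VALUE_LEN 64         /* constructed value size for the example */

/* Constructed stand-in for the per-subscription storage of Accept values;
 * an illustration, not Asterisk's own structures. */
struct subscription_accepts {
    char values[MAX_ACCEPT][ACCEPT_VALUE_LEN];
    size_t count;
};

/* Copy parsed Accept header values into fixed storage. Input beyond
 * MAX_ACCEPT is dropped rather than written past the array; the return value
 * is the number of values retained so callers can log any truncation. */
static size_t store_accept_headers(struct subscription_accepts *sub,
                                   const char *const *headers, size_t num_headers)
{
    size_t i;

    sub->count = 0;
    for (i = 0; i < num_headers; i++) {
        if (sub->count >= MAX_ACCEPT) {
            break;          /* the check the original code lacked */
        }
        /* snprintf also bounds each value to the slot size */
        snprintf(sub->values[sub->count], ACCEPT_VALUE_LEN, "%s", headers[i]);
        sub->count++;
    }
    return sub->count;
}

/* Build a constructed SUBSCRIBE carrying n identical Accept headers and
 * report how many survive storage. */
static size_t accepts_retained(size_t n)
{
    const char *headers[100];
    struct subscription_accepts sub;
    size_t i;

    if (n > 100) {
        n = 100;
    }
    for (i = 0; i < n; i++) {
        headers[i] = "application/pidf+xml";   /* constructed sample value */
    }
    return store_accept_headers(&sub, headers, n);
}
```

Returning the retained count lets the caller distinguish "stored everything" from "hit the cap", which is worth a log line when tuning detection for malformed SUBSCRIBE traffic.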
Joshua Colp [Tue, 20 Feb 2018 16:33:43 +0000 (12:33 -0400)]
chan_sip: Emit a second ringing event to ensure channel is found.
When constructing a dialog-info+xml NOTIFY message a ringing channel
is found if the state is ringing and further information is placed into
the message. Due to the migration to the Stasis message bus this did
not always work as expected.
This change raises a second ringing event in such a way to guarantee
that the event is received by chan_sip and another lookup is done to
find the ringing channel.
Richard Mudgett [Wed, 31 Jan 2018 23:48:46 +0000 (17:48 -0600)]
app_confbridge: ConfbridgeList event has standard channel snapshot headers.
* Made the AMI ConfbridgeList action's ConfbridgeList events output all
the standard channel snapshot headers instead of a few hand-coded channel
snapshot headers. The benefit is that the CallerIDName gets disruptive
characters like CR, LF, Tab, and a few others escaped. However, an empty
CallerIDName is now output as "<unknown>" instead of "<no name>".
Richard Mudgett [Wed, 31 Jan 2018 01:22:51 +0000 (19:22 -0600)]
bridge_softmix.c: Report not talking immediately when muted.
Currently in app_confbridge if someone mutes a channel while that channel
is talking, the talk detection code is suspended while the channel is
muted. As far as an external observer is concerned, the muted channel's
talk status is still "talking" even though the channel is not contributing
audio to the conference bridge. When the channel is later unmuted, it
takes the usual 'dsp_silence_threshold' option time to clear the talking
status even though the channel may have stopped talking while the channel
was muted.
* In bridge_softmix.c, clear the talking status and report talking stopped
if the channel was talking when the channel is muted. When the channel is
unmuted and the channel is still talking then report the channel as
talking since it is contributing audio to the bridge again.
Kevin Harwell [Wed, 20 Dec 2017 22:17:40 +0000 (16:17 -0600)]
AST-2017-014: res_pjsip - Missing contact header can cause crash
Those SIP messages that create dialogs require a contact header to be present.
If the contact header was missing from the message it could cause Asterisk to
crash.
This patch checks to make sure SIP messages that create a dialog contain the
contact header. If the message does not and it is required Asterisk now returns
a "400 Missing Contact header" response. Also added NULL checks when retrieving
the contact header that were missing as a "just in case".
Corey Farrell [Tue, 21 Nov 2017 15:16:24 +0000 (10:16 -0500)]
README: Convert to README.md.
Convert the README file to markdown format, remove the old README. This
causes websites like github to display the README in a much nicer
format with live links. The raw file is still very readable from
plain text editors and terminals.
Joshua Colp [Thu, 30 Nov 2017 16:12:55 +0000 (16:12 +0000)]
AST-2017-012: Place single RTCP report block at beginning of report.
When the RTCP code was transitioned over to Stasis a code change
was made to keep track of how many reports are present. This count
controlled where report blocks were placed in the RTCP report.
If a compound RTCP packet was received this logic would incorrectly
place a report block in the wrong location resulting in a write
to an invalid location.
This change removes this counting logic and always places the report
block at the first position. If in the future multiple reports are
supported the logic can be extended but for now keeping a count
serves no purpose.
This patch does three things associated with the initial incoming INVITE
request URI.
1) Add access to the full initial incoming INVITE request URI.
2) We were not setting DNID on incoming PJSIP channels. The DNID is the
user portion of the initial incoming INVITE Request-URI. The value is
accessed by reading CALLERID(dnid).
3) Fix CHANNEL(pjsip,target_uri) documentation.
* The initial incoming INVITE request URI is now available using
CHANNEL(pjsip,request_uri).
* Set the DNID on PJSIP channel creation so CALLERID(dnid) can return the
initial incoming INVITE request URI user portion.
* CHANNEL(pjsip,target_uri) now correctly documents that the target URI is
the contact URI.
* Refactored print_escaped_uri() out of channel_read_pjsip() to handle
pjsip_uri_print() error condition when the buffer is too small.
Kevin Harwell [Fri, 8 Dec 2017 00:22:34 +0000 (18:22 -0600)]
pjsip_options: contacts sometimes not being updated on reload
For both dynamic and static contacts it was possible that potential AOR
changes were not being applied to all contacts. This was because the qualify
and schedule code was only retrieving AORs, and contacts with frequencies
greater than zero.
For instance the following could happen: an AOR/contact has a frequency of 5,
it then gets set to 0, and then a reload occurs. All scheduled OPTIONS are
stopped, a list of AORs is retrieved with frequency > 0, but none are
selected since in this scenario all are 0. The contact for the one previously
set to 5 though does not get updated, so its status remains "AVAILABLE".
This patch makes it so all contacts (static and dynamic) are selected, and
appropriately updated if need be.
Kevin Harwell [Fri, 8 Dec 2017 00:18:00 +0000 (18:18 -0600)]
pjsip_options: dynamic contact's fields not updated on reload
Dynamic contacts were not being properly updated on reload. As a matter of
fact any changes to the AOR that a dynamic contact was associated with were
not being applied.
On reload, this patch makes it so for each dynamic contact, the associated
AOR is now retrieved and the AOR's fields are applied to the contact.
Richard Mudgett [Wed, 6 Dec 2017 00:04:47 +0000 (18:04 -0600)]
CDR: Fix deadlock setting some CDR values.
Setting channel variables with the AMI Originate action caused a deadlock
when you set CDR(amaflags) or CDR(accountcode). This path has the channel
locked when the CDR function is called. The CDR function then
synchronously passes the job to a stasis thread. The stasis handling
function then attempts to lock the channel. Deadlock results.
* Avoid deadlock by making the CDR function handle setting amaflags and
accountcode directly on the channel rather than passing it off to the CDR
processing code under a stasis thread to do it.
* Made the CHANNEL function and the CDR function process amaflags the same
way.
* Fixed referencing the wrong message type in cdr_prop_write().
Pirmin Walthert [Thu, 16 Nov 2017 08:47:39 +0000 (09:47 +0100)]
res_rtp_asterisk.c: Fix rtp source address learning for broken clients
Some clients do not send rtp packets every ptime ms. This can lead to
situations in which the rtp source learning algorithm will never learn
the address of the client. This has been discovered on a Mac mini with
a pjsip based softphone after updating to Sierra: as soon as USB
headsets are involved, the softphone will send the second packet 30ms
after the first, the third 30ms after the second and the fourth 1ms
after the third. So in the old implementation the rtp source learning
algorithm was repeatedly reset on the fourth packet.
The patch changes the algorithm in a way that doesn't take the arrival
time between two consecutive packets into account but the time between
the first and the last packet of a learning sequence.
The patch also fixes a second problem: when a user was using a wrong
value for the probation setting there was a LOG_WARNING output stating
that the value had been set to the default value instead. However
the code for setting the value back to defaults was missing.
More complicated direct media reinvite negotiations can result in longer
delays before direct media flows. The strictrtp learning timeout time
was too short. One log showed that the first RTP packet came in just
after three seconds.
* Increase the strictrtp learning timeout time from 1.5 to 5 seconds.
George Joseph [Thu, 30 Nov 2017 20:38:50 +0000 (13:38 -0700)]
AST-2017-013: chan_skinny: Call pthread_detach when sess threads end
chan_skinny creates a new thread for each new session. In trying
to be a good cleanup citizen, the threads are joinable and the
unload_module function does a pthread_cancel() and a pthread_join()
on any sessions that are active at that time. This has an
unintended side effect though. Since you can call pthread_join on a
thread that's already terminated, pthreads keeps the thread's
storage around until you explicitly call pthread_join (or
pthread_detach()). Since only the module_unload function was
calling pthread_join, and even then only on the ones active at the
time, the storage for every thread/session ever created sticks
around until asterisk exits.
* A thread can detach itself so the session_destroy() function
now calls pthread_detach() just before it frees the session
memory allocation. The module_unload function still takes care
of the ones that are still active should the module be unloaded.
George Joseph [Fri, 10 Nov 2017 16:37:16 +0000 (09:37 -0700)]
bundled_pjproject: sip_parser: Fix return code in pjsip_find_msg
The default return code for pjsip_find_msg was PJ_SUCCESS so if
a Content-Length header wasn't found at all, pjsip_find_msg was
returning PJ_SUCCESS instead of PJSIP_EMISSINGHDR.
Also added the volatile keyword to a few variables that are used
both inside and outside the PJ_TRY/PJ_CATCH block.
Joshua Colp [Fri, 10 Nov 2017 13:06:38 +0000 (13:06 +0000)]
pjsip: Add patch to allow all transports to be destroyed.
If a transport is created with the same transport type, source
IP address, and source port as one that already exists the old
transport is moved into a linked list called "tp_list".
If this old transport is later shutdown it will not be destroyed
as the process checks whether the transport is valid or not. This
check does not look at the "tp_list" when making the determination
causing the transport to not be destroyed.
This change updates the logic to query not just the main storage
method for transports but also the "tp_list".
Kevin Harwell [Thu, 19 Oct 2017 18:35:16 +0000 (13:35 -0500)]
AST-2017-011 - res_pjsip_session: session leak when a call is rejected
A previous commit made it so when an invite session transitioned into a
disconnected state destruction of the Asterisk pjsip session object was
postponed until either a transport error occurred or the event timer
expired. However, if a call was rejected (for instance a 488) before the
session was fully established the event timer may not have been initiated,
or it was canceled without triggering either of the session finalizing states
mentioned above.
Really the only time destruction of the session should be delayed is when a
BYE is being transacted. This is because it's possible in some cases for the
session to be disconnected, but the BYE is still transacting.
This patch makes it so the session object always gets released (no more
memory leak) when the pjsip session is in a disconnected state. Except when
the method is a BYE. Then it waits until a transport error occurs or an event
timeout.
cdr_object_update_party_b_userfield_cb() could overrun the fixed buffer if
the supplied string is too long. The long string could be supplied by
external means using the CDR(userfield) function.
This may seem reminiscent of AST-2017-001 (ASTERISK_26897) and it is. The
earlier patch fixed the buffer overrun for Party A's userfield while this
patch fixes the same thing for Party B's userfield.
George Joseph [Thu, 19 Oct 2017 18:53:32 +0000 (12:53 -0600)]
AST-2017-009: pjproject: Add validation of numeric header values
Parsing the numeric header fields like cseq, ttl, port, etc. all
had the potential to overflow, either causing unintended values to
be captured or, if the values were subsequently converted back to
strings, a buffer overrun. To address this, new "strto" functions
have been created that do range checking and those functions are
used wherever possible in the parser.
* Created pjlib/include/limits.h and pjlib/include/compat/limits.h
to either include the system limits.h or define common numeric
limits if there is no system limits.h.
* Created strto*_validate functions in sip_parser that take bounds
and on failure call the on_str_parse_error function which prints
an error message and calls PJ_THROW.
* Updated sip_parser to validate the numeric fields.
* Fixed an issue in sip_transport that prevented error messages
from being properly displayed.
* Added "volatile" to some variables referenced in PJ_CATCH blocks
as the optimizer was sometimes optimizing them away.
* Fixed length calculation in sip_transaction/create_tsx_key_2543
to account for signed ints being 11 characters, not 9.
ASTERISK-27319
Reported by: Youngsung Kim at LINE Corporation
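An added example of the range-checking idea behind this advisory, written for this page and not taken from pjproject's `strto*_validate` functions: a bounded decimal parser built on `strtol` that rejects non-digit input, overflow, and values outside a per-field range, with wrappers whose bounds (a 32-bit CSeq, a 16-bit port, an 8-bit TTL) are assumptions made for the example. The last function shows the width correction from the final bullet: a signed 32-bit int needs 11 characters, not 9.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes, constructed for this illustration. */
enum parse_status { PARSE_OK = 0, PARSE_EINVAL = 1, PARSE_ERANGE = 2 };

/* Convert a decimal header field to a long, rejecting anything that is not
 * wholly digits, that overflows strtol, or that falls outside [min, max].
 * Illustrates the range-checking idea; not pjproject's own code. */
static enum parse_status strto_validate(const char *s, size_t len,
                                        long min, long max, long *out)
{
    char buf[32];
    char *end;
    long v;

    if (len == 0 || len >= sizeof buf) {
        return PARSE_EINVAL;      /* empty or implausibly long field */
    }
    memcpy(buf, s, len);
    buf[len] = '\0';

    /* strtol would skip leading whitespace and accept a '+'; a header field
     * is required here to start with a digit or '-'. */
    if (!isdigit((unsigned char)buf[0]) && buf[0] != '-') {
        return PARSE_EINVAL;
    }

    errno = 0;
    v = strtol(buf, &end, 10);
    if (*end != '\0') {
        return PARSE_EINVAL;      /* no digits, or trailing garbage such as "12a" */
    }
    if (errno == ERANGE || v < min || v > max) {
        return PARSE_ERANGE;      /* overflow, or outside the field's bounds */
    }
    *out = v;
    return PARSE_OK;
}

/* Field-specific wrappers with the bounds each field is allowed to carry
 * (assumed for the example). */
static enum parse_status parse_cseq(const char *s, long *out)
{
    return strto_validate(s, strlen(s), 0, INT_MAX, out);   /* 32-bit CSeq */
}

static enum parse_status parse_port(const char *s, long *out)
{
    return strto_validate(s, strlen(s), 0, 65535, out);
}

static enum parse_status parse_ttl(const char *s, long *out)
{
    return strto_validate(s, strlen(s), 0, 255, out);
}

/* Characters needed to print a signed 32-bit int in decimal, which is the
 * length the commit corrected from 9 to 11 ("-2147483648" is 11 characters). */
static int int_decimal_width(int v)
{
    return snprintf(NULL, 0, "%d", v);
}
```

The point of the per-field wrappers is that "parses as a number" is not the check that matters; each field has its own legal range, and a value that is numerically valid but out of range is exactly what later overflows a fixed buffer when printed back.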
Richard Mudgett [Mon, 6 Nov 2017 22:37:49 +0000 (16:37 -0600)]
res_pjsip_registrar.c: Fix named AOR and pjproject group deadlock.
One of the patches for ASTERISK_27147 introduced a deadlock regression.
When the connection oriented transport shut down, the code attempted to
remove the associated contact. However, that same transport had just
requested a registration that we hadn't responded to yet. Depending
upon timing we could deadlock.
* Made the code send the REGISTER response after we completed processing the
request contacts and released the named AOR lock to avoid the deadlock.
Ben Ford [Wed, 1 Nov 2017 16:12:45 +0000 (11:12 -0500)]
res_pjsip: Add to list of valid characters for from_user.
Fixes a regression where some characters were unable to be used in
the from_user field of an endpoint. Additionally, the backtick was
removed from the list of valid characters, since it is not valid,
and it was replaced with a single quote, which is a valid character.
Kevin Harwell [Mon, 30 Oct 2017 20:24:53 +0000 (15:24 -0500)]
Initialize 13.18-cert branch
A new branch was created for what will be Asterisk certified 13.18. A couple
of things needed to be done to the branch in order to complete initialization:
Modified the version file to reflect the certified version.
Updated all extended modules to be disabled by default.
Joshua Colp [Sun, 22 Oct 2017 22:32:20 +0000 (19:32 -0300)]
res_xmpp: Ensure the connection filter is available.
Users of the API that res_xmpp provides expect that a
filter be available on the client at all times. When
OAuth authentication support was added this requirement
was not maintained.
This change merely moves the OAuth authentication to
after the filter is created, ensuring users of res_xmpp
can add things to the filter as needed.
Ben Ford [Mon, 23 Oct 2017 18:42:27 +0000 (13:42 -0500)]
http.c: Fix http header send content.
Currently ast_http_send barricades a portion of the content that
needs to be sent in order to establish a connection for things
like the ARI client. The conditional and contents have been changed
to ensure that everything that needs to be sent, will be sent.
Daniel Tryba [Fri, 6 Oct 2017 09:55:38 +0000 (11:55 +0200)]
res_pjsip_session: Prevent user=phone being added to anonymized URIs.
Move ast_sip_add_usereqphone to be called after anonymization of URIs,
to prevent the user_eq_phone adding "user=phone" to URIs containing a
username that is not a phone number (RFC3261 19.1.1). An extra call to
ast_sip_add_usereqphone on the saved version before anonymization is
added to add "user=phone" to the PAI.
Daniel Tryba [Fri, 6 Oct 2017 10:14:40 +0000 (12:14 +0200)]
res_pjsip: Prevent "user=phone" being added multiple times to header
ast_sip_add_usereqphone adds "user=phone" to the header every time it is
called without checking whether the param already exists. Preventing
this by searching the string representation of the header for "user=phone".
George Joseph [Wed, 11 Oct 2017 12:03:41 +0000 (06:03 -0600)]
chan_vpb: Fix a gcc 7 out-of-bounds complaint
chan_vpb was trying to use sizeof(*p->play_dtmf), where
p->play_dtmf is defined as char[16], to get the length of the array
but since p->play_dtmf is an actual array, sizeof(*p->play_dtmf)
returns the size of the first array element, which is 1. gcc7
validly complains because the context in which it's used could
cause an out-of-bounds condition.
Sean Bright [Tue, 10 Oct 2017 17:01:05 +0000 (13:01 -0400)]
app_originate: Set ORIGINATE_STATUS correctly on failure
We were ignoring the return value from ast_pbx_outgoing_exten() and
ast_pbx_outgoing_app() which could fail before setting the reason code.
This resulted in failures being reported as success.