asterisk

Commit Graph

Author	SHA1	Message	Date
Sean Bright	388d286fc8	AST-2018-009: Fix crash processing websocket HTTP Upgrade requests The HTTP request processing in res_http_websocket allocates additional space on the stack for various headers received during an Upgrade request. An attacker could send a specially crafted request that causes this code to overflow the stack, resulting in a crash. * No longer allocate memory from the stack in a loop to parse the header values. NOTE: There is a slight API change when using the passed in strings as is. We now require the passed in strings to no longer have leading or trailing whitespace. This isn't a problem as the only callers have already done this before passing the strings to the affected function. ASTERISK-28013 #close Change-Id: Ia564825a8a95e085fd17e658cb777fe1afa8091a	7 years ago
George Joseph	0caafce7ce	test.c: Make output jUnit compatible Separate "name" into "classname" and "name". Use '.' for classname separator instead of '/'. Prefix reserved words with '_'. Wrap output with a top-level "testsuites" element. Change-Id: Iec1a985eba1c478e5c1d65d5dfd95cb708442099	7 years ago
Richard Mudgett	e01e83d4fc	AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses. When endpoint specific ACL rules block a SIP request they respond with a 403 forbidden. However, if an endpoint is not identified then a 401 unauthorized response is sent. This vulnerability just discloses which requests hit a defined endpoint. The ACL rules cannot be bypassed to gain access to the disclosed endpoints. * Made endpoint specific ACL rules now respond with a 401 unauthorized which is the same as if an endpoint were not identified. The fix is accomplished by replacing the found endpoint with the artificial endpoint which always fails authentication. ASTERISK-27818 Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32	7 years ago
Kevin Harwell	462842488f	Merge "AST-2018-003: Crash with an invalid SDP fmtp attribute" into 14	7 years ago
Kevin Harwell	d9c9fd2bfd	Merge "AST-2018-002: Crash with an invalid SDP media format description" into 14	7 years ago
George Joseph	591d6e2cd4	Merge "AST-2018-005: res_pjsip_transport_management: Move to core" into 14	7 years ago
George Joseph	1a8b7e5203	Merge "AST-2018-005: Fix tdata leaks when calling pjsip_endpt_send_response(2)" into 14	7 years ago
George Joseph	18f04820b2	Merge "AST-2018-005: Add a check for NULL tdata in ast_sip_failover_request" into 14	7 years ago
Kevin Harwell	f5343d6133	AST-2018-003: Crash with an invalid SDP fmtp attribute pjproject's fmtp retrieval function failed to catch invalid fmtp attributes. Because of this Asterisk would crash if given an SDP with an invalid fmtp attribute. When retrieving the format this patch now makes sure the fmtp attribute is available. If not available it now returns an error status. ASTERISK-27583 #close Change-Id: I5cebe000ce2d846cae3af33b6d72c416e51caf2f	7 years ago
Kevin Harwell	35271eaa78	AST-2018-002: Crash with an invalid SDP media format description pjproject's media format parsing algorithm failed to catch invalid values. Because of this Asterisk would crash if given an SDP with a invalid media format description. When parsing the media format description this patch now properly parses the value and returns an error status if it can't successfully parse/convert the value. ASTERISK-27582 #close Change-Id: I883b3a4ef85b6972397f7b56bf46c5779c55fdd6	7 years ago
George Joseph	bca7b85182	AST-2018-005: res_pjsip_transport_management: Move to core Since res_pjsip_transport_management provides several attack mitigation features, its functionality moved to res_pjsip and this module has been removed. This way the features will always be available if res_pjsip is loaded. ASTERISK-27618 Reported By: Sandro Gauci Change-Id: I21a2d33d9dda001452ea040d350d7a075f9acf0d	7 years ago
George Joseph	3a585794e1	AST-2018-005: Fix tdata leaks when calling pjsip_endpt_send_response(2) pjsip_distributor: authenticate() creates a tdata and uses it to send a challenge or failure response. When pjsip_endpt_send_response2() succeeds, it automatically decrements the tdata ref count but when it fails, it doesn't. Since we weren't checking for a return status, we weren't decrementing the count ourselves on error and were therefore leaking tdatas. res_pjsip_session: session_reinvite_on_rx_request wasn't decrementing the ref count if an error happened while sending a 491 response. pre_session_setup wasn't decrementing the ref count if while sending an error after a pjsip_inv_verify_request failure. res_pjsip: ast_sip_send_response wasn't decrementing the ref count on error. ASTERISK-27618 Reported By: Sandro Gauci Change-Id: Iab33a6c7b6fba96148ed465b690ba8534ac961bf	7 years ago
George Joseph	be70eabab0	AST-2018-005: Add a check for NULL tdata in ast_sip_failover_request It was discovered that there are some corner cases where a pjsip tsx might have no last_tx so calling ast_sip_failover_request with a NULL last_tx as its tdata would cause a crash. ASTERISK-27618 Reported By: Sandro Gauci Change-Id: Ic2b63f6d4ae617c4c19dcdec2a7a6156b54fd15b	7 years ago
Joshua Colp	7926348626	AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE. When receiving a SUBSCRIBE request the Accept headers from it are stored locally. This operation has a fixed limit of 32 Accept headers but this limit was not enforced. As a result it was possible for memory outside of the allocated space to get written to resulting in a crash. This change enforces the limit so only 32 Accept headers are processed. ASTERISK-27640 Reported By: Sandro Gauci Change-Id: I99a814b10b554b13a6021ccf41111e5bc95e7301	7 years ago
Kevin Harwell	f6757b1d60	AST-2017-014: res_pjsip - Missing contact header can cause crash Those SIP messages that create dialogs require a contact header to be present. If the contact header was missing from the message it could cause Asterisk to crash. This patch checks to make sure SIP messages that create a dialog contain the contact header. If the message does not and it is required Asterisk now returns a "400 Missing Contact header" response. Also added NULL checks when retrieving the contact header that were missing as a "just in case". ASTERISK-27480 #close Change-Id: I1810db87683fc637a9e3e1384a746037fec20afe	7 years ago
Joshua Colp	fb18797ae0	AST-2017-012: Place single RTCP report block at beginning of report. When the RTCP code was transitioned over to Stasis a code change was made to keep track of how many reports are present. This count controlled where report blocks were placed in the RTCP report. If a compound RTCP packet was received this logic would incorrectly place a report block in the wrong location resulting in a write to an invalid location. This change removes this counting logic and always places the report block at the first position. If in the future multiple reports are supported the logic can be extended but for now keeping a count serves no purpose. ASTERISK-27382 ASTERISK-27429 Change-Id: Iad6c8a9985c4b608ef493e19c421211615485116	7 years ago
George Joseph	6dca42879c	AST-2017-013: chan_skinny: Call pthread_detach when sess threads end chan_skinny creates a new thread for each new session. In trying to be a good cleanup citizen, the threads are joinable and the unload_module function does a pthread_cancel() and a pthread_join() on any sessions that are active at that time. This has an unintended side effect though. Since you can call pthread_join on a thread that's already terminated, pthreads keeps the thread's storage around until you explicitly call pthread_join (or pthread_detach()). Since only the module_unload function was calling pthread_join, and even then only on the ones active at the tme, the storage for every thread/session ever created sticks around until asterisk exits. * A thread can detach itself so the session_destroy() function now calls pthread_detach() just before it frees the session memory allocation. The module_unload function still takes care of the ones that are still active should the module be unloaded. ASTERISK-27452 Reported by: Juan Sacco Change-Id: I9af7268eba14bf76960566f891320f97b974e6dd	8 years ago
Kevin Harwell	e394ecc961	Merge "res_pjsip_registrar.c: Fix AOR and pjproject group deadlock." into 14	8 years ago
George Joseph	56c0034c97	Merge "AST-2017-009: pjproject: Add validation of numeric header values" into 14	8 years ago
George Joseph	62c3a68c27	Merge "AST-2017-011 - res_pjsip_session: session leak when a call is rejected" into 14	8 years ago
George Joseph	e2395dbc1f	AST-2017-009: pjproject: Add validation of numeric header values Parsing the numeric header fields like cseq, ttl, port, etc. all had the potential to overflow, either causing unintended values to be captured or, if the values were subsequently converted back to strings, a buffer overrun. To address this, new "strto" functions have been created that do range checking and those functions are used wherever possible in the parser. * Created pjlib/include/limits.h and pjlib/include/compat/limits.h to either include the system limits.h or define common numeric limits if there is no system limits.h. * Created strto_validate functions in sip_parser that take bounds and on failure call the on_str_parse_error function which prints an error message and calls PJ_THROW. Updated sip_parser to validate the numeric fields. * Fixed an issue in sip_transport that prevented error messages from being properly displayed. * Added "volatile" to some variables referenced in PJ_CATCH blocks as the optimizer was sometimes optimizing them away. * Fixed length calculation in sip_transaction/create_tsx_key_2543 to account for signed ints being 11 characters, not 9. ASTERISK-27319 Reported by: Youngsung Kim at LINE Corporation Change-Id: I48de2e4ccf196990906304e8d7061f4ffdd772ff	8 years ago
Kevin Harwell	6032fb973b	AST-2017-011 - res_pjsip_session: session leak when a call is rejected A previous commit made it so when an invite session transitioned into a disconnected state destruction of the Asterisk pjsip session object was postponed until either a transport error occurred or the event timer expired. However, if a call was rejected (for instance a 488) before the session was fully established the event timer may not have been initiated, or it was canceled without triggering either of the session finalizing states mentioned above. Really the only time destruction of the session should be delayed is when a BYE is being transacted. This is because it's possible in some cases for the session to be disconnected, but the BYE is still transacting. This patch makes it so the session object always gets released (no more memory leak) when the pjsip session is in a disconnected state. Except when the method is a BYE. Then it waits until a transport error occurs or an event timeout. ASTERISK-27345 #close Reported by: Corey Farrell Change-Id: I1e724737b758c20ac76d19d3611e3d2876ae10ed	8 years ago
Richard Mudgett	9670040e2e	AST-2017-010: Fix cdr_object_update_party_b_userfield_cb() buf overrun cdr_object_update_party_b_userfield_cb() could overrun the fixed buffer if the supplied string is too long. The long string could be supplied by external means using the CDR(userfield) function. This may seem reminiscent to AST-2017-001 (ASTERISK_26897) and it is. The earlier patch fixed the buffer overrun for Party A's userfield while this patch fixes the same thing for Party B's userfield. ASTERISK-27337 Change-Id: I0fa767f65ecec7e676ca465306ff9e0edbf3b652	8 years ago
Richard Mudgett	84983c1222	res_pjsip_registrar.c: Fix AOR and pjproject group deadlock. One of the patches for ASTERISK_27147 introduced a deadlock regression. When the connection oriented transport shut down, the code attempted to remove the associated contact. However, that same transport had just requested a registration that we hadn't responded to yet. Depending upon timing we could deadlock. * Made send the REGISTER response after we completed processing the request contacts and released the AOR lock to avoid the deadlock. ASTERISK-27391 Change-Id: I89a90f87cb7a02facbafb44c75d8845f93417364	8 years ago
Ben Ford	9c7c441a0f	res_pjsip: Add to list of valid characters for from_user. Fixes a regression where some characters were unable to be used in the from_user field of an endpoint. Additionally, the backtick was removed from the list of valid characters, since it is not valid, and it was replaced with a single quote, which is a valid character. ASTERISK-27387 Change-Id: Id80c10a644508365c87b3182e99ea49da11b0281	8 years ago
Joshua Colp	4f05474753	Merge "http.c: Fix http header send content." into 14	8 years ago
Joshua Colp	a71adfaa24	res_xmpp: Ensure the connection filter is available. Users of the API that res_xmpp provides expect that a filter be available on the client at all times. When OAuth authentication support was added this requirement was not maintained. This change merely moves the OAuth authentication to after the filter is created, ensuring users of res_xmpp can add things to the filter as needed. ASTERISK-27346 Change-Id: I4ac474afe220e833288ff574e32e2b9a23394886 (cherry picked from commit `07e17fd04f`)	8 years ago
Ben Ford	599af60d46	http.c: Fix http header send content. Currently ast_http_send barricades a portion of the content that needs to be sent in order to establish a connection for things like the ARI client. The conditional and contents have been changed to ensure that everything that needs to be sent, will be sent. ASTERISK-27372 Change-Id: I8816d2d8f80f4fefc6dcae4b5fdfc97f1e46496d	8 years ago
Kevin Harwell	dae71acdc4	AMI: Increase version number Bump the AMI patch number since the following new addition was made: * Added a new CancelAtxfer action that cancels an attended transfer. Change-Id: I9bac528791bd62ef0e99243903b6bc7a6c7ab182	8 years ago
Joshua Colp	cf21116e3f	Merge "features, manager : Add CancelAtxfer AMI action" into 14	8 years ago
Joshua Colp	06ccb8ce1e	Merge "res_pjsip_session: Prevent user=phone being added to anonimized URIs." into 14	8 years ago
Thomas Sevestre	2a1d7f97d6	features, manager : Add CancelAtxfer AMI action Add action to cancel feature attended transfer with AMI interface ASTERISK-27215 #close Change-Id: Iab8a81362b5a1757e2608f70b014ef863200cb42	8 years ago
Jenkins2	db108c6fa4	Merge "sorcery: Use ao2_weakproxy to hold list of instances." into 14	8 years ago
Daniel Tryba	58c071e7ca	res_pjsip_session: Prevent user=phone being added to anonimized URIs. Move ast_sip_add_usereqphone to be called after anonymization of URIs, to prevent the user_eq_phone adding "user=phone" to URIs containing a username that is not a phonenumber (RFC3261 19.1.1). An extra call to ast_sip_add_usereqphone on the saved version before anonymization is added to add user=phone" to the PAI. ASTERISK-27047 #close Change-Id: Ie5644bc66341b86dc08b1f7442210de2e6acdec6	8 years ago
Jenkins2	afb7c50055	Merge "named_locks: Use ao2_weakproxy_find." into 14	8 years ago
Joshua Colp	765dfdc529	Merge "astobj2: Add ao2_weakproxy_find function." into 14	8 years ago
Jenkins2	0a54ccf56a	Merge "astobj2: Run weakproxy callbacks outside of lock." into 14	8 years ago
Jenkins2	6446950c38	Merge "cdr.c: Defer misc checks." into 14	8 years ago
Tzafrir Cohen	ce71acf9ca	cdr_mysql: avoid releasing a config string Fixes a memory corruption issue after a reload of cdr_mysql. Issue was accidentally included in `747beb1ed1` . ASTERISK-27270 #close Change-Id: I90b6a9d18710c0f9009466370bd5f4bac5d5d12e	8 years ago
Jenkins2	e1009588a5	Merge "chan_vpb: Fix a gcc 7 out-of-bounds complaint" into 14	8 years ago
Jenkins2	304403fe11	Merge "app_originate: Set ORIGINATE_STATUS correctly on failure" into 14	8 years ago
Richard Mudgett	ef2f8a66dc	cdr.c: Defer misc checks. Try to defer some checks until needed in case there is an early exit. Change-Id: Ibc6b34c38a4f60ad4f9b67984b7d070a07257064	8 years ago
Jenkins2	165fdf2a66	Merge "cdr.c: Eliminated simple RAII_VAR usages." into 14	8 years ago
George Joseph	5bdad97458	chan_vpb: Fix a gcc 7 out-of-bounds complaint chan_vpb was trying to use sizeof(p->play_dtmf), where p->play_dtmf is defined as char[16], to get the length of the array but since p->play_dtmf is an actual array, sizeof(p->play_dtmf) returns the size of the first array element, which is 1. gcc7 validly complains because the context in which it's used could cause an out-of-bounds condition. Change-Id: If9c4bfdb6b02fa72d39e0c09bf88900663c000ba	8 years ago
Corey Farrell	b6defc6746	sorcery: Use ao2_weakproxy to hold list of instances. Store weak proxy objects in instances container. Change-Id: I5a150a4e13cee319d46b5a4654f95a4623a978f8	8 years ago
Jenkins2	f3f3dcbf9e	Merge "res_pjsip_registrar.c: Update remove_existing AOR contact handling." into 14	8 years ago
Corey Farrell	fa3aa3417b	named_locks: Use ao2_weakproxy_find. Change-Id: I0ce8a1b7101b6caac6a19f83a89f00eaba1e9d9c	8 years ago
Corey Farrell	722d443275	astobj2: Add ao2_weakproxy_find function. This function finds a weak proxy in an ao2_container and returns the real object associated with it. Change-Id: I9da822049747275f5961b5c0a7f14e87157d65d8	8 years ago
Corey Farrell	aadfc09edd	astobj2: Run weakproxy callbacks outside of lock. Copy the list of weakproxy callbacks to temporary memory so they can be run without holding the weakproxy lock. Change-Id: Ib167622a8a0f873fd73938f7611b2a5914308047	8 years ago
Sean Bright	1541e2c70a	app_originate: Set ORIGINATE_STATUS correctly on failure We were ignoring the return value from ast_pbx_outgoing_exten() and ast_pbx_outgoing_app() which could fail before setting the reason code. This resulted in failures being reported as success. ASTERISK-25266 #close Reported by: Allen Ford Change-Id: Idf16237b7e41b527d2c69c865829128686beeb3b	8 years ago

1 2 3 4 5 ...

29658 Commits (14) All Branches Search

29658 Commits (14)

All Branches