Using an array in this context (to return a list of call IDs) is mostly
pointless as it wastes memory and incurs the additional overhead of
having to initialise the array and an extra layer of copying strings
around. This also eliminates the auxiliary type `med_callid_t` and
ultimately allows us to dynamically append to the list of call IDs
without having to reallocate the array.
Use g_strdup for string allocation as it guarantees a non-NULL return
value.
Change-Id: Iae6c97f80c216352ab36de89d361f09ee355b6c8
We are migrating from redis to keydb so for now we need to support both
so we should not depend on specific key-value storage in unit file but
should use database.key_value.flavor value in override file.
But we can't redefine dependencies in override file just add additional
ones. So remove it from unit file.
Change-Id: I16e94e938bd9f1da14e1068bc6b94485b08a4ca5
As the number of subscribers grows, the current approach of doing a full
table dump of the subscribers DB and caching it in memory becomes less
and less feasible. The new approach is to simply do a straight DB query
for each subscriber as records are processed, and then cache the result
in memory for a little while.
Change-Id: I19a6271d779bd0abccc29e3548e7bcdb2e00baa3
ubuntu-20.04 doesn't provide debhelper-compat (= 13), therefore fails with:
| The following packages have unmet dependencies:
| builddeps:. : Depends: debhelper-compat (= 13)
| E: Unable to correct problems, you have held broken packages.
Let's switch from ubuntu-20.04 to ubuntu-latest, which
currently still points to ubuntu-20.04, but should reduce
our maintenance efforts.
Furthermore enabled the ubuntu-cloud-archive/yoga-staging PPA,
which provides a backport of debhelper v13:
https://launchpad.net/~ubuntu-cloud-archive/+archive/ubuntu/yoga-staging/+packages
and fixes our failing coverity builds on github.
Change-Id: I3bba166843f164b67b90c403cc772dfd939eeae7
Using apt-get with `-qq` displays only the following message
on package installation problems:
| E: Unable to correct problems, you have held broken packages.
Whereas with `-q`, we get the actual underlying problem, being:
| The following packages have unmet dependencies:
| builddeps:. : Depends: debhelper-compat (= 13)
| E: Unable to correct problems, you have held broken packages.
Change-Id: Ibadc483f1cb324c83d7616d009bcc932876a25a3
Use a macro in combination with an included file to define the list of
all string fields used in the CDR struct.
Change-Id: Ic0b93c005b792eadf00544768c74382fa3307577
We cannot overwrite the reallocated variable, otherwise on failure we
leak it.
Change-Id: I541537ade71086c9ceb851d8c5223364e3908b07
Warned-by: cppcheck (memleakOnRealloc)
While the code is not threaded, better be future-proof and use safer
APIs, which in addition has less side-effects as it does not set the
global TZ related variables.
Change-Id: I57fbe6683590cc2fbc0da508819553c040764739
Warned-by: lgtm
Whether a bit-field is signed or unsigned is implementation specific, so
we should be explicit about this.
Change-Id: I8bce847d6ece3d08fc93fa77227f6f970d1353de
Warned-by: lgtm
On Debian buster the latter contains transitive dependencies in Libs,
instead of in Libs.private, which leaks linking implementation details.
Change-Id: Ia131fe82444b8c2204976df75be047ab6d17c561
We need readonly access to /dev/urandom, otherwise the rand()
calls might fail, as seen in kamailio-config-tests.
Change-Id: Id132191994ae5fe74ec3ebb7d34a4a5d50769dbc
Thanks: Victor Seva for reporting
In carrier environments we have foreign DB hosts
configured in /etc/ngcp-mediator/ngcp-mediator.conf,
therefore we can't easily apply IP address filtering.
JFTR, new and current systemd hardening state for ngcp-mediator:
| $ sudo COLUMNS=142 systemd-analyze security ngcp-mediator | grep -v '✓'
| NAME DESCRIPTION EXPOSURE
| ✗ PrivateNetwork= Service has access to the host's … 0.5
| ✗ User=/DynamicUser= Service runs as root user 0.4
| ✗ RestrictAddressFamilies=~AF_(INET… Service may allocate Internet soc… 0.3
| ✗ RestrictAddressFamilies=~… Service may allocate exotic socke… 0.3
| ✗ DeviceAllow= Service has a device ACL with som… 0.1
| ✗ IPAddressDeny= Service does not define an IP add… 0.2
| ✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet socke… 0.2
| ✗ SystemCallFilter=~@privileged System call whitelist defined for… 0.2
| ✗ RestrictAddressFamilies=~AF_NETLI… Service may allocate netlink sock… 0.1
| ✗ RootDirectory=/RootImage= Service runs within the host's ro… 0.1
| SupplementaryGroups= Service runs as root, option does…
| RemoveIPC= Service runs as root, option does…
| ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
|
| → Overall exposure level for ngcp-mediator.service: 2.1 OK 🙂
Change-Id: I0e7c474eddd5d4d4c77b9bda157448294ed0a5c4
ngcp-mediator service state BEFORE this change:
| $ systemd-analyze security ngcp-mediator | tail -1
| → Overall exposure level for ngcp-mediator.service: 9.5 UNSAFE 😨
ngcp-mediator service state AFTER this change:
| $ sudo COLUMNS=142 systemd-analyze security ngcp-mediator | grep -v '✓'
| NAME DESCRIPTION EXPOSURE
| ✗ PrivateNetwork= Service has access to the host's network 0.5
| ✗ User=/DynamicUser= Service runs as root user 0.4
| ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
| ✗ RestrictAddressFamilies=~… Service may allocate exotic sockets 0.3
| ✗ DeviceAllow= Service has a device ACL with some special devices 0.1
| ✗ IPAddressDeny= Service defines IP address whitelits with only localhost entries 0.1
| ✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet sockets 0.2
| ✗ SystemCallFilter=~@privileged System call whitelist defined for service, and @privileged is included 0.2
| ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
| ✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
| SupplementaryGroups= Service runs as root, option does not matter
| RemoveIPC= Service runs as root, option does not apply
| ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
|
| → Overall exposure level for ngcp-mediator.service: 2.0 OK 🙂
Change-Id: If33c303b9df465393f15c0b685d1aab54a465df6
We only ever go into the error handling code before malloc has
succeeded, which means ‘entries’ will always be NULL.
Change-Id: Iaedd1ac668249b0e4516f782c24a2f420e8682a5
Warned-by: coverity
While MariaDB uses my_bool here, MySQL uses the standard bool type. Both
are compatible, so use the more standard one.
Change-Id: I648bc8eb55f7617f6b4eb796a33bc77ce15ca34b
We need to respect user-controlled variables and only append to them
whatever we require for the build.
Change-Id: Ie86415863f806e2c76b6a47929c65aafc0a2d177
With the increased length of src/dst_leg strings, we must also increase
the buffer size for the insert string.
Did I mention that we should really move to dynamic strings here...
Change-Id: I0e77155d36f434055e36124d37bf699179f887b1
This is relevant for records coming from Redis, as the insertion into
the trash and backup tables is done from the strings kept in memory.
Change-Id: I1398f7bfc0d4a0c2da8b8104dc4589ea9d983da7
(cherry picked from commit 6e957e69b7)
/var/lock was deprecated with Debian/wheezy (see
https://wiki.debian.org/ReleaseGoals/RunDirectory), so
/var/lock/mediator.lock is actually /run/lock/mediator.lock.
Reflect this in the definition of MEDIATOR_LOCK_FILE.
Change-Id: If50a5fdcfafb289d59ae828f750388e103b5b3ad