|Tags||communication conferencing telephony sip|
15.7.406 Sep 2019 13:25 minor feature: AST-2019-004 - res_pjsip_t38.c: Add NULL checks before using session media After receiving a 200 OK with a declined stream in response to a T.38 initiated re-invite Asterisk would crash when attempting to dereference a NULL session media object. This patch checks to make sure the session media object is not NULL before attempting to use it.
15.7.312 Jul 2019 14:05 minor feature: Res_pjsip_messaging: Check for body in in-dialog message We now check that a body exists and it has a length 0 before. Attempting to process it. chan_sip: Handle invalid SDP answer to T.38 re-invite The chan_sip module performs a T.38 re-invite using a single media. Stream of udptl, and expects the SDP answer to be the same. If an SDP answer is received instead that contains an additional. Media stream with no joint codec a crash will occur as the code Assumes that at least one joint codec will exist in this Scenario. This change removes this assumption.
15.7.201 Mar 2019 23:45 minor feature: Res_pjsip_sdp_rtp: return code from apply_negotiated_sdp_stream Apply_negotiated_sdp_stream was returning a "1" when no joint. Capabilities were found on an outgoing call instead of a "-1". This indicated to res_pjsip_session that the handler DID handle. The sdp when in fact it didn't. Without the appropriate setup, a subsequent media frame coming in would have an invalid stream_num. And cause a seg fault when the stream was attempted to be retrieved. Apply_negotiated_sdp_stream now returns the correct "-1" and any. Media is now discarded before it reaches the core stream processing. CI: Update jenkinsfiles with new Gerrit URLs The recent upgrade of Gerrit to 2.16 elimiated referencing a. Repository in a way the jenkinsfiles were relying on so The URL references were changed to a more consistent and supported Format.
15.7.128 Dec 2018 02:45 minor feature: Revert "stasis_cache: Stop caching stasis subscription change messages" This reverts commit ad961fd7c3313f989d6fa16ba2fc9b138cee4cb5. This commit caused with polling when combined with the revert commit "Revert "app_voicemail: Remove need to subscribe to stasis".
15.7.013 Dec 2018 07:05 minor feature:
15.6.215 Nov 2018 03:25 minor feature: AST-2018-010: length of buffer needed for SRV and NAPTR results When dn_expand was being called on SRV and NAPTR results, the. Return value was being used to calculate the size of the buffer Needed to store the host names. Since dn_expand returns the Length of the COMPRESSED name the buffer could be too short to hold the EXPANDED name. The expanded name is NULL terminated so using strlen() is the correct way to determine the length. Actually needed for the buffer. CI: Add --test-timeout option to runTestsuite.sh The default is 600 seconds. Also added timeouts to the *TestGroups.json files.
15.6.122 Sep 2018 10:45 minor feature: AST-2018-009: crash processing websocket HTTP Upgrade requests The HTTP request processing in res_http_websocket allocates additional. Space on the stack for various headers received during an Upgrade request. An attacker could send a specially crafted request that causes this code to overflow the stack, resulting in a crash. No longer allocate memory from the stack in a loop to parse the header. Values. NOTE: There is a slight API change when using the passed in Strings as is. We now require the passed in strings to no longer have Leading or trailing whitespace. This isn't a problem as the only callers Have already done this before passing the strings to the affected Function. CI: typo in testsuite git checkout CI: Use proper credentials for Security testsuite checkout. Can't do anonymous http checkout from Security-testsuite. Need to use same credentials as the gerrit review checkout.
15.6.007 Sep 2018 10:25 minor feature:
15.5.013 Jul 2018 20:05 minor feature:
15.4.113 Jun 2018 13:25 minor feature: Update for 15.4.1 AST-2018-008: enumeration of endpoints from ACL rejected addresses. When endpoint specific ACL rules block a SIP request they respond with a 403 forbidden. However, if an endpoint is not identified then a 401. Unauthorized response is sent. This vulnerability just diswhich Requests hit a defined endpoint. The ACL rules cannot be bypassed to gain Access to the disendpoints. Made endpoint specific ACL rules now respond with a 401 unauthorized. Which is the same as if an endpoint were not identified. The is Accomplished by replacing the found endpoint with the artificial endpoint Which always fails authentication. AST-2018-007: iostreams potential DoS when client connection prematurely Before Asterisk sends an HTTP response (at least in the case of errors), it attempts to read discard the content of the request. If the client. Lies about the Content-Length, or the connection is from the Client side before "Content-Length" bytes are sent, the request handling Thread will busy loop.
15.4.002 May 2018 18:25 minor feature:
15.3.017 Mar 2018 08:45 minor feature:
15.2.225 Feb 2018 22:25 minor feature: AST-2018-006: Properly handle WebSocket frames with 0 length payload. In ast_websocket_read() we were not adequately checking that the. Payload_len was non-zero before passing it to ws_safe_read(). Calling Ws_safe_read with a len argument of 0 will result in a busy loop until The underlying socket is. AST-2018-003: Crash with an invalid SDP fmtp attribute Pjproject's fmtp retrieval function failed to catch invalid fmtp attributes. Because of this Asterisk would crash if given an SDP with an invalid fmtp. Attribute. When retrieving the format this patch now makes sure the fmtp attribute is. Available. If not available it now returns an error status. AST-2018-002: Crash with an invalid SDP media format description Pjproject's media format parsing algorithm failed to catch invalid values. Because of this Asterisk would crash if given an SDP with a invalid media. Format description. When parsing the media format description this patch now properly parses the. Value and returns an error status if it can't successfully parse/convert the Value. AST-2018-005: res_pjsip_transport_management: Move to core Since res_pjsip_transport_management provides several attack. Mitigation features, its functionality moved to res_pjsip and This module has been removed. This way the features will always be available if res_pjsip is loaded. AST-2018-005: tdata leaks when calling pjsip_endpt_send_response(2). Pjsip_distributor: Authenticate() creates a tdata and uses it to send a challenge or Failure response. When pjsip_endpt_send_response2() succeeds, it Automatically decrements the tdata ref count but when it fails, it Doesn't. Since we weren't checking for a return status, we weren't Decrementing the count ourselves on error and were therefore leaking Tdatas. Res_pjsip_session: Session_reinvite_on_rx_request wasn't decrementing the ref count if an error happened while sending a 491 response. Pre_session_setup wasn't decrementing the ref count if While sending an error after a pjsip_inv_v
15.2.117 Feb 2018 10:05 minor feature: Cdr.c: runtime leak of CDR records. Need to remove all CDR's listed by a CDR object from the active_cdrs_all. Container including the root/master record.
15.2.013 Jan 2018 02:45 minor feature:
15.1.524 Dec 2017 10:25 minor feature: AST-2017-014: res_pjsip - Missing contact header can cause crash Those SIP messages that create dialogs require a contact header to be present. If the contact header was missing from the message it could cause Asterisk to. Crash. This patch checks to make sure SIP messages that create a dialog contain the. Contact header. If the message does not and it is required Asterisk now returns a "400 Missing Contact header" response. Also added NULL checks when retrieving. The contact header that were missing as a "just in case".
15.1.415 Dec 2017 09:45 minor feature: AST-2017-012: Place single RTCP report block at beginning of report. When the RTCP code was transitioned over to Stasis a code change. Was made to keep track of how many reports are present. This count Controlled where report blocks were placed in the RTCP report. If a compound RTCP packet was received this logic would incorrectly. Place a report block in the wrong location resulting in a write to an invalid location. This change removes this counting logic and always places the report. Block at the first position. If in the future multiple reports are Supported the logic can be extended but for now keeping a count Serves no purpose.
15.1.303 Dec 2017 22:25 minor feature: AST-2017-013: chan_skinny: Call pthread_detach when sess threads end Chan_skinny creates a new thread for each new session. In trying to be a good cleanup citizen, the threads are joinable and the. Unload_module function does a pthread_cancel() and a pthread_join() on any sessions that are active at that time. This has an. Unintended side effect though. Since you can call pthread_join on a Thread that's already terminated, pthreads keeps the thread's Storage around until you explicitly call pthread_join (or Pthread_detach()). Since only the module_unload function was Calling pthread_join, and even then only on the ones active at the Tme, the storage for every thread/session ever created sticks Around until asterisk exits. A thread can detach itself so the session_destroy() function. Now calls pthread_detach() just before it frees the session Memory allocation. The module_unload function still takes care of the ones that are still active should the module be unloaded.
15.1.218 Nov 2017 04:25 minor feature: Res_pjsip: Add to list of valid characters for from_user. a regression where some characters were unable to be used in. The from_user field of an endpoint. Additionally, the backtick was Removed from the list of valid characters, since it is not valid, And it was replaced with a single quote, which is a valid character. res_pjsip_registrar.c: AOR and pjproject group deadlock. One of the patches for ASTERISK_27147 introduced a deadlock regression. When the connection oriented transport shut down, the code attempted to. Remove the associated contact. However, that same transport had just Requested a registration that we hadn't responded to yet. Depending Upon timing we could deadlock. Made send the REGISTER response after we completed processing the. Request contacts and released the AOR lock to avoid the deadlock.
15.1.109 Nov 2017 18:05 minor feature: AST-2017-009: pjproject: Add validation of numeric header values Parsing the numeric header fields like cseq, ttl, port, etc. all. Had the potential to overflow, either causing unintended values to be captured or, if the values were subsequently converted back to. Strings, a buffer overrun. To address this, new "strto" functions Have been created that do range checking and those functions are Used wherever possible in the parser. Created pjlib/include/limits.h and pjlib/include/compat/limits.h to either include the system limits.h or define common numeric. Limits if there is no system limits.h. Created strto*_validate functions in sip_parser that take bounds. And on failure call the on_str_parse_error function which prints an error message and calls PJ_THROW. Updated sip_parser to validate the numeric fields. an in sip_transport that prevented error messages. From being properly displayed. Added "volatile" to some variables referenced in PJ_CATCH blocks as the optimizer was sometimes optimizing them away. Length calculation in sip_transaction/create_tsx_key_2543 to account for signed ints being 11 characters, not 9. AST-2017-011 - res_pjsip_session: session leak when a call is rejected. A previous commit made it so when an invite session transitioned into a. Disconnected state destruction of the Asterisk pjsip session object was Postponed until either a transport error occurred or the event timer Expired. However, if a call was rejected (for instance a 488) before the Session was fully established the event timer may not have been initiated, or it was canceled without triggering either of the session finalizing states. Mentioned above. Really the only time destruction of the session should be delayed is when a BYE is being transacted. This is because it's possible in some cases for the. Session to be disconnected, but the BYE is still transacting. This patch makes it so the session object always gets released (no more. Memory leak) when the pjsip session is in a dis
15.1.031 Oct 2017 17:25 minor feature:
15.0.004 Oct 2017 11:51 minor feature: asterisk 15.0.0 Released.
ManageYou can also help out here by:
← Update project
or flagging this entry for moderator attention.