As detailed in the advisory, AMI users without write authorization for SYSTEM class AMI
actions were able to run system commands by going through other AMI commands which did
not require that authorization. Specifically, GetVar and Status allowed users to do this
by setting their variable/s options to the SHELL or EVAL functions.
Also, within 1.8, 10, and trunk there was a similar flaw with the Originate action that
allowed users with originate permission to run MixMonitor and supply a shell command
in the Data argument. That flaw is fixed in those versions of this patch.
(closes issue ASTERISK-17465)
Reported By: David Woolley
Patches:
162_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
18_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
10_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
........
Merged revisions 363117 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
........
Merged revisions 363141 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 363156 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@363159 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Redo ast_app_run_sub()/ast_app_exec_sub() to use a known return point so
execution will stop after the routine returns there.
(s@gosub_virtual_context:1)
* Create ast_app_exec_macro() and ast_app_exec_sub() to run the macro and
gosub application respectively with the parameter string already created.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@362962 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Move debug message in ast_rtp_instance_early_bridge_make_compatible() to
be output when what it states has actually happened.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@362920 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The Security Events Framework API was changed while adding the generation of
security events in chan_sip. A payload type and name was missed from being
added to struct ie_maps.
(closes issue ASTERISK-19759)
Reported by: Michael L. Young
Patches:
issue-asterisk-19759.diff uploaded by Michael L. Young (license 5026)
........
Merged revisions 362918 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@362919 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The CHANNEL_DEADLOCK_AVOIDANCE() feature of preserving where the channel
lock was originally obtained is overkill where ast_channel_lock_both() was
inlined.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@362888 65c4cc65-6c06-0410-ace0-fbb531ad65f3
ISDN ETSI PTP and Q.SIG (And SS7 in future) have support for reporting who
was the original redirecting party of a call.
* Added support for the original redirecting party and reason to the
REDIRECTING function and the system core as well as to the stubbed
locations in sig_pri.c.
Review: https://reviewboard.asterisk.org/r/1829/
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@362779 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* chan_mobile: Fixed an overrun where the cind_state buffer (an integer array
of size 16) would be overrun due to improper bounds checking. At worst, the
buffer can be overrun by a total of 48 bytes (assuming 4-byte integers),
which would still leave it within the allocated memory of struct hfp. This
would corrupt other elements in that struct but not necessarily cause any
further issues.
* app_sms: The array imsg is of size 250, while the array (ud) that the data
is copied into is of size 160. If the size of the inbound message is
greater then 160, up to 90 bytes could be overrun in ud. This would corrupt
the user data header (array udh) adjacent to ud.
* chan_unistim: A number of invalid memmoves are corrected. These would move
data (which may or may not be valid) into the ends of these buffers.
* asterisk: ast_console_toggle_loglevel does not check that the console log
level being set is less then or equal to the allowed log levels of 32.
* format_pref: In ast_codec_pref_prepend, if any occurrence of the specified
codec is not found, the value used to index into the array pref->order
would be one greater then the maximum size of the array.
* jitterbuf: If the element being placed into the jitter buffer lands in the
last available slot in the jitter history buffer, the insertion sort attempts
to move the last entry in the buffer into one slot past the maximum length
of the buffer. Note that this occurred for both the min and max jitter
history buffers.
* tdd: If a read from fsk_serial returns a character that is greater then 32,
an attempt to read past one of the statically defined arrays containing the
values that character maps to would occur.
* localtime: struct ast_time and tm are not the same size - ast_time is larger,
although it contains the elements of tm within it in the same layout. Hence,
when using memcpy to copy the contents of tm into ast_time, the size of tm
should be used, as opposed to the size of ast_time.
* extconf: this treats ast_timing's minmask array as if it had a length of 48,
when it has defined the size of the array as 24. pbx.h defines minmask as
having a size of 48.
(issue ASTERISK-19668)
Reported by: Matt Jordan
........
Merged revisions 362485 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 362496 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@362497 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch addresses a number of modules in main that did not handle the
negative return value from function calls adequately, or were not sufficiently
clear that the conditions leading to improper handling of the return values
could not occur. This includes:
* asterisk.c: A negative return value from the read function would be used
directly as an index into a buffer. We now check for success of the read
function prior to using its result as an index.
* manager.c: Check for failures in mkstemp and lseek when handling the
temporary file created for processing data returned from a CLI command in
action_command. Also check that the result of an lseek is sanitized prior
to using it as the size of a memory map to allocate.
(issue ASTERISK-19655)
Reported by: Matt Jordan
Review: https://reviewboard.asterisk.org/r/1863/
........
Merged revisions 362359 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 362360 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@362361 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The current Security Events Framework API only supports IPv4 when it comes to
generating security events. This patch does the following:
* Changes the Security Events Framework API to support IPV6 and updates
the components that use this API.
* Eliminates an error message that was being generated since the current
implementation was treating an IPv6 socket address as if it was IPv4.
* Some copyright dates were updated on files touched by this patch.
(closes issue ASTERISK-19447)
Reported by: Michael L. Young
Tested by: Michael L. Young
Patches:
security_events_ipv6v3.diff uploaded by Michael L. Young (license 5026)
Review: https://reviewboard.asterisk.org/r/1777/
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@362200 65c4cc65-6c06-0410-ace0-fbb531ad65f3
ASTERISK-18809 eliminated the legacy macro invocation of the stdexten in
favor of the Gosub method without a means of backwards compatibility.
(issue ASTERISK-18809)
(closes issue ASTERISK-19457)
Reported by: Matt Jordan
Tested by: rmudgett
Review: https://reviewboard.asterisk.org/r/1855/
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@361998 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Doing Set(MESSAGE_DATA(key)=) would add an empty key header if the key
header did not already exist. If it already existed it would delete it.
* Made msg_set_var_full() exit early if the named variable did not already
exist and the value to set is empty.
........
Merged revisions 361522 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@361523 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Hangup now can take a regular expression as the Channel option. If you want
to hangup multiple channels, use /regex/ as the Channel option. Existing
behavior to hanging up a single channel is unchanged, but if you pass a regex,
the manager will send you a list of channels back that were hung up.
(closes issue ASTERISK-19575)
Reported by: Mark Murawski
Tested by: Mark Murawski
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@361038 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Prior to this patch, a connected line update was queued during
call pickup and then an answer frame was queued. The original
caller would presumably then have his connected line updated
and then the call would be answered.
In actuality, the answer frame was not how the call ended up
being answered. Rather, an odd section in app_dial that checks
if the called channel's state is up.
The result is that the order of the connected line update and
the answer were variable. In most cases, this wasn't actually
a bad thing. However, if the 'I' option was passed to dial, the
connected line update would be inhibited.
The fix is to queued the connected line after the answer frame is
queued. This way the race in app_dial is between two
conditions resulting in an answer. This way the connected line
update occurs after the answer every time.
(closes issue ASTERISK-19183)
Reported by: Thomas Arimont
Tested by: Thomas Arimont
Mark Michelson
Patches:
ASTERISK-19183.patch uploaded by Mark Michelson (license 5049)
........
Merged revisions 360884 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 360885 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@360886 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Rename astobj2 API parameter funcname to func.
* Rename astobj2 API iterator parameter to iter.
* Update some documentation for OBJ_MULTIPLE.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@360827 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Global ao2 objects must always exist after initialization because there is
no access control to obtain another reference to the global object.
It is expected that module configuration could use these new API calls to
replace an active configuration parameter object with an updated
configuration parameter object.
With these new API calls, the global object could be replaced, removed, or
referenced without the risk of someone using a stale global object
pointer.
Review: https://reviewboard.asterisk.org/r/1824/
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@360627 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Rather then flood the CLI with verbose messages, we've changed the level to
debug. This will help keep the CLI clean.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@360536 65c4cc65-6c06-0410-ace0-fbb531ad65f3
........
r360356 | russell | 2012-03-23 22:33:36 -0400 (Fri, 23 Mar 2012) | 6 lines
expression parser: Fix (theoretical) memory leak.
Fix a memory leak that is very unlikely to actually happen. If a malloc()
succeeded, but the following strdup() failed, the memory from the original
malloc() would be leaked.
........
r360357 | russell | 2012-03-23 22:34:39 -0400 (Fri, 23 Mar 2012) | 6 lines
Rebuild parsers.
This is needed to include the last fix to main/ast_expr2.y. The changes look
much bigger as this regeneration of the code was done with newer versions of
flex and bison.
........
Merged revisions 360356-360357 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 360358 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@360359 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Q.951 indicates that when the presentation indicator is "Number not
available due to interworking" for a number then the screening indicator
field should be "Network provided".
* Made ast_party_id_presentation() return AST_PRES_NUMBER_NOT_AVAILABLE
when the presentation is "Number not available due to interworking". This
fix makes Asterisk consistent and it also makes it consistent with earlier
branches as far as this presentation value is concerned.
* Made pri_to_ast_presentation() and ast_to_pri_presentation() conversions
handle the "Number not available due to interworking" case better in
sig_pri.c. This change is possible because the minimum required libpri
version (v1.4.11) has the necessary defines in libpri.h.
........
Merged revisions 360309 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 360310 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@360311 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Everything still compiled after making these changes, so I assume these
whitespace-only changes didn't break anything (and shouldn't have).
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@360190 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Fix AMI module reload deadlock regression from ASTERISK-18479 when it
tried to fix the race between calling an AMI action callback and
unregistering that action. Refixes ASTERISK-13784 broken by
ASTERISK-17785 change.
Locking the ao2 object guaranteed that there were no active callbacks that
mattered when ast_manager_unregister() was called. Unfortunately, this
causes the deadlock situation. The patch stops locking the ao2 object to
allow multiple threads to invoke the callback re-entrantly. There is no
way to guarantee a module unload will not crash because of an active
callback. The code attempts to minimize the chance with the registered
flag and the maximum 5 second delay before ast_manager_unregister()
returns.
The trunk version of the patch changes the API to fix the race condition
correctly to prevent the module code from unloading from memory while an
action callback is active.
* Don't hold the lock while calling the AMI action callback.
(closes issue ASTERISK-19487)
Reported by: Philippe Lindheimer
Review: https://reviewboard.asterisk.org/r/1818/
Review: https://reviewboard.asterisk.org/r/1820/
........
Merged revisions 359979 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 359980 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@359981 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Remove unnnecessary const from const char * const var declaration in the
ast_app_run_macro() and ast_app_run_sub() prototypes. The second const is
unnecessary.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@359904 65c4cc65-6c06-0410-ace0-fbb531ad65f3
There exists a remotely exploitable stack buffer overflow in HTTP digest
authentication handling in Asterisk. The particular method in question
is only utilized by HTTP AMI. When parsing the digest information, the
length of the string is not checked when it is copied into temporary buffers
allocated on the stack.
This patch fixes this behavior by parsing out pre-defined key/value pairs
and avoiding unnecessary copies to the stack.
(closes issue ASTERISK-19542)
Reported by: Russell Bryant
Tested by: Matt Jordan
........
Merged revisions 359706 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 359707 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@359708 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Added 'b' and 'B' options to Dial. These options will allow you to run
last-minute dialplan on the caller and callee channels while the Dial
application is executing, but before the call is started. For example you
can use the 'b' option to run dialplan on the callee channel to get the name
of the newly created channel right away.
Review: https://reviewboard.asterisk.org/r/1229/
(closes issue: ASTERISK-19548)
Reported by: Mark Murawski
Tested by: Mark Murawski, Stefan Schmidt
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@359705 65c4cc65-6c06-0410-ace0-fbb531ad65f3
When a change in time occurs, such that the timestamps associated with frames
being placed into an adaptive jitter buffer (implemented in jitterbuf.c)
are significantly different then the previously inserted frames, the jitter
buffer checks to see if it needs to be resynched to the new time frame. If
three consecutive packets break the threshold, the jitter buffer resynchs
itself to the new timestamps. This currently only occurs when history is
calculated, and hence only on JB_TYPE_VOICE frames.
JB_TYPE_CONTROL frames, on the other hand, are never passed to the history
calculations. Because of this, if the jump in time is greater then the
maximum allowed length of the jitter buffer, the JB_TYPE_CONTROL frames are
dropped and no resynchronization occurs. Alterntively, if the overfill
logic is not triggered, the JB_TYPE_CONTROL frame will be placed into the
buffer, but with a time reference that is not applicable. Subsequent
JB_TYPE_VOICE frames will quickly trigger the overflow logic until reads
from the jitter buffer reach the errant JB_TYPE_CONTROL frame.
This patch allows JB_TYPE_CONTROL frames to resynch the jitter buffer. As
JB_TYPE_CONTROL frames are unlikely to occur in multiples, it perform the
resynchronization on any JB_TYPE_CONTROL frame that breaks the resynch
threshold.
Note that this only impacts chan_iax2, as other consumers of the adaptive
jitter buffer use the abstract jitter buffer API, which does not use
JB_TYPE_CONTROL frames.
Review: https://reviewboard.asterisk.org/r/1814/
(closes issue ASTERISK-18964)
Reported by: Kris Shaw
Tested by: Kris Shaw, Matt Jordan
Patches:
jitterbuffer-2012-2-26.diff uploaded by Kris Shaw (license 5722)
........
Merged revisions 359356 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 359358 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@359359 65c4cc65-6c06-0410-ace0-fbb531ad65f3
When connected line support was added, the wait_for_answer() variable
single changed its meaning slightly. Unfortunately, the places where
single was used did not necessarily get updated to reflect that change.
Also audio/video frames were sent to all forked calls when the endpoints
were never made compatible.
* Don't pass audio/video media frames when the channels have not been made
compatible.
* Added handling of AST_CONTROL_SRCCHANGE to app_dial.c.
* Fixed app_dial.c passing on AST_CONTROL_HOLD because that frame can also
pass a requested MOH class.
(closes issue ASTERISK-16901)
Reported by: Chris Gentle
(closes issue ASTERISK-17541)
Reported by: clint
Review: https://reviewboard.asterisk.org/r/1805/
........
Merged revisions 359344 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 359355 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@359357 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch updates the NUMLOGLEVELS define in logger.h to 32, to match the fact
that logger.c implements 32 log levels (because of the custom log level stuff).
asterisk.c uses this define to size an array of levels per remote console.
This array is modified in ast_console_toggle_loglevel(), which is called by the
"logger set level" CLI command. While the documentation for the CLI command
doesn't make it terribly obvious, you can use this CLI command to toggle a
custom log level on a remote console, as well. However, doing so led to an
invalid array index in asterisk.c.
This array is read from any time a log message is written to a console. So,
all custom log level messages resulted in a bogus read if a remote console
was connected.
........
Merged revisions 359259 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 359260 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@359261 65c4cc65-6c06-0410-ace0-fbb531ad65f3