When the 20ms channel timer fires but there are no frames available in
the queue, we now check for leftover data in the buffer and if there is
any, we create a frame with it and send it to the core. This resolves an
issue with the leftover data being delayed if a STOP_MEDIA_BUFFERING
command is delayed. Some existing comments were also clarified to
account for the new behavior.
Resolves: #2006
When a confirmed session is being terminated while an outgoing in-dialog
INVITE transaction is still outstanding, the BYE is delayed until the
outstanding transaction terminates.
If that INVITE has already received a provisional response and the final
response is malformed and rejected before transaction processing, the
transaction can remain outstanding and the delayed BYE can keep the
session, media state, RTP instance, and PJPROJECT pools referenced after
the channels are gone.
When a BYE is delayed behind an outstanding UAC INVITE, set a PJPROJECT
transaction timeout on that INVITE so the delayed cleanup path has a
bounded wait. If PJPROJECT terminates the dialog as a result of the
timeout, discard the delayed BYE instead of sending a duplicate BYE.
Fixes: #1965
Commit e8f548c1 removed AEL `macro` definition and calls from the
sample configuration file, but those do not use the deprecated/removed
`Macro` app - they use `Gosub` under the hood.
ast_format_cap_append_from_cap() and ast_format_cap_replace_from_cap()
dereference 'src' (src->preference_order) without checking it for NULL.
A dummy channel allocated with ast_dummy_channel_alloc() never sets a
native-format capability, so ast_channel_nativeformats() returns NULL on
such channels. When CHANNEL(audionativeformat) / CHANNEL(videonativeformat)
is evaluated against a dummy channel (e.g. via ARI channelvars during a
Stasis VarSet event raised while app_voicemail builds the notification
email on a dummy channel), func_channel_read() passes that NULL straight
into ast_format_cap_append_from_cap(), causing a NULL dereference at
offset 0x28 and a SIGSEGV.
Guard both helpers against a NULL source. A NULL source simply means
"no formats to copy", so appending/replacing nothing is the correct
no-op behaviour. This also protects all other callers.
Fixes https://github.com/asterisk/asterisk/issues/1992
AI disclosure: this was generated using Claude Opus 4.8, tested to fix the issue. Not sure if it is the *right* way to do it.
The ast_tsconvert.py script called by ast_loggrabber is now installed in a
temporary directory that isn't world readable or writable.
Resolves: #GHSA-xgj6-2gc5-5x9c
The REST over WebSocket path now properly prevents non-GET methods from
being executed on inbound WebSockets.
* The query parameters from the original incoming GET request that caused the
upgrade to WebSocket are now passed to all REST requests that come from the
client. This ensures that if the client authenticated with a read-only
userid using the "api_key" query_string parameter, REST requests coming
in over the WebSocket will only be able to execute GETs on resources.
The HTTP headers were already passed to the REST requests so if the
client had authenticated via an "Authorization" it was properly handled.
* New tests have been added to test_ari.c to check that read-only users
are properly denied access to resources using non-GET methods. Several
memory leaks were also squashed.
Resolves: #GHSA-wcvv-g26m-wx5c
The filter_on_tx_message() function was using pj_strassign() to save the pointer
of the pjproject transport local address to a local pj_str_t variable. That
variable was ultimately used to set the Contact header's uri->host and the SDP
connection attribute's address again using pj_strassign. pj_strassign() doesn't
copy the actual value of the pj_str_t however, it just copies the pointer so
if a connection-oriented transport is disconnected before the 200 OK with the
SDP is sent, those pointers will be invalid which can cause use-after-free
issues. To prevent this, filter_on_tx_message() now uses pj_strdup with the
tdata->pool as the backing store to save the local IP address to the local
variable. pj_strassign() can then be used safely later on since the tdata
will be available for the life of the transaction.
Resolves: #GHSA-g8q2-p36q-94f6
Several bounds checks have been edded to ooQ931Decode to prevent it from
running past the end of the data buffer when parsing information elements.
Resolves: #GHSA-746q-794h-cc7f
DeveloperNote: ARI applications can no longer call "dangerous" dialplan
functions like DB(), FILE(), SHELL(), CURL(), STAT(), etc. without
enabling "live_dangerously" in asterisk.conf.
Resolves: #GHSA-vrfp-mg3q-3959
* Add check to red_t140_to_red() to ensure that the new primary payload
can't cause the rtp_red->len array items to wrap or cause an overrun of
the rtp_red->t140red_data buffer.
* Add check to rtp_red_buffer() to ensure that a T.140 frame to be sent
can't cause rtp_red->len array items to wrap or cause an overrun of
the rtp_red->buf_data buffer.
Resolves: #GHSA-vfhr-r9x9-c687
Resolves: #GHSA-j2mm-57pq-jh94
Add constraint checks to prevent unauthenticated users from crashing Asterisk
instance by sending a crafted inbound SIP NOTIFY request with "Content-Type:
application/simple-message-summary".
Resolves: #GHSA-8jw3-ccr9-xrmf
To avoid a potential null dereference use the remote address
in error logging when there is no user or the user acl fails.
Resolves: #GHSA-3rhj-hhw7-m6fw
The protocol 1 unpack helpers trusted externally controlled lengths and wrote
them directly into fixed-size buffers in sms_t. Clamp the address, header,
and body copies to the destination array sizes so malformed messages cannot
overwrite adjacent state.
Resolves: #GHSA-q9fr-m7g8-6ph5
The snprintf size parameter in xmpp_action_hook() is computed from
the attacker-controlled namespace prefix length and is not bounded
by the 256-byte stack buffer size. When a remote XMPP peer sends a
stanza with a child element whose namespace prefix exceeds 249
characters, snprintf writes past the buffer boundary.
Use sizeof(attr) as the snprintf size limit and %.*s precision to
extract only the prefix portion of the element name, preserving
the original truncation behavior for valid inputs.
Resolves: #GHSA-mxgm-8c6f-5p8f
The parse_simple_message_summary() function uses sscanf with an
unbounded %s format specifier to parse the Message-Account field
from incoming SIP NOTIFY bodies into a fixed-size 512-byte stack
buffer (PJSIP_MAX_URL_SIZE). A single unauthenticated SIP NOTIFY
with a Message-Account value exceeding 512 bytes overflows the
buffer, corrupting adjacent stack data and permanently disabling
the PJSIP transport layer without crashing the process.
Add a width specifier (%511s) to limit the sscanf write to
PJSIP_MAX_URL_SIZE - 1 bytes plus the NUL terminator, matching
the destination buffer size.
Resolves: #GHSA-589g-qgf8-m6mx
The LDAP realtime driver constructs search filters by directly
concatenating user-supplied values without RFC 4515 escaping.
When LDAP is used as a realtime backend for endpoint
identification, characters with special meaning in LDAP filters
(*, (, ), \) can be injected via the SIP From header username.
Add ldap_filter_escape_value() that escapes RFC 4515 special
characters to their \HH hex representation, and apply it to
non-LIKE query values. The LIKE query path preserves the existing
wildcard conversion behavior with a note for maintainers.
Resolves: #GHSA-r6c2-hwc2-j4mp
The eventtype column handler in cel_pgsql.c inserts
record.user_defined_name directly into the SQL query without
calling PQescapeStringConn(), while all other string fields in
the same function are properly escaped. Similarly, cel_tds.c
passes the raw user_defined_name into the SQL INSERT without
routing it through anti_injection(), while all other fields are
processed through that function.
For cel_pgsql.c, escape the eventtype value using
PQescapeStringConn(), matching the existing pattern used for all
other string fields at lines 308-331 of the same function.
For cel_tds.c, route the eventtype value through
anti_injection() consistent with how all other fields are handled
in the same function.
Resolves: #GHSA-ph27-3m5q-mj5m
The text parameter in ast_http_create_response() is inserted into
the HTML body without escaping, while the server name on the same
page is properly escaped via ast_xml_escape(). When res_phoneprov
passes the decoded request URI as the text of a 404 response, HTML
metacharacters in the URI are rendered by the browser.
Apply ast_xml_escape() to the text parameter before inserting it
into the HTML template, using the same function already used for
the server name.
Resolves: #GHSA-4pgv-j3mr-3rcp
The codec2_samples() function uses floor division (160 * datalen/6)
to compute expected output samples, but the decode loop condition
(x < datalen) iterates with ceiling behavior when datalen is not a
multiple of CODEC2_FRAME_LEN. This mismatch causes the loop to
decode one extra frame beyond what the framework bounds check
budgeted for, leading to an out-of-bounds write on the output buffer.
Change the loop condition to only process complete frames, matching
the floor-division behavior of codec2_samples(). This also prevents
an out-of-bounds read on the input side when fewer than
CODEC2_FRAME_LEN bytes remain.
Resolves: #GHSA-qf8j-jp7h-c5hx
The ogg_speex_read() function copies OGG packet data via memcpy()
without validating the packet size against the destination buffer
(BUF_SIZE = 200 bytes). A crafted .spx file with an oversized OGG
audio packet causes a heap buffer overflow that corrupts the
adjacent speex_desc structure containing libogg heap pointers,
leading to a crash (SIGSEGV) on playback.
Add a bounds check for both negative and oversized values before
the memcpy, consistent with how format_ogg_vorbis bounds its reads
via ov_read().
Resolves: #GHSA-8jhw-m2hg-vp3h
The native sampling of duplex recording is set to match the raw 8K
output format. If one or more of the streams being recorded is above
8K, the frame size coming into the mixmonitor is too large and needs
to be translated to 8K before being mixed into the stereo frame to
avoid garbled and mistimed audio
Fixes: #1779
The websocket client proxy and server handshakes use ast_iostream_gets which
are blocking calls. If the outgoing connection succeeds at the TCP or TLS
layer but the proxy (if configured) or the websocket server fails to respond
to the CONNECT or GET requests, the process can hang indefinitely and escalate
to a deadlock. To address this, the handshakes are now guarded with calls to
ast_iostream_set_timeout_sequence() with the timeout set to the client's
(connection_timeout * 2) milliseconds.
In order to use ast_iostream_set_timeout_sequence(), the iostream has to be
set to non-blocking with ast_iostream_nonblock() but there was no way to
reset the stream back to blocking mode so a new API ast_iostream_blocking()
was added for it.
Tracing was also enabled in the websocket_client_handshake function for
future troubleshooting.
Resolves: #1979
Extension state to this point has been an API implemented
inside the PBX core resulting in its state being intermingled
with that of the dialplan. This increased the complexity of
the PBX core and made it difficult to enact improvements.
This change adds a new separate extension state API
which receives updates from the PBX core as configuration
changes but maintains its own separate state. The API is
also written to fully take advantage of modern APIs in a
more selective manner by subscribing each extension state to
only the devices it is interested in, ultimately reducing
resource consumption during updates. Presence state updates
being infrequently done use a single shared subscription that
goes through the extension states to find and update ones
that the update is applicable to.
Legacy API support is provided by reimplementing the API
as wrappers over the new extension state API. This improves
the legacy API by making it multithreaded, with each callback
being individually subscribed.
Autohints support is maintained but has been separated out
into a self contained new implementation.
Synchronous subscription support has also been added to
Stasis to remove the overhead of asynchronous publishing when
the handling of published messages is small and fast.
Adds a new transport option 'external_signaling_hostname' which allows
a hostname or FQDN to be used in SIP Contact and Via headers instead of
the automatically determined IP address. This is useful when a remote
SIP endpoint requires a fully qualified domain name in these headers.
The option is mutually exclusive with 'external_signaling_address' and
an error is raised at transport load time if both are set simultaneously.
Resolves: #1749
UserNote: A new pjsip.conf transport option 'external_signaling_hostname'
has been added. When set, this value will be used in SIP Contact and Via
headers instead of the automatically determined IP address. This option
is mutually exclusive with 'external_signaling_address'.
See the notes below for high-level descriptions of the new features.
* Proxies
Outbound/forward HTTP proxies are now supported and configurable in
websocket_client.conf. You can specify a host:port plus optional proxy_username
and proxy_password. Because WebSockets aren't consistently supported among
proxies (specifically passing through UPGRADEs), the CONNECT method is always
used to establish a TCP tunnel through the proxy. This is required if a TLS
session is to be established with the WebSocket server anyway. It's important
to understand that that negotiation with the proxy is ALWAYS unsecured. Once
the proxy establishes the tunnel, the TLS session will be negotiated directly
with the remote WebSocket server via the tunnel.
* Keepalives
Both TCP-level and WebSocket PING/PONG keepalives can be configured and are
available with either the curl or tcptls client implementations. The TCP
keepalives are handled entirely by the operating system and require no
resources from Asterisk but by their very nature, they can't traverse proxies.
WebSocket PING/PONGs are implemented in the Asterisk websocket code and require
a scheduler thread to keep track of them so they're a bit more complicated but
they do traverse proxies. Which one is used is completely up to the admin.
You could use both.
* Other Changes
A few changes were needed to res/ari/ari_websockets and
res/res_aeap/transport_websocket to add explicit calls to ast_websocket_close.
They had been assuming that the websocket session destructor would close the
websocket when it unreffed it but the keepalive process now holds a reference
so the destructor wouldn't actually run without the call to ast_websocket_close
to stop the keepalives.
A few new methods were added to tcptls.c to allow switching an existing
connection from unsecured to TLS. These were required because the initial
connection and handshake with a proxy is always unsecured but then needs
to be switched to TLS if required for the remote WebSocket server.
There was a bug in sorcery.h where the ast_sorcery_register_uint macro
was referencing _stringify (which doesn't exist) instead of _sorcery_stringify.
Resolves: #1881Resolves: #1933
UserNote: Forward/outbound proxies can now be specified for outbound websockets.
See the websocket_client.conf.sample file for configuration information.
UserNote: TCP-level or WebSocket PING/PONG keepalives can now be enabled on
outbound websockets. They can help detect network failures even when a
persistent connection is idle. See the websocket_client.conf.sample
file for configuration information.
DeveloperNote: The addition of the proxy and keepalive configuration parameters
pushed the websocket client parameter count over 32. This necessitated changing
the size of the ast_ws_client_fields enum from a 32 bit bitfield to a 64-bit
bitfield with a corresponding change to the ast_websocket_client structure.
chan_local no longer exists since Local channels are built into the
core (core_local), but there are still comments which reference it,
including in the configs. Update these to avoid confusion.
Resolves: #1849
Under certain timing/load conditions, res_ari_model may not load until after
res_ari on startup or it might unload before res_ari on shutdown. This can
cause a segfault when DEVMODE is enabled and there are persistent outbound
websocket connections because DEVMODE forces validation of outgoing events
against the models. To prevent this, res_ari_model has been added as an
"optional_module" to res_ari's NODULE_INFO. This will enforce load/unload
order but not make res_ari dependent on res_ari_model. However, if
Asterisk is configured with --enable-dev-mode, res_ari will fail to
load if res_ari_model isn't available.
Resolves: #1970
Adds the ability to attach multiple states to both Channels and Bridges in the form
of variables that are included in all events on the associated object.
First, this adds an optional boolean field to channel variables 'report_events'
that causes the variable to automatically be included in all events on that channel.
To allow this, variables can now be either name value pairs (the current format):
`<variable_name>: '<value_string>'`
- or -
`<variable_name>: {value: '<value_string>', report_events: [true|false]}`
If the old format is used or 'report_events' is not included, it will default to
false and retain current behavior.
Second, this extends both reported and unreported variables to Bridges so they too
may have stateful information.
Resolves: #1910
UserNote: Bridge variables now can be set and retrieved via the following paths:
`/bridges/{bridgeId}/variable`
`/bridges/{bridgeId}/variables`
Both Bridge and Channel variables can now be set with an optional 'report_events'
boolean flag that will cause those variables to be included on all events on that
object. The 'report_events' flag will default to False if not set to maintain
backwards capability.
To allow this, variables can now be either name value pairs (the current format):
`<variable_name>: '<value_string>'`
- or -
`<variable_name>: {value: '<value_string>', report_events: [true|false]}`
Two new paths exist for ARI to get and set multiple channel variables at
the same time. This is done via GET and POST like the single get and set
variable equivalents. Leading and trailing whitespace will be stripped
from the variable names for both paths. When setting variables, the
values will be read as-is, whitespace included. GET takes in a single
string with comma-separated values, while POST takes in a dictionary of
key value pairs. The code follows the same paths as when setting
multiple variables when originating a channel via ARI.
UserNote: Added new ARI paths for getting and setting multiple channel
variables at a time. For GET, this takes in a single string of
comma-separated variable names, while POST takes in a dictionary of key
value pairs. The behavior is the same as passing in variables when
originating a channel.
libical 4.0 removed the icaltime_add() function in favor of icaltime_adjust(). Additionally, the callback signature for icalcomponent_foreach_recurrence() was updated to use a const pointer for the icaltime_span argument.
This commit adds conditional compilation using ICAL_MAJOR_VERSION to support both libical 3.X and the new 4.X API, ensuring backward compatibility.
Fixes: #1957
When a hangup occurs while app_record is playing the initial beep,
the application does not detect the hangup and continues running
until the maxduration timeout expires.
Replace the manual ast_streamfile() + ast_waitstream() sequence with
ast_stream_and_wait(), which properly detects hangup and returns
non-zero, allowing the application to exit immediately with
RECORD_STATUS set to HANGUP.
Resolves: #1950
The reference identifier (what the client provides - in this case a
hostname) must start with a domain label, not a `.`.
The current implementation will match `.seanbright.com` against
`*.seanbright.com` which is incorrect.
If the channel is locked when calling ast_set_variables and any of the
variables contained dialplan functions, there's a possiblilty of a deadlock.
To prevent this, either the explicit locks were removed or the call to
ast_set_variables moved out of the lock scope. A warning to not hold
channel locks is also added to the documentation for ast_set_variables.
Resolves: #1936
Under high concurrency, update_queue() may be invoked multiple times
for the same call, causing member->calls and queue-level counters to
be incremented more than once.
The existing starttime check is not atomic and allows concurrent
execution paths to pass. Treat member->starttime as a single-use token
and consume it via CAS to ensure the call is counted exactly once.
This also prevents incorrect call distribution when using strategies
such as fewestcalls.
Observed as a regression after upgrading to 20.17.
Resolves: #1736
When openr2 is installed mfcr2_show_links_of() is no longer ifdeffed out
which makes gcc-16 complain with 'variable ‘x’ set but not used'.
Resolves: #1947
This tests checks [slin -> codec -> slin] and then compares slin in vs out
regarding signal noise ratio and delay.
Near-lossless codecs (ulaw, alaw) are checked with a maximum per-sample
error bound. Lossy codecs are checked with a per-codec SNR threshold.
Cross-correlation alignment compensates for algorithmic delay in codecs
like speex and opus.
Covered codecs: ulaw, alaw, adpcm, g726, g726aal2, gsm, speex,
speex16, speex32, ilbc, codec2, lpc10, g722, opus.
Resolves: #1812
The original trigger for setting the RTP stats in ast_softhangup() came from
an ARI issue where stats weren't being set in time to be reported on STASIS_END
events. The thought was that setting them in a common place like ast_softhangup()
would ensure the stats were set in possibly other scenarios. Unfortunately,
setting the RTP stats variables in ast_softhangup() broke ABI as it required
that no channel locks be held which was not the case earlier.
Given that the original issue was ARI, we can move setting the stats to
ast_ari_channels_hangup() in resource_channels just before it calls
ast_softhangup(). This might not catch all cases of the stats not being set,
but it won't break ABI or deadlock either.
Resolves: #1928
If a hostname is specified for stunaddr in rtp.conf, periodic DNS resolution
is enabled based on the TTL returned in the DNS results. If the TTL returned
is 0, it means that the next time the IP address is needed, it must be
looked up again. I.E. Don't cache. Historically (and incorrectly) however,
res_rtp_asterisk stopped the periodic resolution and never re-resolved the
hostname again.
Besides what's mentioned in the user notes...
* Additional debugging was added in various STUN/DNS functions.
* The `rtp show settings` CLI command shows more detailed STUN info.
* Some debugging was added to dns_core.c and dns_recurring.c.
UserNote: A new `stunaddr_reresolve_ttl_0` parameter has been added to rtp.conf
that allows control over what happens when a STUN server hostname lookup
returns a TTL of 0. The values can be set as follows:
- 'no': This is the historical (and current default) behavior of not doing
any further lookups and continuing to use the last successful result until
Asterisk is restarted or rtp.conf is reloaded.
- 'yes': Use the last cached result for the current call but trigger
re-resolution in the background for the benefit of future calls.
If the result of the background lookup is a ttl > 0, periodic resolution
will be restarted otherwise the next call will use the new cached value
and will trigger a background lookup again.
UserNote: A new CLI command `rtp resolve stun hostname` has been added
that will force a resolution of the STUN hostname and (re)start periodic
resolution if the result has a TTL > 0.
Resolves: #1858