If DEBUG_THREADS is enabled __ast_rwlock_destroy causes a segfault while trying
to access a possible NULL t->track object. A NULL check has been added before
trying to access the memory.
(closes issue ASTERISK-21724)
Reported by: Corey Farrell
Fixed by: Corey Farrell
Patches:
ast_rwlock_destroy-segv.patch uploaded by Corey Farrell (license 5909)
........
Merged revisions 388838 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@388839 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The debug versions of ao2_ref() should only be used if REF_DEBUG is
enabled so nothing is written to /tmp/refs unexpectedly.
(closes issue ASTERISK-21785)
Reported by: abelbeck
Patches:
jira_asterisk_21785_v11.patch (license #5621) patch uploaded by rmudgett
Tested by: abelbeck
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@388700 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The CALL-ID (ie [C-00000074]) is missing when logging to syslog. This was just
an oversight when this feature was added.
* Add CALL-IDs when using syslog
(closes issue ASTERISK-21430)
Reported by: Nikola Ciprich
Tested by: Nikola Ciprich, Michael L. Young
Patches:
asterisk-21430-syslog-callid_trunk.diff by Michael L. Young (license 5026)
Review: https://reviewboard.asterisk.org/r/2526/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@388605 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Way back when in the dark days of Asterisk 1.8.9, blind transferring a call
in a context that included the 'h' extension would inadvertently execute the
hangup code logic on the transferred channel. This was a "bad thing". The fix
was to properly check for the softhangup flags on the channel and only execute
the 'h' extension logic (and, in later versions, hangup handler logic) if the
channel was well and truly dead (Jim).
Unfortunately, CDRs are fickle. Setting the softhangup flag when we detected
that the channel was leaving the bridge (but not to die) caused some crucial
snippet of CDR code, lying in ambush in the middle of the bridging code, to
not get executed. This had the effect of blowing away one of the CDRs that is
typically created during a blind transfer.
While we live and die by the adage "don't touch CDRs in release branches", this
was our bad. The attached patch restores the CDR behavior, and still manages to
not run the 'h' extension during a blind transfer (at least not when it's
supposed to).
Thanks to Steve Davies for diagnosing this and providing a fix.
Review: https://reviewboard.asterisk.org/r/2476
(closes issue ASTERISK-21394)
Reported by: Ishfaq Malik
Tested by: Ishfaq Malik, mjordan
patches:
fix_missing_blindXfer_cdr2 uploaded by one47 (License 5012)
........
Merged revisions 387036 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@387038 65c4cc65-6c06-0410-ace0-fbb531ad65f3
If a system allows for its usage, Asterisk will use glob to help parse
Asterisk .conf files. The config file loading routine was leaking the memory
allocated by the glob() routine when the config file was in an unmodified
or invalid state.
This patch properly calls globfree in those off nominal paths.
(closes issue ASTERISK-21412)
Reported by: Corey Farrell
patches:
config_glob_leak.patch uploaded by Corey Farrell (license 5909)
........
Merged revisions 386672 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@386677 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch cleans up two things features:
* It properly unregisters the CLI commands that features registered
* It cancels and performs a pthread_join on the created parking thread. This
not only properly joins a non-detached thread, but also prevents disposing
of the parking lots prior to the parking thread completely exiting.
(closes issue ASTERISK-21407)
Reported by: Corey Farrell
patches:
features_shutdown-r2.patch uploaded by Corey Farrell (License 5909)
........
Merged revisions 386641 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@386642 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The two party bridging loops were changing the bridge peer pointers
without the channel locks held. Thus when ast_channel_massquerade()
tested and used the pointer there is a small window of opportunity for the
pointers to become NULL even though the masquerade code has the channels
locked.
(closes issue ASTERISK-21356)
Reported by: William luke
Patches:
jira_asterisk_21356_v11.patch (license #5621) patch uploaded by rmudgett
Tested by: William luke
........
Merged revisions 386256 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@386286 65c4cc65-6c06-0410-ace0-fbb531ad65f3
In messages.c, there are several places in the code where we create a
tmp_tech_holder and pass that into an ao2_find call. Unfortunately, we
weren't initializing the rwlock on the tmp_tech_holder, which the hash
function was locking. It's apparently harmless, but still not the best
code.
This patch extracts all that copy/pasted code into two functions,
msg_find_by_tech and msg_find_by_tech_name, which properly initialize
and destroy the rwlock on the tmp_tech_holder.
Review: https://reviewboard.asterisk.org/r/2454/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@386006 65c4cc65-6c06-0410-ace0-fbb531ad65f3
res_jabber/res_xmpp were not adding AST_EVENT_IE_CACHABLE to the event as each message came in,
then devstate_change_collector_cb() was unable to find AST_EVENT_IE_CACHABLE in the event,
so defaulted incorrectly to AST_DEVSTATE_NOT_CACHABLE.
(issue ASTERISK-20175)
(closes issue ASTERISK-21429)
(closes issue ASTERISK-21069)
(closes issue ASTERISK-21164)
Reported by: alecdavis
Tested by: alecdavis
alecdavis (license 585)
Review https://reviewboard.asterisk.org/r/2452/
........
Merged revisions 385916 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@385917 65c4cc65-6c06-0410-ace0-fbb531ad65f3
While looking at the security vulnerability in ASTERISK-20967, Walter noticed
a file descriptor leak and some other issues in off nominal code paths. This
patch corrects them.
Note that this patch is not related to the vulnerability in ASTERISK-20967,
but the patch was placed on that issue.
(closes issue ASTERISK-20967)
Reported by: wdoekes
patches:
issueA20967_file_leak_and_unused_wkspace.patch uploaded by wdoekes (License 5674)
........
Merged revisions 384118 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@384119 65c4cc65-6c06-0410-ace0-fbb531ad65f3
AST-2012-014, fixed in January of this year, contained a fix for Asterisk's
HTTP server for a remotely-triggered crash. While the fix put in place fixed
the possibility for the crash to be triggered, a denial of service vector still
exists with that solution if an attacker sends one or more HTTP POST requests
with very large Content-Length values. This patch resolves this by capping
the Content-Length at 1024 bytes. Any attempt to send an HTTP POST with
Content-Length greater than this cap will not result in any memory allocation.
The POST will be responded to with an HTTP 413 "Request Entity Too Large"
response.
This issue was reported by Christoph Hebeisen of TELUS Security Labs
(closes issue ASTERISK-20967)
Reported by: Christoph Hebeisen
patches:
AST-2013-002-1.8.diff uploaded by mmichelson (License 5049)
AST-2013-002-10.diff uploaded by mmichelson (License 5049)
AST-2013-002-11.diff uploaded by mmichelson (License 5049)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@383978 65c4cc65-6c06-0410-ace0-fbb531ad65f3
r375757 attempted to resolve a race condition between multiple submissions of
CDRs while in batch mode from attempting to destroy the scheduled batch
submission by extending the batch CDR lock. Unfortunately, this causes a
deadlock between the pending CDR lock and the batch CDR lock. This patch
resolves the intent of r375757 by simply providing a new lock that protects
the scheduling of the batches. The original batch CDR lock is kept to protect
manipulation of the batch CDR settings, but has been placed such that it
is not held when the pending lock is held.
Thanks to Chase Venters for providing lock analysis on the issue.
(issue ASTERISK-21162)
Reported by: Chase Venters
........
Merged revisions 383839 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@383840 65c4cc65-6c06-0410-ace0-fbb531ad65f3
AMI, HTTP, and chan_sip all support TLS in some way, but none of them
support all the options that Asterisk's TLS core is capable of
interpreting. This prevents consumers of the TLS/SSL layer from setting
TLS/SSL options that they do not support.
This also gets tlsverifyclient closer to a working state by requesting
the client certificate when tlsverifyclient is set. Currently, there is
no consumer of main/tcptls.c in Asterisk that supports this feature and
so it can not be properly tested.
Review: https://reviewboard.asterisk.org/r/2370/
Reported-by: John Bigelow
Patch-by: Kinsey Moore
(closes issue AST-1093)
........
Merged revisions 383165 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@383166 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Several new IEs were not given types (or names), causing the comparison
function to improperly succeed. This adds those.
(closes issue AST-1128)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@382390 65c4cc65-6c06-0410-ace0-fbb531ad65f3
When converting AMI class authorizations to a string representation, the
method always appends the ALL class authorization. This is especially
important for events, as they should always communicate that class
authorization - even if the event itself does not specify ALL as a class
authorization for itself. (Events have always assumed that the ALL class
authorization is implied when they are raised)
Unfortunately, this did mean that specifying a user with restricted class
authorizations would show up in the 'manager show user' CLI command as
having the ALL class authorization.
Rather then modifying the existing string manipulation function, this patch
adds a function that will only return a string if the field being compared
explicitly matches class authorization field it is being compared against.
This prevents ALL from being returned unless it is actually specified for
the user.
(closes issue ASTERISK-20397)
Reported by: Johan Wilfer
........
Merged revisions 381939 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@381943 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The incorrect callid was being written to the "data1" field in queue_log table
for transfer events. The callid of the queue was being written instead of the
transfer target's callid. This now gets the correct "transfer to" number and
places that in the "data1" field of the queue_log table when a transfer event
is triggered.
(closes issue ASTERISK-19960)
Reported by: vladimir shmagin
........
Merged revisions 381770 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@381791 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch fixes a crash in Asterisk that could be caused by using the
PresenceState AMI action while providing an invalid provider. This patch
also adds some additional warnings when a user attempts to provide the
PresenceState action with invalid data, and removes some NOTICE statements
that were still lurking in the code from testing.
(closes issue AST-1084)
Reported by: John Bigelow
Tested by: John Bigelow
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@381594 65c4cc65-6c06-0410-ace0-fbb531ad65f3
While autoservice is running and servicing a channel the callid is being stored
and removed in the thread's local storage for each iteration of the thread loop.
If debug was set to a sufficient level the log file would be spammed with callid
thread local storage debug messages.
Added a new function that checks to see if the callid to be stored is different
than what is already contained (if anything). If it is different then
store/replace and log, otherwise just leave as is. Also made it so all logging
of debug messages pertaining to the callid thread storage outputs only when
TEST_FRAMEWORK is defined.
(issue ASTERISK-21014)
(closes issue ASTERISK-21014)
Report by: Rusty Newton
Review: https://reviewboard.asterisk.org/r/2324/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@381554 65c4cc65-6c06-0410-ace0-fbb531ad65f3
A regression was introduced which removed automatic fallback behavior from
the PBX. This behavior was used by call parking (or at least documented as
how the feature works) in order to select an extension when the flat channel
extension wasn't available from the comebackcontext. Parking now handles
the fallbacks internally in order to keep behavior matching with how it is
documented.
(closes issue ASTERISK-20716)
Reported by: Chris Gentle
Review: https://reviewboard.asterisk.org/r/2296/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@380348 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch came about due to a problem observed where wav files had an
empty header. The header is supposed to be updated in wav_close(). It
turns out that this was broken when the cache_record_files option from
asterisk.conf was enabled. The cleanup code was moving the file to its
final destination *before* running the close() method of the file
destructor, so the header didn't get updated.
Another problem here is that the move was being done before actually
closing the FILE *.
Finally, the last bug fixed here is that I noticed that wav_close()
checks for stream->filename to be non-NULL. In the previous cleanup
order, it's checking a pointer to freed memory. This doesn't actually
cause anything to break, but it's treading on dangerous waters. Now the
free() of stream->filename is happening after the format module's
close() method gets called, so it's safer.
Review: https://reviewboard.asterisk.org/r/2286/
........
Merged revisions 380210 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@380211 65c4cc65-6c06-0410-ace0-fbb531ad65f3
When r376428 was commited to re-order start up sequences to be more tolerant of
forking with thread primitives, a few items were changed that caused changes
in behavior on some distros. This includes:
* Not displaying the splash screen on a remote console.
* Displaying an error message on stderr when a remote console cannot connect
to a running instance of Asterisk.
In the first case, the splash screen was re-added (thanks to Michael L. Young).
In the second case, the various init.d scripts were modified to pipe stderr
to /dev/null, as the error message is useful - if you execute a remote
console or a remote console command execution and it fail, it should tell
you. Note that the error message was always present, it just failed to be
printed prior to r376428.
Much thanks to the folks who quickly reported this problem, provided solutions,
and promptly tested the various init.d scripts on a variety of distros.
(closes issue ASTERISK-20945)
Reported by: Warren Selby
Tested by: Michael L. Young, Jamuel Starkey, kaldemar, Danny Nicholas, mjordan
patches:
asterisk-20945-remote-intro-msg.diff uploaded by elguero (license 5026)
ASTERISK-20945-1.8-mjordan.diff uploaded by mjordan (license 6283)
........
Merged revisions 379760 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 379777 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@379790 65c4cc65-6c06-0410-ace0-fbb531ad65f3
When Asterisk forks itself into the background via a call to daemon, it must
re-set the pid value of the new process. Otherwise, astcanary gets the pid
value of the process before the fork, which prevents it from running. Asterisk
eventually starts lowering its priority, as it can no longer communicate
with the proverbial canary in the coal mine.
This patch ensures that the correct process identifier is used by astcanary.
Note that this is getting committed to 10 as a regression fix.
(closes issue ASTERISK-20947)
Reported by: Jakob Hirsch
Tested by: mjordan
patches:
asterisk-10.12.0.astcanary_ppid.diff uploaded by Jakob Hirsch (license 6113)
........
Merged revisions 379509 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 379510 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@379513 65c4cc65-6c06-0410-ace0-fbb531ad65f3
XML encoding in chan_sip is accomplished by naively building the XML
directly from strings. While this usually works, it fails to take into
account escaping the reserved characters in XML.
This patch adds an 'ast_xml_escape' function, which works similarly to
'ast_uri_encode'. This is used to properly escape the local_display
attribute in XML formatted NOTIFY messages.
Several things to note:
* The Right Thing(TM) to do would probably be to replace the
ast_build_string stuff with building an ast_xml_doc. That's a much
bigger change, and out of scope for the original ticket, so I
refrained myself.
* It is with great sadness that I wrote my own ast_xml_escape
function. There's one in libxml2, but it's knee-deep in
libxml2-ness, and not easily used to one-off escape a
string.
* I only escaped the string we know is causing problems
(local_display). At least some of the other strings are
URI-encoded, which should be XML safe. Rather than figuring out
what's safe and escaping what's not, it would be much cleaner to
simply build an ast_xml_doc for the messages and let the XML
library do the XML escaping. Like I said, that's out of scope.
(closes issue ABE-2902)
Reported by: Guenther Kelleter
Tested by: Guenther Kelleter
Review: http://reviewboard.digium.internal/r/365/
........
Merged revision 378919 from https://origsvn.digium.com/svn/asterisk/be/branches/C.3-bier
........
Merged revisions 378933 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@378934 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This test event was missing from channel.c causing the dial_LS_options
test to fail intermittently because of a race condition where most code
paths emitted the test event but this one did not. The dial_LS_options
test should stop bouncing now.
........
Merged revisions 378455 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@378459 65c4cc65-6c06-0410-ace0-fbb531ad65f3
When reading configuration data from an Asterisk .conf file or when pulling
data from an Asterisk RealTime backend, Asterisk was copying the data on the
stack for manipulation. Unfortunately, it is possible to read configuration
data or realtime data from some data source that provides a large blob of
characters. This could potentially cause a crash via a stack overflow.
This patch prevents large sets of data from being read from an ARA backend or
from an Asterisk conf file.
(issue ASTERISK-20658)
Reported by: wdoekes
Tested by: wdoekes, mmichelson
patches:
* issueA20658_dont_process_overlong_config_lines.patch uploaded by wdoekes (license 5674)
* issueA20658_func_realtime_limit.patch uploaded by wdoekes (license 5674)
........
Merged revisions 378375 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@378376 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The AMI redirect action can fail to redirect two channels that are bridged
together. There is a race between the AMI thread redirecting the two
channels and the bridge thread noticing that a channel is hungup from the
redirects.
* Made the bridge wait for both channels to be redirected before exiting.
* Made the AMI redirect check that all required headers are present before
proceeding with the redirection.
* Made the AMI redirect require that any supplied ExtraChannel exist
before proceeding. Previously the code fell back to a single channel
redirect operation.
(closes issue ASTERISK-18975)
Reported by: Ben Klang
(closes issue ASTERISK-19948)
Reported by: Brent Dalgleish
Patches:
jira_asterisk_19948_v11.patch (license #5621) patch uploaded by rmudgett
Tested by: rmudgett, Thomas Sevestre, Deepak Lohani, Kayode
Review: https://reviewboard.asterisk.org/r/2243/
........
Merged revisions 378356 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@378358 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Asterisk maintains an internal cache for devices in the event subsystem. The
device state cache holds the state of each device known to Asterisk, such that
consumers of device state information can query for the last known state for
a particular device, even if it is not part of an active call. The concept of
a device in Asterisk can include entities that do not have a physical
representation. One way that this occurred was when anonymous calls are allowed
in Asterisk. A device was automatically created and stored in the cache for
each anonymous call that occurred; this was possible in the SIP and IAX2
channel drivers and through channel drivers that utilized the
res_jabber/res_xmpp resource modules (Gtalk, Jingle, and Motif). These devices
are never removed from the system, allowing anonymous calls to potentially
exhaust a system's resources.
This patch changes the event cache subsystem and device state management to
no longer cache devices that are not associated with a physical entity.
(issue ASTERISK-20175)
Reported by: Russell Bryant, Leif Madsen, Joshua Colp
Tested by: kmoore
patches:
event-cachability-3.diff uploaded by jcolp (license 5000)
........
Merged revisions 378303 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 378320 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@378321 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Asterisk had several places where messages received over various network
transports may be copied in a single stack allocation. In the case of TCP,
since multiple packets in a stream may be concatenated together, this can
lead to large allocations that overflow the stack.
This patch modifies those portions of Asterisk using TCP to either
favor heap allocations or use an upper bound to ensure that the stack will not
overflow:
* For SIP, the allocation now has an upper limit
* For HTTP, the allocation is now a heap allocation instead of a stack
allocation
* For XMPP (in res_jabber), the allocation has been eliminated since it was
unnecesary.
Note that the HTTP portion of this issue was independently found by Brandon
Edwards of Exodus Intelligence.
(issue ASTERISK-20658)
Reported by: wdoekes, Brandon Edwards
Tested by: mmichelson, wdoekes
patches:
ASTERISK-20658_res_jabber.c.patch uploaded by mmichelson (license 5049)
issueA20658_http_postvars_use_malloc2.patch uploaded by wdoekes (license 5674)
issueA20658_limit_sip_packet_size3.patch uploaded by wdoekes (license 5674)
........
Merged revisions 378269 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 378286 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@378287 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This was causing issues when using DESTDIR, since the path to which the link
pointed is not likely to exist (and not useful to exist) on the target system.
(issue ASTNOW-284)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@378073 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Kevin Harwell
Richard Mudgett
Michael L. Young
Jonathan Rose
David M. Lee
Alec L Davis
Matthew Jordan
Kinsey Moore
Jason Parker
Tzafrir Cohen
Mark Michelson
Russell Bryant
Walter Doekes