Importing release summary for 1.4.40.2 release.

git-svn-id: https://origsvn.digium.com/svn/asterisk/tags/1.4.40.2@315211 65c4cc65-6c06-0410-ace0-fbb531ad65f3

.version

@@ -1 +1 @@
-1.4.40-rc3
+1.4.40.2

ChangeLog

@@ -1,3 +1,31 @@
+2011-04-25  Leif Madsen <lmadsen@digium.com>
+
+	* Asterisk 1.4.40.2 Released.
+
+	* Reverted part of r314607, as it can introduce a regression.
+	  Specifically, the security check for the "system"
+	  privilege was removed. If a user had the "call" privilege but not the
+	  "system" privilege, they would lose the ability to execute the system
+	  app and dialplan functions that run commands in a shell. This branch
+	  never used the "system" privilege for that purpose and did not need to
+	  be patched.
+	
+	  (Related to AST-2011-006)
+
+2011-04-21  Leif Madsen <lmadsen@digium.com>
+
+	* Asterisk 1.4.40.1 Released.
+
+	* AST-2011-005: File Descriptor Resource Exhaustion
+
+	* AST-2011-006: Asterisk Manager User Shell Access
+
+2011-02-22  Leif Madsen <lmadsen@digium.com>
+
+	* Asterisk 1.4.40 Released.
+
+	* Merged changes related to AST-2011-002
+
 2011-02-16  Leif Madsen <lmadsen@digium.com>
 
 	* Asterisk 1.4.40-rc3 Released.

asterisk-1.4.40.2-summary.html

@@ -1,10 +1,10 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
-<head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><title>Release Summary - asterisk-1.4.40-rc3</title></head>
+<head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><title>Release Summary - asterisk-1.4.40.2</title></head>
 <body>
 <h1 align="center"><a name="top">Release Summary</a></h1>
-<h3 align="center">asterisk-1.4.40-rc3</h3>
-<h3 align="center">Date: 2011-02-16</h3>
+<h3 align="center">asterisk-1.4.40.2</h3>
+<h3 align="center">Date: 2011-04-25</h3>
 <h3 align="center">&lt;asteriskteam@digium.com&gt;</h3>
 <hr/>
 <h2 align="center">Table of Contents</h2>
@@ -17,7 +17,7 @@
 <hr/>
 <a name="summary"><h2 align="center">Summary</h2></a>
 <center><a href="#top">[Back to Top]</a></center><br/><p>This release includes only bug fixes.  The changes included were made only to address problems that have been identified in this release series.  Users should be able to safely upgrade to this version if this release series is already in use.  Users considering upgrading from a previous release series are strongly encouraged to review the UPGRADE.txt document as well as the CHANGES document for information about upgrading to this release series.</p>
-<p>The data in this summary reflects changes that have been made since the previous release, asterisk-1.4.40-rc2.</p>
+<p>The data in this summary reflects changes that have been made since the previous release, asterisk-1.4.40.1.</p>
 <hr/>
 <a name="contributors"><h2 align="center">Contributors</h2></a>
 <center><a href="#top">[Back to Top]</a></center><br/><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release.  For coders, the number is how many of their patches (of any size) were committed into this release.  For testers, the number is the number of times their name was listed as assisting with testing a patch.  Finally, for reporters, the number is the number of issues that they reported that were closed by commits that went into this release.</p>
@@ -41,19 +41,19 @@
 <a name="commits"><h2 align="center">Commits Not Associated with an Issue</h2></a>
 <center><a href="#top">[Back to Top]</a></center><br/><p>This is a list of all changes that went into this release that did not directly close an issue from the issue tracker.  The commits may have been marked as being related to an issue.  If that is the case, the issue numbers are listed here, as well.</p>
 <table width="100%" border="1">
-<tr><td><b>Revision</b></td><td><b>Author</b></td><td><b>Summary</b></td><td><b>Issues Referenced</b></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/branches/1.4?view=revision&revision=308139">308139</a></td><td>lmadsen</td><td>Create 1.4.40-rc3 from 1.4.40-rc2</td>
-<td></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/branches/1.4?view=revision&revision=308142">308142</a></td><td>lmadsen</td><td>Update .version file, remove older summary files, update ChangeLog, merge change that was a blocker for this release.</td>
+<tr><td><b>Revision</b></td><td><b>Author</b></td><td><b>Summary</b></td><td><b>Issues Referenced</b></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/branches/1.4?view=revision&revision=315209">315209</a></td><td>lmadsen</td><td>Create 1.4.40.2 from 1.4.40.1</td>
+<td></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/branches/1.4?view=revision&revision=315210">315210</a></td><td>lmadsen</td><td>Update .version, ChangeLog, and merge changes related to AST-2011-006</td>
 <td></td></tr></table>
 <hr/>
 <a name="diffstat"><h2 align="center">Diffstat Results</h2></a>
 <center><a href="#top">[Back to Top]</a></center><br/><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p>
 <pre>
-.version                         |    2
-ChangeLog                        |   22 +++++++++
-apps/app_queue.c                 |    1
-asterisk-1.4.40-rc2-summary.html |   60 --------------------------
-asterisk-1.4.40-rc2-summary.txt  |   90 ---------------------------------------
-5 files changed, 23 insertions(+), 152 deletions(-)
+.version                       |    2
+ChangeLog                      |   14 +++++
+asterisk-1.4.40.1-summary.html |   73 ---------------------------
+asterisk-1.4.40.1-summary.txt  |  109 -----------------------------------------
+main/manager.c                 |   18 ------
+5 files changed, 15 insertions(+), 201 deletions(-)
 </pre><br/>
 <hr/>
 </body>

asterisk-1.4.40.2-summary.txt

@@ -1,8 +1,8 @@
                                 Release Summary
 
-                              asterisk-1.4.40-rc3
+                               asterisk-1.4.40.2
 
-                                Date: 2011-02-16
+                                Date: 2011-04-25
 
                            <asteriskteam@digium.com>
 
@@ -30,7 +30,7 @@
    release series.
 
    The data in this summary reflects changes that have been made since the
-   previous release, asterisk-1.4.40-rc2.
+   previous release, asterisk-1.4.40.1.
 
      ----------------------------------------------------------------------
 
@@ -64,14 +64,11 @@
    +------------------------------------------------------------------------+
    | Revision | Author  | Summary                       | Issues Referenced |
    |----------+---------+-------------------------------+-------------------|
-   | 308139   | lmadsen | Create 1.4.40-rc3 from        |                   |
-   |          |         | 1.4.40-rc2                    |                   |
+   | 315209   | lmadsen | Create 1.4.40.2 from 1.4.40.1 |                   |
    |----------+---------+-------------------------------+-------------------|
-   |          |         | Update .version file, remove  |                   |
-   |          |         | older summary files, update   |                   |
-   | 308142   | lmadsen | ChangeLog, merge change that  |                   |
-   |          |         | was a blocker for this        |                   |
-   |          |         | release.                      |                   |
+   |          |         | Update .version, ChangeLog,   |                   |
+   | 315210   | lmadsen | and merge changes related to  |                   |
+   |          |         | AST-2011-006                  |                   |
    +------------------------------------------------------------------------+
 
      ----------------------------------------------------------------------
@@ -83,11 +80,11 @@
    This is a summary of the changes to the source code that went into this
    release that was generated using the diffstat utility.
 
- .version                         |    2
- ChangeLog                        |   22 +++++++++
- apps/app_queue.c                 |    1
- asterisk-1.4.40-rc2-summary.html |   60 --------------------------
- asterisk-1.4.40-rc2-summary.txt  |   90 ---------------------------------------
- 5 files changed, 23 insertions(+), 152 deletions(-)
+ .version                       |    2
+ ChangeLog                      |   14 +++++
+ asterisk-1.4.40.1-summary.html |   73 ---------------------------
+ asterisk-1.4.40.1-summary.txt  |  109 -----------------------------------------
+ main/manager.c                 |   18 ------
+ 5 files changed, 15 insertions(+), 201 deletions(-)
 
      ----------------------------------------------------------------------

channels/chan_skinny.c

@@ -96,8 +96,13 @@ enum skinny_codecs {
 #define DEFAULT_SKINNY_PORT	2000
 #define DEFAULT_SKINNY_BACKLOG	2
 #define SKINNY_MAX_PACKET	1000
+#define DEFAULT_AUTH_TIMEOUT	30
+#define DEFAULT_AUTH_LIMIT	50
 
 static int keep_alive = 120;
+static int auth_timeout = DEFAULT_AUTH_TIMEOUT;
+static int auth_limit = DEFAULT_AUTH_LIMIT;
+static int unauth_sessions = 0;
 static char date_format[6] = "D-M-Y";
 static char version_id[16] = "P002F202";
 
@@ -1060,6 +1065,7 @@ struct skinny_paging_device {
 static struct skinnysession {
 	pthread_t t;
 	ast_mutex_t lock;
+	time_t start;
 	struct sockaddr_in sin;
 	int fd;
 	char inbuf[SKINNY_MAX_PACKET];
@@ -3064,6 +3070,7 @@ static int handle_register_message(struct skinny_req *req, struct skinnysession
 		transmit_response(s, req);
 		return 0;
 	}
+	ast_atomic_fetchadd_int(&unauth_sessions, -1);
 	if (option_verbose > 2)
 		ast_verbose(VERBOSE_PREFIX_3 "Device '%s' successfully registered\n", name);
 
@@ -4427,6 +4434,9 @@ static void destroy_session(struct skinnysession *s)
 		if (s->fd > -1) {
 			close(s->fd);
 		}
+		if (!s->device) {
+			ast_atomic_fetchadd_int(&unauth_sessions, -1);
+		}
 		ast_mutex_destroy(&s->lock);
 		free(s);
 	} else {
@@ -4439,13 +4449,30 @@ static int get_input(struct skinnysession *s)
 {
 	int res;
 	int dlen = 0;
+	int timeout = keep_alive * 1100;
+	time_t now;
 	int *bufaddr;
 	struct pollfd fds[1];
 
+	if (!s->device) {
+		if(time(&now) == -1) {
+			ast_log(LOG_ERROR, "error executing time(): %s\n", strerror(errno));
+			return -1;
+		}
+
+		timeout = (auth_timeout - (now - s->start)) * 1000;
+		if (timeout < 0) {
+			/* we have timed out */
+			if (skinnydebug)
+				ast_verbose("Skinny Client failed to authenticate in %d seconds\n", auth_timeout);
+			return -1;
+		}
+	}
+
  	fds[0].fd = s->fd;
 	fds[0].events = POLLIN;
 	fds[0].revents = 0;
-	res = ast_poll(fds, 1, (keep_alive * 1100)); /* If nothing has happen, client is dead */
+	res = ast_poll(fds, 1, timeout); /* If nothing has happen, client is dead */
 						 /* we add 10% to the keep_alive to deal */
 						 /* with network delays, etc */
 	if (res < 0) {
@@ -4454,8 +4481,13 @@ static int get_input(struct skinnysession *s)
 			return res;
 		}
  	} else if (res == 0) {
-		if (skinnydebug)
-			ast_verbose("Skinny Client was lost, unregistering\n");
+		if (skinnydebug) {
+			if (s->device) {
+				ast_verbose("Skinny Client was lost, unregistering\n");
+			} else {
+				ast_verbose("Skinny Client failed to authenticate in %d seconds\n", auth_timeout);
+			}
+		}
 		skinny_unregister(NULL, s);
 		return -1;
 	}
@@ -4594,18 +4626,35 @@ static void *accept_thread(void *ignore)
 			ast_log(LOG_NOTICE, "Accept returned -1: %s\n", strerror(errno));
 			continue;
 		}
+
+		if (ast_atomic_fetchadd_int(&unauth_sessions, +1) >= auth_limit) {
+			close(as);
+			ast_atomic_fetchadd_int(&unauth_sessions, -1);
+			continue;
+		}
+
 		p = getprotobyname("tcp");
 		if(p) {
 			if( setsockopt(as, p->p_proto, TCP_NODELAY, (char *)&arg, sizeof(arg) ) < 0 ) {
 				ast_log(LOG_WARNING, "Failed to set Skinny tcp connection to TCP_NODELAY mode: %s\n", strerror(errno));
 			}
 		}
-		if (!(s = ast_calloc(1, sizeof(struct skinnysession))))
+		if (!(s = ast_calloc(1, sizeof(struct skinnysession)))) {
+			close(as);
+			ast_atomic_fetchadd_int(&unauth_sessions, -1);
 			continue;
+		}
 
 		memcpy(&s->sin, &sin, sizeof(sin));
 		ast_mutex_init(&s->lock);
 		s->fd = as;
+
+		if(time(&s->start) == -1) {
+			ast_log(LOG_ERROR, "error executing time(): %s; disconnecting client\n", strerror(errno));
+			destroy_session(s);
+			continue;
+		}
+
 		ast_mutex_lock(&sessionlock);
 		s->next = sessions;
 		sessions = s;
@@ -4756,6 +4805,24 @@ static int reload_config(void)
 			}
 		} else if (!strcasecmp(v->name, "keepalive")) {
 			keep_alive = atoi(v->value);
+		} else if (!strcasecmp(v->name, "authtimeout")) {
+			int timeout = atoi(v->value);
+
+			if (timeout < 1) {
+				ast_log(LOG_WARNING, "Invalid authtimeout value '%s', using default value\n", v->value);
+				auth_timeout = DEFAULT_AUTH_TIMEOUT;
+			} else {
+				auth_timeout = timeout;
+			}
+		} else if (!strcasecmp(v->name, "authlimit")) {
+			int limit = atoi(v->value);
+
+			if (limit < 1) {
+				ast_log(LOG_WARNING, "Invalid authlimit value '%s', using default value\n", v->value);
+				auth_limit = DEFAULT_AUTH_LIMIT;
+			} else {
+				auth_limit = limit;
+			}
 		} else if (!strcasecmp(v->name, "dateformat")) {
 			memcpy(date_format, v->value, sizeof(date_format));
 		} else if (!strcasecmp(v->name, "allow")) {

configs/http.conf.sample

@@ -26,7 +26,12 @@ bindport=8088
 ; requests must begin with /asterisk
 ;
 ;prefix=asterisk
-
+;
+; sessionlimit specifies the maximum number of httpsessions that will be
+; allowed to exist at any given time. (default: 100)
+;
+;sessionlimit=100
+;
 ; The post_mappings section maps URLs to real paths on the filesystem.  If a
 ; POST is done from within an authenticated manager session to one of the
 ; configured POST mappings, then any files in the POST will be placed in the

configs/manager.conf.sample

@@ -26,6 +26,17 @@ enabled = no
 ;webenabled = yes
 port = 5038
 
+; authtimeout specifies the maximum number of seconds a client has to
+; authenticate.  If the client does not authenticate beofre this timeout
+; expires, the client will be disconnected. (default: 30 seconds)
+
+;authtimeout = 30
+
+; authlimit specifies the maximum number of unauthenticated sessions that will
+; be allowed to connect at any given time.
+
+;authlimit = 50
+
 ;httptimeout = 60
 ; a) httptimeout sets the Max-Age of the http cookie
 ; b) httptimeout is the amount of time the webserver waits 

configs/skinny.conf.sample

@@ -9,6 +9,15 @@ dateformat=M-D-Y	; M,D,Y in any order (6 chars max)
 			; Use M for month, D for day, Y for year, A for 12-hour time.
 keepalive=120
 
+;authtimeout = 30       ; authtimeout specifies the maximum number of seconds a
+			; client has to authenticate.  If the client does not
+			; authenticate beofre this timeout expires, the client
+                        ; will be disconnected.  (default: 30 seconds)
+
+;authlimit = 50         ; authlimit specifies the maximum number of
+			; unauthenticated sessions that will be allowed to
+                        ; connect at any given time. (default: 50)
+
 ;allow=all		; see doc/rtp-packetization for framing options
 ;disallow=
 

main/http.c

@@ -60,6 +60,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
 
 #define MAX_PREFIX 80
 #define DEFAULT_PREFIX "/asterisk"
+#define DEFAULT_SESSION_LIMIT 100
 
 struct ast_http_server_instance {
 	FILE *f;
@@ -77,6 +78,8 @@ static char prefix[MAX_PREFIX];
 static int prefix_len;
 static struct sockaddr_in oldsin;
 static int enablestatic;
+static int session_limit = DEFAULT_SESSION_LIMIT;
+static int session_count = 0;
 
 /*! \brief Limit the kinds of files we're willing to serve up */
 static struct {
@@ -516,6 +519,7 @@ static void *ast_httpd_helper_thread(void *data)
 	}
 	fclose(ser->f);
 	free(ser);
+	ast_atomic_fetchadd_int(&session_count, -1);
 	return NULL;
 }
 
@@ -534,15 +538,23 @@ static void *http_root(void *data)
 		ast_wait_for_input(httpfd, -1);
 		sinlen = sizeof(sin);
 		fd = accept(httpfd, (struct sockaddr *)&sin, &sinlen);
+
 		if (fd < 0) {
 			if ((errno != EAGAIN) && (errno != EINTR))
 				ast_log(LOG_WARNING, "Accept failed: %s\n", strerror(errno));
 			continue;
 		}
+
+		if (ast_atomic_fetchadd_int(&session_count, +1) >= session_limit) {
+			close(fd);
+			continue;
+		}
+
 		ser = ast_calloc(1, sizeof(*ser));
 		if (!ser) {
 			ast_log(LOG_WARNING, "No memory for new session: %s\n", strerror(errno));
 			close(fd);
+			ast_atomic_fetchadd_int(&session_count, -1);
 			continue;
 		}
 		flags = fcntl(fd, F_GETFL);
@@ -557,12 +569,14 @@ static void *http_root(void *data)
 				ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno));
 				fclose(ser->f);
 				free(ser);
+				ast_atomic_fetchadd_int(&session_count, -1);
 			}
 			pthread_attr_destroy(&attr);
 		} else {
 			ast_log(LOG_WARNING, "fdopen failed!\n");
 			close(ser->fd);
 			free(ser);
+			ast_atomic_fetchadd_int(&session_count, -1);
 		}
 	}
 	return NULL;
@@ -679,8 +693,17 @@ static int __ast_http_load(int reload)
 				} else {
 					newprefix[0] = '\0';
 				}
-					
+			} else if (!strcasecmp(v->name, "sessionlimit")) {
+				int limit = atoi(v->value);
+
+				if (limit < 1) {
+					ast_log(LOG_WARNING, "Invalid sessionlimit value '%s', using default value\n", v->value);
+					session_limit = DEFAULT_SESSION_LIMIT;
+				} else {
+					session_limit = limit;
+				}
 			}
+
 			v = v->next;
 		}
 		ast_config_destroy(cfg);

main/manager.c

@@ -104,6 +104,8 @@ static const int DEFAULT_DISPLAYCONNECTS	= 1;	/*!< Default setting for displayin
 static const int DEFAULT_TIMESTAMPEVENTS	= 0;	/*!< Default setting for timestampevents */	
 static const int DEFAULT_HTTPTIMEOUT 		= 60;	/*!< Default manager http timeout */
 static const int DEFAULT_BROKENEVENTSACTION	= 0;	/*!< Default setting for brokeneventsaction */
+static const int DEFAULT_AUTHTIMEOUT		= 30;	/*!< Default setting for authtimeout */
+static const int DEFAULT_AUTHLIMIT		= 50;	/*!< Default setting for authlimit */
 
 
 static int enabled;
@@ -113,10 +115,13 @@ static int displayconnects;
 static int timestampevents;
 static int httptimeout;
 static int broken_events_action;
+static int authtimeout;
+static int authlimit;
 
 static pthread_t t;
 static int block_sockets;
 static int num_sessions;
+static int unauth_sessions = 0;
 
 /* Protected by the sessions list lock */
 struct eventqent *master_eventq = NULL;
@@ -222,6 +227,7 @@ struct mansession_session {
 	struct eventqent *eventq;
 	/* Timeout for ast_carefulwrite() */
 	int writetimeout;
+	time_t authstart;
 	int pending_event;         /*!< Pending events indicator in case when waiting_thread is NULL */
 	AST_LIST_ENTRY(mansession_session) list;
 };
@@ -2305,6 +2311,7 @@ static int process_message(struct mansession *s, const struct message *m)
 				return -1;
 			} else {
 				s->session->authenticated = 1;
+				ast_atomic_fetchadd_int(&unauth_sessions, -1);
 				if (option_verbose > 1) {
 					if (displayconnects) {
 						ast_verbose(VERBOSE_PREFIX_2 "%sManager '%s' logged on from %s\n", 
@@ -2354,6 +2361,8 @@ static int get_input(struct mansession_session *s, char *output)
 	int res;
 	int x;
 	struct pollfd fds[1];
+	int timeout = -1;
+	time_t now;
 	for (x = 1; x < s->inlen; x++) {
 		if ((s->inbuf[x] == '\n') && (s->inbuf[x-1] == '\r')) {
 			/* Copy output data up to and including \r\n */
@@ -2372,7 +2381,22 @@ static int get_input(struct mansession_session *s, char *output)
 	}
 	fds[0].fd = s->fd;
 	fds[0].events = POLLIN;
+
 	do {
+		/* calculate a timeout if we are not authenticated */
+		if (!s->authenticated) {
+			if(time(&now) == -1) {
+				ast_log(LOG_ERROR, "error executing time(): %s\n", strerror(errno));
+				return -1;
+			}
+
+			timeout = (authtimeout - (now - s->authstart)) * 1000;
+			if (timeout < 0) {
+				/* we have timed out */
+				return 0;
+			}
+		}
+
 		ast_mutex_lock(&s->__lock);
 		if (s->pending_event) {
 			s->pending_event = 0;
@@ -2382,7 +2406,7 @@ static int get_input(struct mansession_session *s, char *output)
 		s->waiting_thread = pthread_self();
 		ast_mutex_unlock(&s->__lock);
 
-		res = ast_poll(fds, 1, -1);
+		res = ast_poll(fds, 1, timeout);
 
 		ast_mutex_lock(&s->__lock);
 		s->waiting_thread = AST_PTHREADT_NULL;
@@ -2400,6 +2424,9 @@ static int get_input(struct mansession_session *s, char *output)
 			if (res < 1)
 				return -1;
 			break;
+		} else {
+			/* timeout */
+			return 0;
 		}
 	} while(1);
 	s->inlen += res;
@@ -2412,6 +2439,7 @@ static int do_message(struct mansession *s)
 	struct message m = { 0 };
 	char header_buf[sizeof(s->session->inbuf)] = { '\0' };
 	int res;
+	time_t now;
 
 	for (;;) {
 		/* Check if any events are pending and do them if needed */
@@ -2421,6 +2449,17 @@ static int do_message(struct mansession *s)
 		}
 		res = get_input(s->session, header_buf);
 		if (res == 0) {
+			if (!s->session->authenticated) {
+				if(time(&now) == -1) {
+					ast_log(LOG_ERROR, "error executing time(): %s\n", strerror(errno));
+					return -1;
+				}
+
+				if (now - s->session->authstart > authtimeout) {
+					ast_log(LOG_EVENT, "Client from %s, failed to authenticate in %d seconds\n", ast_inet_ntoa(s->session->sin.sin_addr), authtimeout);
+					return -1;
+				}
+			}
 			continue;
 		} else if (res > 0) {
 			/* Strip trailing \r\n */
@@ -2455,6 +2494,7 @@ static void *session_do(void *data)
 		}
 		ast_log(LOG_EVENT, "Manager '%s' logged off from %s\n", session->username, ast_inet_ntoa(session->sin.sin_addr));
 	} else {
+		ast_atomic_fetchadd_int(&unauth_sessions, -1);
 		if (option_verbose > 1) {
 			if (displayconnects)
 				ast_verbose(VERBOSE_PREFIX_2 "Connect attempt from '%s' unable to authenticate\n", ast_inet_ntoa(session->sin.sin_addr));
@@ -2528,14 +2568,25 @@ static void *accept_thread(void *ignore)
 			ast_log(LOG_NOTICE, "Accept returned -1: %s\n", strerror(errno));
 			continue;
 		}
+
+		if (ast_atomic_fetchadd_int(&unauth_sessions, +1) >= authlimit) {
+			close(as);
+			ast_atomic_fetchadd_int(&unauth_sessions, -1);
+			ast_log(LOG_WARNING, "manager connection rejected, too many unauthenticated sessions.\n");
+			continue;
+		}
+
 		p = getprotobyname("tcp");
 		if (p) {
 			if( setsockopt(as, p->p_proto, TCP_NODELAY, (char *)&arg, sizeof(arg) ) < 0 ) {
 				ast_log(LOG_WARNING, "Failed to set manager tcp connection to TCP_NODELAY mode: %s\n", strerror(errno));
 			}
 		}
-		if (!(s = ast_calloc(1, sizeof(*s))))
+		if (!(s = ast_calloc(1, sizeof(*s)))) {
+			close(as);
+			ast_atomic_fetchadd_int(&unauth_sessions, -1);
 			continue;
+		}
 
 		memcpy(&s->sin, &sin, sizeof(sin));
 		s->writetimeout = 100;
@@ -2562,8 +2613,16 @@ static void *accept_thread(void *ignore)
 			s->eventq = s->eventq->next;
 		ast_atomic_fetchadd_int(&s->eventq->usecount, 1);
 		AST_LIST_UNLOCK(&sessions);
-		if (ast_pthread_create_background(&t, &attr, session_do, s))
+		if(time(&s->authstart) == -1) {
+			ast_log(LOG_ERROR, "error executing time(): %s; disconnecting client\n", strerror(errno));
+			ast_atomic_fetchadd_int(&unauth_sessions, -1);
 			destroy_session(s);
+			continue;
+		}
+		if (ast_pthread_create_background(&t, &attr, session_do, s)) {
+			ast_atomic_fetchadd_int(&unauth_sessions, -1);
+			destroy_session(s);
+		}
 	}
 	pthread_attr_destroy(&attr);
 	return NULL;
@@ -3100,6 +3159,8 @@ int init_manager(void)
 	block_sockets = DEFAULT_BLOCKSOCKETS;
 	timestampevents = DEFAULT_TIMESTAMPEVENTS;
 	httptimeout = DEFAULT_HTTPTIMEOUT;
+	authtimeout = DEFAULT_AUTHTIMEOUT;
+	authlimit = DEFAULT_AUTHLIMIT;
 
 	cfg = ast_config_load("manager.conf");
 	if (!cfg) {
@@ -3137,6 +3198,26 @@ int init_manager(void)
 	if ((val = ast_variable_retrieve(cfg, "general", "httptimeout")))
 		newhttptimeout = atoi(val);
 
+	if ((val = ast_variable_retrieve(cfg, "general", "authtimeout"))) {
+		int timeout = atoi(val);
+
+		if (timeout < 1) {
+			ast_log(LOG_WARNING, "Invalid authtimeout value '%s', using default value\n", val);
+		} else {
+			authtimeout = timeout;
+		}
+	}
+
+	if ((val = ast_variable_retrieve(cfg, "general", "authlimit"))) {
+		int limit = atoi(val);
+
+		if (limit < 1) {
+			ast_log(LOG_WARNING, "Invalid authlimit value '%s', using default value\n", val);
+		} else {
+			authlimit = limit;
+		}
+	}
+
 	memset(&ba, 0, sizeof(ba));
 	ba.sin_family = AF_INET;
 	ba.sin_port = htons(portno);

main/udptl.c

@@ -175,37 +175,31 @@ static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue)
 	}
 	*pvalue = (buf[*len] & 0x3F) << 14;
 	(*len)++;
-	/* Indicate we have a fragment */
+	/* We have a fragment.  Currently we don't process fragments. */
+	if (option_debug) {
+		ast_log(LOG_DEBUG, "UDPTL packet with length greater than 16K received, decoding will fail\n");
+	}
 	return 1;
 }
 /*- End of function --------------------------------------------------------*/
 
 static int decode_open_type(uint8_t *buf, int limit, int *len, const uint8_t **p_object, int *p_num_octets)
 {
-	int octet_cnt;
-	int octet_idx;
-	int stat;
-	int i;
-	const uint8_t **pbuf;
+	int octet_cnt = 0;
 
-	for (octet_idx = 0, *p_num_octets = 0; ; octet_idx += octet_cnt) {
-		if ((stat = decode_length(buf, limit, len, &octet_cnt)) < 0)
+	if (decode_length(buf, limit, len, &octet_cnt) != 0)
+		return -1;
+
+	if (octet_cnt > 0) {
+		/* Make sure the buffer contains at least the number of bits requested */
+		if ((*len + octet_cnt) > limit)
 			return -1;
-		if (octet_cnt > 0) {
-			*p_num_octets += octet_cnt;
 
-			pbuf = &p_object[octet_idx];
-			i = 0;
-			/* Make sure the buffer contains at least the number of bits requested */
-			if ((*len + octet_cnt) > limit)
-				return -1;
-
-			*pbuf = &buf[*len];
-			*len += octet_cnt;
-		}
-		if (stat == 0)
-			break;
+		*p_num_octets = octet_cnt;
+		*p_object = &buf[*len];
+		*len += octet_cnt;
 	}
+
 	return 0;
 }
 /*- End of function --------------------------------------------------------*/
@@ -290,8 +284,8 @@ static int udptl_rx_packet(struct ast_udptl *s, uint8_t *buf, int len)
 	const uint8_t *data;
 	int ifp_len;
 	int repaired[16];
-	const uint8_t *bufs[16];
-	int lengths[16];
+	const uint8_t *bufs[ARRAY_LEN(s->f) - 1];
+	int lengths[ARRAY_LEN(s->f) - 1];
 	int span;
 	int entries;
 	int ifp_no;
@@ -321,13 +315,13 @@ static int udptl_rx_packet(struct ast_udptl *s, uint8_t *buf, int len)
 			do {
 				if ((stat2 = decode_length(buf, len, &ptr, &count)) < 0)
 					return -1;
-				for (i = 0; i < count; i++) {
+				for (i = 0; i < count && total_count + i < ARRAY_LEN(bufs); i++) {
 					if ((stat = decode_open_type(buf, len, &ptr, &bufs[total_count + i], &lengths[total_count + i])) != 0)
 						return -1;
 				}
-				total_count += count;
+				total_count += i;
 			}
-			while (stat2 > 0);
+			while (stat2 > 0 && total_count < ARRAY_LEN(bufs));
 			/* Step through in reverse order, so we go oldest to newest */
 			for (i = total_count; i > 0; i--) {
 				if (seq_no - i >= s->rx_seq_no) {
@@ -390,6 +384,9 @@ static int udptl_rx_packet(struct ast_udptl *s, uint8_t *buf, int len)
 		if (ptr + 1 > len)
 			return -1;
 		entries = buf[ptr++];
+		if (entries > MAX_FEC_ENTRIES) {
+			return -1;
+		}
 		s->rx[x].fec_entries = entries;
 
 		/* Decode the elements */