Update for 15.4.1

When endpoint specific ACL rules block a SIP request they respond with a
403 forbidden.  However, if an endpoint is not identified then a 401
unauthorized response is sent.  This vulnerability just discloses which
requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain
access to the disclosed endpoints.

* Made endpoint specific ACL rules now respond with a 401 unauthorized
which is the same as if an endpoint were not identified.  The fix is
accomplished by replacing the found endpoint with the artificial endpoint
which always fails authentication.

ASTERISK-27818

Change-Id: I716c998d5fad7a12bf6cf1747102189080a4b6de

.lastclean

@@ -0,0 +1 @@
+40

.version

@@ -0,0 +1 @@
+15.4.1

asterisk-15.4.1-summary.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-15.4.1</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-15.4.1</h3><h3 align="center">Date: 2018-06-11</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
+<li><a href="#summary">Summary</a></li>
+<li><a href="#contributors">Contributors</a></li>
+<li><a href="#closed_issues">Closed Issues</a></li>
+<li><a href="#commits">Other Changes</a></li>
+<li><a href="#diffstat">Diffstat</a></li>
+</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
+<li><a href="http://downloads.asterisk.org/pub/security/AST-2018-007,AST-2018-008.html">AST-2018-007,AST-2018-008</a></li>
+</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-15.4.0.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
+<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
+<tr valign="top"><td width="33%">1 Sean Bright <sean.bright@gmail.com><br/>1 Kevin Harwell <kharwell@digium.com><br/>1 Richard Mudgett <rmudgett@digium.com><br/></td><td width="33%"><td width="33%">1 John <john@antme.com><br/>1 Sean Bright <sean.bright@gmail.com><br/></td></tr>
+</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Security</h3><h4>Category: Core/HTTP</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27807">ASTERISK-27807</a>: iostreams: Potential DoS when client connection closed prematurely<br/>Reported by: Sean Bright<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=a0061587f18c6bd54a4149d4ce83eb5bc4d30565">[a0061587f1]</a> Sean Bright -- AST-2018-007: iostreams potential DoS when client connection closed prematurely</li>
+</ul><br><h4>Category: Resources/res_pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27818">ASTERISK-27818</a>: Username bruteforce is possible when using ACL with PJSIP<br/>Reported by: John<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=888979a7ee889271df82d6c8a2253ffa50c74701">[888979a7ee]</a> Richard Mudgett -- AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.</li>
+</ul><br><hr><a name="commits"><h2 align="center">Commits Not Associated with an Issue</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all changes that went into this release that did not reference a JIRA issue.</p><table width="100%" border="1">
+<tr><th>Revision</th><th>Author</th><th>Summary</th></tr>
+<tr><td><a href="https://code.asterisk.org/code/changelog/asterisk?cs=6b6402adf3c51e2f5cd7b255fe6a66655f57f753">6b6402adf3</a></td><td>Kevin Harwell</td><td>Update for 15.4.1</td></tr>
+</table><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>asterisk-15.4.0-summary.html   |  380 -----------------
+asterisk-15.4.0-summary.txt    |  906 -----------------------------------------
+b/.version                     |    2
+b/ChangeLog                    |   37 +
+b/asterisk-15.4.1-summary.html |   15
+b/asterisk-15.4.1-summary.txt  |   92 ++++
+b/main/iostream.c              |    9
+7 files changed, 153 insertions(+), 1288 deletions(-)</pre><br></html>

asterisk-15.4.1-summary.txt

@@ -0,0 +1,116 @@
+                                Release Summary
+
+                                asterisk-15.4.1
+
+                                Date: 2018-06-11
+
+                           <asteriskteam@digium.com>
+
+     ----------------------------------------------------------------------
+
+                               Table of Contents
+
+    1. Summary
+    2. Contributors
+    3. Closed Issues
+    4. Other Changes
+    5. Diffstat
+
+     ----------------------------------------------------------------------
+
+                                    Summary
+
+                                 [Back to Top]
+
+   This release has been made to address one or more security vulnerabilities
+   that have been identified. A security advisory document has been published
+   for each vulnerability that includes additional information. Users of
+   versions of Asterisk that are affected are strongly encouraged to review
+   the advisories and determine what action they should take to protect their
+   systems from these issues.
+
+   Security Advisories:
+
+     * AST-2018-007,AST-2018-008
+
+   The data in this summary reflects changes that have been made since the
+   previous release, asterisk-15.4.0.
+
+     ----------------------------------------------------------------------
+
+                                  Contributors
+
+                                 [Back to Top]
+
+   This table lists the people who have submitted code, those that have
+   tested patches, as well as those that reported issues on the issue tracker
+   that were resolved in this release. For coders, the number is how many of
+   their patches (of any size) were committed into this release. For testers,
+   the number is the number of times their name was listed as assisting with
+   testing a patch. Finally, for reporters, the number is the number of
+   issues that they reported that were affected by commits that went into
+   this release.
+
+   Coders                   Testers                  Reporters                
+   1 Sean Bright                                     1 John                   
+   1 Kevin Harwell                                   1 Sean Bright            
+   1 Richard Mudgett        
+
+     ----------------------------------------------------------------------
+
+                                 Closed Issues
+
+                                 [Back to Top]
+
+   This is a list of all issues from the issue tracker that were closed by
+   changes that went into this release.
+
+  Security
+
+    Category: Core/HTTP
+
+   ASTERISK-27807: iostreams: Potential DoS when client connection closed
+   prematurely
+   Reported by: Sean Bright
+     * [a0061587f1] Sean Bright -- AST-2018-007: iostreams potential DoS when
+       client connection closed prematurely
+
+    Category: Resources/res_pjsip
+
+   ASTERISK-27818: Username bruteforce is possible when using ACL with PJSIP
+   Reported by: John
+     * [888979a7ee] Richard Mudgett -- AST-2018-008: Fix enumeration of
+       endpoints from ACL rejected addresses.
+
+     ----------------------------------------------------------------------
+
+                      Commits Not Associated with an Issue
+
+                                 [Back to Top]
+
+   This is a list of all changes that went into this release that did not
+   reference a JIRA issue.
+
+   +------------------------------------------------------------------------+
+   | Revision           | Author                | Summary                   |
+   |--------------------+-----------------------+---------------------------|
+   | 6b6402adf3         | Kevin Harwell         | Update for 15.4.1         |
+   +------------------------------------------------------------------------+
+
+     ----------------------------------------------------------------------
+
+                                Diffstat Results
+
+                                 [Back to Top]
+
+   This is a summary of the changes to the source code that went into this
+   release that was generated using the diffstat utility.
+
+ asterisk-15.4.0-summary.html   |  380 -----------------
+ asterisk-15.4.0-summary.txt    |  906 -----------------------------------------
+ b/.version                     |    2
+ b/ChangeLog                    |   37 +
+ b/asterisk-15.4.1-summary.html |   15
+ b/asterisk-15.4.1-summary.txt  |   92 ++++
+ b/main/iostream.c              |    9
+ 7 files changed, 153 insertions(+), 1288 deletions(-)

bridges/bridge_softmix.c

@@ -1318,6 +1318,12 @@ static void remb_collect_report(struct ast_bridge *bridge, struct ast_bridge_cha
 			break;
 		}
 	}
+
+	/* After the report is integrated we reset this to 0 in case they stop producing
+	 * REMB reports.
+	 */
+	sc->remb.br_mantissa = 0;
+	sc->remb.br_exp = 0;
 }
 
 static void remb_send_report(struct ast_bridge_channel *bridge_channel, struct softmix_channel *sc)
@@ -1328,20 +1334,18 @@ static void remb_send_report(struct ast_bridge_channel *bridge_channel, struct s
 		return;
 	}
 
-	/* If we have a new bitrate then use it for the REMB, if not we use the previous
-	 * one until we know otherwise. This way the bitrate doesn't drop to 0 all of a sudden.
+	/* We always do this calculation as even when the bitrate is zero the browser
+	 * still prefers it to be accurate instead of lying.
 	 */
-	if (sc->remb_collector->bitrate) {
-		sc->remb_collector->feedback.remb.br_mantissa = sc->remb_collector->bitrate;
-		sc->remb_collector->feedback.remb.br_exp = 0;
+	sc->remb_collector->feedback.remb.br_mantissa = sc->remb_collector->bitrate;
+	sc->remb_collector->feedback.remb.br_exp = 0;
 
-		/* The mantissa only has 18 bits available, so while it exceeds them we bump
-		 * up the exp.
-		 */
-		while (sc->remb_collector->feedback.remb.br_mantissa > 0x3ffff) {
-			sc->remb_collector->feedback.remb.br_mantissa = sc->remb_collector->feedback.remb.br_mantissa >> 1;
-			sc->remb_collector->feedback.remb.br_exp++;
-		}
+	/* The mantissa only has 18 bits available, so while it exceeds them we bump
+	 * up the exp.
+	 */
+	while (sc->remb_collector->feedback.remb.br_mantissa > 0x3ffff) {
+		sc->remb_collector->feedback.remb.br_mantissa = sc->remb_collector->feedback.remb.br_mantissa >> 1;
+		sc->remb_collector->feedback.remb.br_exp++;
 	}
 
 	for (i = 0; i < AST_VECTOR_SIZE(&bridge_channel->stream_map.to_bridge); ++i) {
@@ -2062,6 +2066,7 @@ static void softmix_bridge_stream_topology_changed(struct ast_bridge *bridge, st
 	struct ast_bridge_channel *participant;
 	struct ast_vector_int media_types;
 	int nths[AST_MEDIA_TYPE_END] = {0};
+	int idx;
 
 	switch (bridge->softmix.video_mode.mode) {
 	case AST_BRIDGE_VIDEO_MODE_NONE:
@@ -2080,7 +2085,10 @@ static void softmix_bridge_stream_topology_changed(struct ast_bridge *bridge, st
 	 * When channels end up getting added back in they'll reuse their existing
 	 * collector and won't need to allocate a new one (unless they were just added).
 	 */
-	AST_VECTOR_RESET(&softmix_data->remb_collectors, ao2_cleanup);
+	for (idx = 0; idx < AST_VECTOR_SIZE(&softmix_data->remb_collectors); ++idx) {
+		ao2_cleanup(AST_VECTOR_GET(&softmix_data->remb_collectors, idx));
+		AST_VECTOR_REPLACE(&softmix_data->remb_collectors, idx, NULL);
+	}
 
 	/* First traversal: re-initialize all of the participants' stream maps */
 	AST_LIST_TRAVERSE(&bridge->channels, participant, entry) {

contrib/realtime/mssql/mssql_cdr.sql

@@ -0,0 +1,58 @@
+BEGIN TRANSACTION;
+
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+GO
+
+-- Running upgrade  -> 210693f3123d
+
+CREATE TABLE cdr (
+    accountcode VARCHAR(20) NULL, 
+    src VARCHAR(80) NULL, 
+    dst VARCHAR(80) NULL, 
+    dcontext VARCHAR(80) NULL, 
+    clid VARCHAR(80) NULL, 
+    channel VARCHAR(80) NULL, 
+    dstchannel VARCHAR(80) NULL, 
+    lastapp VARCHAR(80) NULL, 
+    lastdata VARCHAR(80) NULL, 
+    start DATETIME NULL, 
+    answer DATETIME NULL, 
+    [end] DATETIME NULL, 
+    duration INTEGER NULL, 
+    billsec INTEGER NULL, 
+    disposition VARCHAR(45) NULL, 
+    amaflags VARCHAR(45) NULL, 
+    userfield VARCHAR(256) NULL, 
+    uniqueid VARCHAR(150) NULL, 
+    linkedid VARCHAR(150) NULL, 
+    peeraccount VARCHAR(20) NULL, 
+    sequence INTEGER NULL
+);
+
+GO
+
+INSERT INTO alembic_version (version_num) VALUES ('210693f3123d');
+
+GO
+
+-- Running upgrade 210693f3123d -> 54cde9847798
+
+ALTER TABLE cdr ALTER COLUMN accountcode VARCHAR(80);
+
+GO
+
+ALTER TABLE cdr ALTER COLUMN peeraccount VARCHAR(80);
+
+GO
+
+UPDATE alembic_version SET version_num='54cde9847798' WHERE alembic_version.version_num = '210693f3123d';
+
+GO
+
+COMMIT;
+
+GO
+

contrib/realtime/mssql/mssql_voicemail.sql

@@ -0,0 +1,54 @@
+BEGIN TRANSACTION;
+
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+GO
+
+-- Running upgrade  -> a2e9769475e
+
+CREATE TABLE voicemail_messages (
+    dir VARCHAR(255) NOT NULL, 
+    msgnum INTEGER NOT NULL, 
+    context VARCHAR(80) NULL, 
+    macrocontext VARCHAR(80) NULL, 
+    callerid VARCHAR(80) NULL, 
+    origtime INTEGER NULL, 
+    duration INTEGER NULL, 
+    recording IMAGE NULL, 
+    flag VARCHAR(30) NULL, 
+    category VARCHAR(30) NULL, 
+    mailboxuser VARCHAR(30) NULL, 
+    mailboxcontext VARCHAR(30) NULL, 
+    msg_id VARCHAR(40) NULL
+);
+
+GO
+
+ALTER TABLE voicemail_messages ADD CONSTRAINT voicemail_messages_dir_msgnum PRIMARY KEY (dir, msgnum);
+
+GO
+
+CREATE INDEX voicemail_messages_dir ON voicemail_messages (dir);
+
+GO
+
+INSERT INTO alembic_version (version_num) VALUES ('a2e9769475e');
+
+GO
+
+-- Running upgrade a2e9769475e -> 39428242f7f5
+
+ALTER TABLE voicemail_messages ALTER COLUMN recording IMAGE;
+
+GO
+
+UPDATE alembic_version SET version_num='39428242f7f5' WHERE alembic_version.version_num = 'a2e9769475e';
+
+GO
+
+COMMIT;
+
+GO
+

contrib/realtime/mysql/mysql_cdr.sql

@@ -0,0 +1,40 @@
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+-- Running upgrade  -> 210693f3123d
+
+CREATE TABLE cdr (
+    accountcode VARCHAR(20), 
+    src VARCHAR(80), 
+    dst VARCHAR(80), 
+    dcontext VARCHAR(80), 
+    clid VARCHAR(80), 
+    channel VARCHAR(80), 
+    dstchannel VARCHAR(80), 
+    lastapp VARCHAR(80), 
+    lastdata VARCHAR(80), 
+    start DATETIME, 
+    answer DATETIME, 
+    end DATETIME, 
+    duration INTEGER, 
+    billsec INTEGER, 
+    disposition VARCHAR(45), 
+    amaflags VARCHAR(45), 
+    userfield VARCHAR(256), 
+    uniqueid VARCHAR(150), 
+    linkedid VARCHAR(150), 
+    peeraccount VARCHAR(20), 
+    sequence INTEGER
+);
+
+INSERT INTO alembic_version (version_num) VALUES ('210693f3123d');
+
+-- Running upgrade 210693f3123d -> 54cde9847798
+
+ALTER TABLE cdr MODIFY accountcode VARCHAR(80) NULL;
+
+ALTER TABLE cdr MODIFY peeraccount VARCHAR(80) NULL;
+
+UPDATE alembic_version SET version_num='54cde9847798' WHERE alembic_version.version_num = '210693f3123d';
+

contrib/realtime/mysql/mysql_voicemail.sql

@@ -0,0 +1,34 @@
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+-- Running upgrade  -> a2e9769475e
+
+CREATE TABLE voicemail_messages (
+    dir VARCHAR(255) NOT NULL, 
+    msgnum INTEGER NOT NULL, 
+    context VARCHAR(80), 
+    macrocontext VARCHAR(80), 
+    callerid VARCHAR(80), 
+    origtime INTEGER, 
+    duration INTEGER, 
+    recording BLOB, 
+    flag VARCHAR(30), 
+    category VARCHAR(30), 
+    mailboxuser VARCHAR(30), 
+    mailboxcontext VARCHAR(30), 
+    msg_id VARCHAR(40)
+);
+
+ALTER TABLE voicemail_messages ADD CONSTRAINT voicemail_messages_dir_msgnum PRIMARY KEY (dir, msgnum);
+
+CREATE INDEX voicemail_messages_dir ON voicemail_messages (dir);
+
+INSERT INTO alembic_version (version_num) VALUES ('a2e9769475e');
+
+-- Running upgrade a2e9769475e -> 39428242f7f5
+
+ALTER TABLE voicemail_messages MODIFY recording BLOB(4294967295) NULL;
+
+UPDATE alembic_version SET version_num='39428242f7f5' WHERE alembic_version.version_num = 'a2e9769475e';
+

contrib/realtime/oracle/oracle_cdr.sql

@@ -0,0 +1,52 @@
+CREATE TABLE alembic_version (
+    version_num VARCHAR2(32 CHAR) NOT NULL
+)
+
+/
+
+-- Running upgrade  -> 210693f3123d
+
+CREATE TABLE cdr (
+    accountcode VARCHAR2(20 CHAR), 
+    src VARCHAR2(80 CHAR), 
+    dst VARCHAR2(80 CHAR), 
+    dcontext VARCHAR2(80 CHAR), 
+    clid VARCHAR2(80 CHAR), 
+    channel VARCHAR2(80 CHAR), 
+    dstchannel VARCHAR2(80 CHAR), 
+    lastapp VARCHAR2(80 CHAR), 
+    lastdata VARCHAR2(80 CHAR), 
+    "start" DATE, 
+    answer DATE, 
+    end DATE, 
+    duration INTEGER, 
+    billsec INTEGER, 
+    disposition VARCHAR2(45 CHAR), 
+    amaflags VARCHAR2(45 CHAR), 
+    userfield VARCHAR2(256 CHAR), 
+    uniqueid VARCHAR2(150 CHAR), 
+    linkedid VARCHAR2(150 CHAR), 
+    peeraccount VARCHAR2(20 CHAR), 
+    sequence INTEGER
+)
+
+/
+
+INSERT INTO alembic_version (version_num) VALUES ('210693f3123d')
+
+/
+
+-- Running upgrade 210693f3123d -> 54cde9847798
+
+ALTER TABLE cdr MODIFY accountcode VARCHAR2(80 CHAR)
+
+/
+
+ALTER TABLE cdr MODIFY peeraccount VARCHAR2(80 CHAR)
+
+/
+
+UPDATE alembic_version SET version_num='54cde9847798' WHERE alembic_version.version_num = '210693f3123d'
+
+/
+

contrib/realtime/oracle/oracle_voicemail.sql

@@ -0,0 +1,48 @@
+CREATE TABLE alembic_version (
+    version_num VARCHAR2(32 CHAR) NOT NULL
+)
+
+/
+
+-- Running upgrade  -> a2e9769475e
+
+CREATE TABLE voicemail_messages (
+    dir VARCHAR2(255 CHAR) NOT NULL, 
+    msgnum INTEGER NOT NULL, 
+    context VARCHAR2(80 CHAR), 
+    macrocontext VARCHAR2(80 CHAR), 
+    callerid VARCHAR2(80 CHAR), 
+    origtime INTEGER, 
+    duration INTEGER, 
+    recording BLOB, 
+    flag VARCHAR2(30 CHAR), 
+    category VARCHAR2(30 CHAR), 
+    mailboxuser VARCHAR2(30 CHAR), 
+    mailboxcontext VARCHAR2(30 CHAR), 
+    msg_id VARCHAR2(40 CHAR)
+)
+
+/
+
+ALTER TABLE voicemail_messages ADD CONSTRAINT voicemail_messages_dir_msgnum PRIMARY KEY (dir, msgnum)
+
+/
+
+CREATE INDEX voicemail_messages_dir ON voicemail_messages (dir)
+
+/
+
+INSERT INTO alembic_version (version_num) VALUES ('a2e9769475e')
+
+/
+
+-- Running upgrade a2e9769475e -> 39428242f7f5
+
+ALTER TABLE voicemail_messages MODIFY recording BLOB
+
+/
+
+UPDATE alembic_version SET version_num='39428242f7f5' WHERE alembic_version.version_num = 'a2e9769475e'
+
+/
+

contrib/realtime/postgresql/postgresql_cdr.sql

@@ -0,0 +1,44 @@
+BEGIN;
+
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+-- Running upgrade  -> 210693f3123d
+
+CREATE TABLE cdr (
+    accountcode VARCHAR(20), 
+    src VARCHAR(80), 
+    dst VARCHAR(80), 
+    dcontext VARCHAR(80), 
+    clid VARCHAR(80), 
+    channel VARCHAR(80), 
+    dstchannel VARCHAR(80), 
+    lastapp VARCHAR(80), 
+    lastdata VARCHAR(80), 
+    start TIMESTAMP WITHOUT TIME ZONE, 
+    answer TIMESTAMP WITHOUT TIME ZONE, 
+    "end" TIMESTAMP WITHOUT TIME ZONE, 
+    duration INTEGER, 
+    billsec INTEGER, 
+    disposition VARCHAR(45), 
+    amaflags VARCHAR(45), 
+    userfield VARCHAR(256), 
+    uniqueid VARCHAR(150), 
+    linkedid VARCHAR(150), 
+    peeraccount VARCHAR(20), 
+    sequence INTEGER
+);
+
+INSERT INTO alembic_version (version_num) VALUES ('210693f3123d');
+
+-- Running upgrade 210693f3123d -> 54cde9847798
+
+ALTER TABLE cdr ALTER COLUMN accountcode TYPE VARCHAR(80);
+
+ALTER TABLE cdr ALTER COLUMN peeraccount TYPE VARCHAR(80);
+
+UPDATE alembic_version SET version_num='54cde9847798' WHERE alembic_version.version_num = '210693f3123d';
+
+COMMIT;
+

contrib/realtime/postgresql/postgresql_voicemail.sql

@@ -0,0 +1,38 @@
+BEGIN;
+
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+-- Running upgrade  -> a2e9769475e
+
+CREATE TABLE voicemail_messages (
+    dir VARCHAR(255) NOT NULL, 
+    msgnum INTEGER NOT NULL, 
+    context VARCHAR(80), 
+    macrocontext VARCHAR(80), 
+    callerid VARCHAR(80), 
+    origtime INTEGER, 
+    duration INTEGER, 
+    recording BYTEA, 
+    flag VARCHAR(30), 
+    category VARCHAR(30), 
+    mailboxuser VARCHAR(30), 
+    mailboxcontext VARCHAR(30), 
+    msg_id VARCHAR(40)
+);
+
+ALTER TABLE voicemail_messages ADD CONSTRAINT voicemail_messages_dir_msgnum PRIMARY KEY (dir, msgnum);
+
+CREATE INDEX voicemail_messages_dir ON voicemail_messages (dir);
+
+INSERT INTO alembic_version (version_num) VALUES ('a2e9769475e');
+
+-- Running upgrade a2e9769475e -> 39428242f7f5
+
+ALTER TABLE voicemail_messages ALTER COLUMN recording TYPE BYTEA;
+
+UPDATE alembic_version SET version_num='39428242f7f5' WHERE alembic_version.version_num = 'a2e9769475e';
+
+COMMIT;
+

main/iostream.c

@@ -197,11 +197,18 @@ static ssize_t iostream_read(struct ast_iostream *stream, void *buf, size_t size
 					}
 				}
 				break;
+			case SSL_ERROR_SYSCALL:
+				/* Some non-recoverable I/O error occurred. The OpenSSL error queue may
+				 * contain more information on the error. For socket I/O on Unix systems,
+				 * consult errno for details. */
+				ast_debug(1, "TLS non-recoverable I/O error occurred: %s, %s\n", ERR_error_string(sslerr, err),
+					ssl_error_to_string(sslerr, res));
+				return -1;
 			default:
 				/* Report EOF for an undecoded SSL or transport error. */
 				ast_debug(1, "TLS transport or SSL error reading data:  %s, %s\n", ERR_error_string(sslerr, err),
 					ssl_error_to_string(sslerr, res));
-				return 0;
+				return -1;
 			}
 			if (!ms) {
 				/* Report EOF for a timeout */
@@ -317,7 +324,7 @@ ssize_t ast_iostream_discard(struct ast_iostream *stream, size_t size)
 
 	while (remaining) {
 		ret = ast_iostream_read(stream, buf, remaining > sizeof(buf) ? sizeof(buf) : remaining);
-		if (ret < 0) {
+		if (ret <= 0) {
 			return ret;
 		}
 		remaining -= ret;

res/res_pjsip/pjsip_distributor.c

@@ -676,6 +676,26 @@ static void check_endpoint(pjsip_rx_data *rdata, struct unidentified_request *un
 	ao2_unlock(unid);
 }
 
+static int apply_endpoint_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
+static int apply_endpoint_contact_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
+
+static void apply_acls(pjsip_rx_data *rdata)
+{
+	struct ast_sip_endpoint *endpoint;
+
+	/* Is the endpoint allowed with the source or contact address? */
+	endpoint = rdata->endpt_info.mod_data[endpoint_mod.id];
+	if (endpoint != artificial_endpoint
+		&& (apply_endpoint_acl(rdata, endpoint)
+			|| apply_endpoint_contact_acl(rdata, endpoint))) {
+		ast_debug(1, "Endpoint '%s' not allowed by ACL\n",
+			ast_sorcery_object_get_id(endpoint));
+
+		/* Replace the rdata endpoint with the artificial endpoint. */
+		ao2_replace(rdata->endpt_info.mod_data[endpoint_mod.id], artificial_endpoint);
+	}
+}
+
 static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
 {
 	struct ast_sip_endpoint *endpoint;
@@ -694,6 +714,7 @@ static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
 			ao2_unlink(unidentified_requests, unid);
 			ao2_ref(unid, -1);
 		}
+		apply_acls(rdata);
 		return PJ_FALSE;
 	}
 
@@ -753,6 +774,8 @@ static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
 			ast_sip_report_invalid_endpoint(name, rdata);
 		}
 	}
+
+	apply_acls(rdata);
 	return PJ_FALSE;
 }
 
@@ -836,16 +859,11 @@ static pj_bool_t authenticate(pjsip_rx_data *rdata)
 
 	ast_assert(endpoint != NULL);
 
-	if (endpoint!=artificial_endpoint) {
-		if (apply_endpoint_acl(rdata, endpoint) || apply_endpoint_contact_acl(rdata, endpoint)) {
-			if (!is_ack) {
-				pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
-			}
-			return PJ_TRUE;
-		}
+	if (is_ack) {
+		return PJ_FALSE;
 	}
 
-	if (!is_ack && ast_sip_requires_authentication(endpoint, rdata)) {
+	if (ast_sip_requires_authentication(endpoint, rdata)) {
 		pjsip_tx_data *tdata;
 		struct unidentified_request *unid;
 
@@ -881,6 +899,10 @@ static pj_bool_t authenticate(pjsip_rx_data *rdata)
 			return PJ_TRUE;
 		}
 		pjsip_tx_data_dec_ref(tdata);
+	} else if (endpoint == artificial_endpoint) {
+		/* Uh. Oh.  The artificial endpoint couldn't challenge so block the request. */
+		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);
+		return PJ_TRUE;
 	}
 
 	return PJ_FALSE;