Importing release summary for 11.6-cert2 release.

git-svn-id: https://origsvn.digium.com/svn/asterisk/certified/tags/11.6-cert2@410444 65c4cc65-6c06-0410-ace0-fbb531ad65f3

.version

@@ -1 +1 @@
-11.6.0
+11.6-cert2

ChangeLog

@@ -1,3 +1,197 @@
+2014-03-10  Asterisk Development Team <asteriskteam@digium.com>
+
+	* Asterisk 11.6-cert2 Released.
+
+	* AST-2012-002: chan_sip: Exit early on bad session timers request
+
+	  This change allows chan_sip to avoid creation of the channel and
+	  consumption of associated file descriptors altogether if the inbound
+	  request is going to be rejected anyway.
+
+	  (closes issue ASTERISK-23373)
+	  Reported by: Corey Farrell
+	  Patches:
+	    chan_sip-earlier-st-1.8.patch uploaded by Corey Farrell (license 5909)
+	    chan_sip-earlier-st-11.patch uploaded by Corey Farrell (license 5909)
+
+	* AST-2014-001: Stack overflow in HTTP processing of Cookie headers.
+
+	  Sending a HTTP request that is handled by Asterisk with a large
+	  number of Cookie headers could overflow the stack.
+
+	  Another vulnerability along similar lines is any HTTP request with a
+	  ridiculous number of headers in the request could exhaust system
+	  memory.
+
+	  (closes issue ASTERISK-23340)
+	  Reported by: Lucas Molas, researcher at Programa STIC, Fundacion;
+	               and Dr. Manuel Sadosky, Buenos Aires, Argentina
+
+2014-01-22  Asterisk Development Team <asteriskteam@digium.com>
+
+	* Asterisk 11.6-cert1 Released.
+
+2014-01-15  Asterisk Development Team <asteriskteam@digium.com>
+
+	* Asterisk 11.6-cert1-rc2 Released.
+
+	* pbx.c: put copy of ast_exten.data on stack to prevent memory
+	  corruption
+
+	  During dialplan execution in pbx_extension_helper(), the contexts
+	  global read lock prevents link list corruption, but was released with
+	  a pointer to the ast_exten and data later used in variable
+	  substitution. Instead, this patch removes pbx_substitute_variables()
+	  and locates a copy of the ast_exten data on the stack before
+	  releasing the lock, where ast_exten could get free'd by another
+	  thread performing a module reload.
+
+	  (issue AST-1179)
+	  Reported by: Thomas Arimont
+	  (issue AST-1246)
+	  Reported by: Alexander Hömig
+	  Review: https://reviewboard.asterisk.org/r/3055/
+
+	* chan_sip: Hangup transferer/transferee when transfer to Parking fails
+
+	  When performing a SIP transfer to a Park extension, if the Park
+	  fails, chan_sip will currently not hang up either the transferer or
+	  the transfer target. This results in the channels being orphaned with
+	  no thread to service frames, resulting in stuck channels.
+
+	  This patch immediately hangs up the two channels if a Park fails.
+
+	  (closes issue ASTERISK-22834)
+	  Reported by: rsw686
+	  Tested by: rsw686
+
+	  (closes issue ASTERISK-23047)
+	  Reported by: Tommy Thompson
+	  Tested by: Tommy Thomspon
+
+	* verbosity: Fix performance of console verbose messages.
+
+	  The per console verbose level feature as previously implemented
+	  caused a large performance penalty.  The fix required some minor
+	  incompatibilities if the new rasterisk is used to connect to an
+	  earlier version.  If the new rasterisk connects to an older Asterisk
+	  version then the root console verbose level is always affected by
+	  the "core set verbose" command of the remote console even though it
+	  may appear to only affect the current console.  If an older version of
+	  rasterisk connects to the new version then the "core set verbose"
+	  command will have no effect.
+
+	  * Fixed the verbose performance by not generating a verbose message
+	    if nothing is going to use it and then filtered any generated
+	    verbose messages before actually sending them to the remote
+	    consoles.
+
+	  * Split the "core set debug" and "core set verbose" CLI commands to
+	    remove the per module verbose support that cannot work with the per
+	    console verbose level.
+
+	  * Added a silent option to the "core set verbose" command.
+
+	  * Fixed "core set debug off" tab completion.
+
+	  * Made "core show settings" list the current console verbosity in
+	    addition to the root console verbosity.
+
+	  * Changed the default verbose level of the 'verbose' setting in the
+	    logger.conf [logfiles] section.  The default is now to once again
+	    follow the current root console level.  As a result, using the AMI
+	    Command action with "core set verbose" could again set the root
+	    console verbose level and affect the verbose level logged.
+
+	(closes issue AST-1252)
+	Reported by: Guenther Kelleter
+
+
+	* app_confbridge: Fix crash caused when waitmarked/marked users leave
+	  together
+
+	  When waitmarked users join a ConfBridge, the conference state is
+	  transitioned from EMPTY -> INACTIVE. In this state, the users are
+	  maintained in a waiting users list. When a marked user joins, the
+	  ConfBridge conference transitions from INACTIVE -> MULTI_MARKED, and
+	  all users are put onto the active list of users. This process works
+	  correctly.
+
+	  When the marked user leaves, if they are the last marked user, the
+	  MULTI_MARKED state does the following:
+	  (1) It plays back a message to the bridge stating that the leader
+	      has left the conference. This requires an unlocking of the
+	      bridge.
+	  (2) It moves waitmarked users back to the waiting list
+	  (3) It transitions to the appropriate state: in this case, INACTIVE
+
+	  However, because it plays the prompt back to the bridge before moving
+	  the users and before finishing the state transition, this creates a
+	  race condition: with the bridge unlocked, waitmarked users who leave
+	  the conference (or are kicked from it) can cause a state transition
+	  of the bridge to another state before the conference is transitioned
+	  to the INACTIVE state. This causes the state machine to get a bit
+	  wonky, often leading to a crash when the MULTI_MARKED state attempts
+	  to conclude its processing.
+
+	  This patch fixes this problem:
+	  (1) It prevents kicked users from being kicked again. That's just a
+	      nicety.
+	  (2) More importantly, it fixes the race condition by only playing the
+	      prompt once the state has transitioned correctly to INACTIVE. If
+	      waitmarked users sneak out during the prompt being played, no
+	      harm no foul.
+
+	  Review: https://reviewboard.asterisk.org/r/3108/
+
+	  (closes issue AST-1258)
+	  Reported by: Steve Pitts
+
+	* astdb: crash in sqlite3 during shutdown
+
+	  When Asterisk is shut down, the astdb_atexit() function releases
+	  (finalize) the previously initiated (prepared) SQL statements in
+	  sqlite3.  Another thread making a subsequent request can cause a
+	  crash in sqlite3.  This patch eliminates that issue by resetting
+	  the statement pointer after it is released/cleared.  The sqlite3
+	  code detects the null pointer, and aborts the operation cleanly.
+
+	  (closes issue AST-1265)
+	  Reported by: Alexander Hömig
+	  (closes issue ASTERISK-22350)
+	  Reported by: Birger "WIMPy" Harzenetter
+	  Review: https://reviewboard.asterisk.org/r/3078/
+
+	* security: Inhibit execution of privilege escalating functions
+	
+	  This patch allows individual dialplan functions to be marked as
+	  'dangerous', to inhibit their execution from external sources.
+	  A 'dangerous' function is one which results in a privilege
+	  escalation. For example, if one were to read the channel
+	  variable SHELL(rm -rf /) Bad Things(TM) could happen; even if
+	  the external source has only read permissions.
+
+	  Execution from external sources may be enabled by setting
+	  'live_dangerously' to 'yes' in the [options] section of
+	  asterisk.conf. Although doing so is not recommended.
+
+	  (closes issue ASTERISK-22905)
+	  Review: http://reviewboard.digium.internal/r/432/
+
+	* app_sms: BufferOverflow when receiving odd length 16 bit message
+
+	  This patch prevents an infinite loop overwriting memory when
+	  a message is received into the unpacksms16() function, where
+	  the length of the message is an odd number of bytes.
+
+	  (closes issue ASTERISK-22590)
+	  Reported by: Jan Juergens
+	  Tested by: Jan Juergens
+
+2013-11-04  Asterisk Development Team <asteriskteam@digium.com>
+
+	* Asterisk 11.6-cert1-rc1 Released.
+
 2013-10-21  Asterisk Development Team <asteriskteam@digium.com>
 
 	* Asterisk 11.6.0 Released.

certified-asterisk-11.6-cert2-summary.html

@@ -0,0 +1,63 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><title>Release Summary - certified-asterisk-11.6-cert2</title></head>
+<body>
+<h1 align="center"><a name="top">Release Summary</a></h1>
+<h3 align="center">certified-asterisk-11.6-cert2</h3>
+<h3 align="center">Date: 2014-03-10</h3>
+<h3 align="center">&lt;asteriskteam@digium.com&gt;</h3>
+<hr/>
+<h2 align="center">Table of Contents</h2>
+<ol>
+   <li><a href="#summary">Summary</a></li>
+   <li><a href="#contributors">Contributors</a></li>
+   <li><a href="#commits">Other Changes</a></li>
+   <li><a href="#diffstat">Diffstat</a></li>
+</ol>
+<hr/>
+<a name="summary"><h2 align="center">Summary</h2></a>
+<center><a href="#top">[Back to Top]</a></center><br/><p>This release has been made to address one or more security vulnerabilities that have been identified.  A security advisory document has been published for each vulnerability that includes additional information.  Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p>
+<p>Security Advisories: <a href="http://downloads.asterisk.org/pub/security/AST-2014-001.html">AST-2014-001</a>, <a href="http://downloads.asterisk.org/pub/security/AST-2014-002.html">AST-2014-002</a></p>
+<p>The data in this summary reflects changes that have been made since the previous release, certified-asterisk-11.6-cert1.</p>
+<hr/>
+<a name="contributors"><h2 align="center">Contributors</h2></a>
+<center><a href="#top">[Back to Top]</a></center><br/><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release.  For coders, the number is how many of their patches (of any size) were committed into this release.  For testers, the number is the number of times their name was listed as assisting with testing a patch.  Finally, for reporters, the number is the number of issues that they reported that were closed by commits that went into this release.</p>
+<table width="100%" border="0">
+<tr>
+<td width="33%"><h3>Coders</h3></td>
+<td width="33%"><h3>Testers</h3></td>
+<td width="33%"><h3>Reporters</h3></td>
+</tr>
+<tr valign="top">
+<td>
+3 bebuild<br/>
+</td>
+<td>
+</td>
+<td>
+</td>
+</tr>
+</table>
+<hr/>
+<a name="commits"><h2 align="center">Commits Not Associated with an Issue</h2></a>
+<center><a href="#top">[Back to Top]</a></center><br/><p>This is a list of all changes that went into this release that did not directly close an issue from the issue tracker.  The commits may have been marked as being related to an issue.  If that is the case, the issue numbers are listed here, as well.</p>
+<table width="100%" border="1">
+<tr><td><b>Revision</b></td><td><b>Author</b></td><td><b>Summary</b></td><td><b>Issues Referenced</b></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/certified/tags/11.6-cert2?view=revision&revision=410371">410371</a></td><td>bebuild</td><td>Create 11.6-cert2</td>
+<td></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/certified/tags/11.6-cert2?view=revision&revision=410376">410376</a></td><td>bebuild</td><td>Update version, remove old summaries</td>
+<td></td></tr><tr><td><a href="http://svn.digium.com/view/asterisk/certified/tags/11.6-cert2?view=revision&revision=410432">410432</a></td><td>bebuild</td><td>AST-2014-001: AST-2014-002: Merge into 11.6-cert2</td>
+<td></td></tr></table>
+<hr/>
+<a name="diffstat"><h2 align="center">Diffstat Results</h2></a>
+<center><a href="#top">[Back to Top]</a></center><br/><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p>
+<pre>
+.version                                   |    2
+ChangeLog                                  |   29 ++
+certified-asterisk-11.6-cert1-summary.html |  190 ------------------
+certified-asterisk-11.6-cert1-summary.txt  |  243 -----------------------
+channels/chan_sip.c                        |  303 +++++++++++++++--------------
+main/http.c                                |   49 ++--
+6 files changed, 220 insertions(+), 596 deletions(-)
+</pre><br/>
+<hr/>
+</body>
+</html>

certified-asterisk-11.6-cert2-summary.txt

@@ -0,0 +1,94 @@
+                                Release Summary
+
+                         certified-asterisk-11.6-cert2
+
+                                Date: 2014-03-10
+
+                           <asteriskteam@digium.com>
+
+     ----------------------------------------------------------------------
+
+                               Table of Contents
+
+    1. Summary
+    2. Contributors
+    3. Other Changes
+    4. Diffstat
+
+     ----------------------------------------------------------------------
+
+                                    Summary
+
+                                 [Back to Top]
+
+   This release has been made to address one or more security vulnerabilities
+   that have been identified. A security advisory document has been published
+   for each vulnerability that includes additional information. Users of
+   versions of Asterisk that are affected are strongly encouraged to review
+   the advisories and determine what action they should take to protect their
+   systems from these issues.
+
+   Security Advisories: AST-2014-001, AST-2014-002
+
+   The data in this summary reflects changes that have been made since the
+   previous release, certified-asterisk-11.6-cert1.
+
+     ----------------------------------------------------------------------
+
+                                  Contributors
+
+                                 [Back to Top]
+
+   This table lists the people who have submitted code, those that have
+   tested patches, as well as those that reported issues on the issue tracker
+   that were resolved in this release. For coders, the number is how many of
+   their patches (of any size) were committed into this release. For testers,
+   the number is the number of times their name was listed as assisting with
+   testing a patch. Finally, for reporters, the number is the number of
+   issues that they reported that were closed by commits that went into this
+   release.
+
+     Coders                   Testers                  Reporters              
+   3 bebuild                
+
+     ----------------------------------------------------------------------
+
+                      Commits Not Associated with an Issue
+
+                                 [Back to Top]
+
+   This is a list of all changes that went into this release that did not
+   directly close an issue from the issue tracker. The commits may have been
+   marked as being related to an issue. If that is the case, the issue
+   numbers are listed here, as well.
+
+   +------------------------------------------------------------------------+
+   | Revision | Author  | Summary                       | Issues Referenced |
+   |----------+---------+-------------------------------+-------------------|
+   | 410371   | bebuild | Create 11.6-cert2             |                   |
+   |----------+---------+-------------------------------+-------------------|
+   | 410376   | bebuild | Update version, remove old    |                   |
+   |          |         | summaries                     |                   |
+   |----------+---------+-------------------------------+-------------------|
+   | 410432   | bebuild | AST-2014-001: AST-2014-002:   |                   |
+   |          |         | Merge into 11.6-cert2         |                   |
+   +------------------------------------------------------------------------+
+
+     ----------------------------------------------------------------------
+
+                                Diffstat Results
+
+                                 [Back to Top]
+
+   This is a summary of the changes to the source code that went into this
+   release that was generated using the diffstat utility.
+
+ .version                                   |    2
+ ChangeLog                                  |   29 ++
+ certified-asterisk-11.6-cert1-summary.html |  190 ------------------
+ certified-asterisk-11.6-cert1-summary.txt  |  243 -----------------------
+ channels/chan_sip.c                        |  303 +++++++++++++++--------------
+ main/http.c                                |   49 ++--
+ 6 files changed, 220 insertions(+), 596 deletions(-)
+
+     ----------------------------------------------------------------------

channels/chan_sip.c

@@ -24930,6 +24930,145 @@ static int handle_request_update(struct sip_pvt *p, struct sip_request *req)
 	return 0;
 }
 
+/*
+ * \internal \brief Check Session Timers for an INVITE request
+ *
+ * \retval 0 ok
+ * \retval -1 failure
+ */
+static int handle_request_invite_st(struct sip_pvt *p, struct sip_request *req,
+		const char *required, int reinvite)
+{
+	const char *p_uac_se_hdr;       /* UAC's Session-Expires header string                      */
+	const char *p_uac_min_se;       /* UAC's requested Min-SE interval (char string)            */
+	int uac_max_se = -1;            /* UAC's Session-Expires in integer format                  */
+	int uac_min_se = -1;            /* UAC's Min-SE in integer format                           */
+	int st_active = FALSE;          /* Session-Timer on/off boolean                             */
+	int st_interval = 0;            /* Session-Timer negotiated refresh interval                */
+	enum st_refresher tmp_st_ref = SESSION_TIMER_REFRESHER_AUTO; /* Session-Timer refresher     */
+	int dlg_min_se = -1;
+	int dlg_max_se = global_max_se;
+	int rtn;
+
+	/* Session-Timers */
+	if ((p->sipoptions & SIP_OPT_TIMER)) {
+		enum st_refresher_param st_ref_param = SESSION_TIMER_REFRESHER_PARAM_UNKNOWN;
+
+		/* The UAC has requested session-timers for this session. Negotiate
+		the session refresh interval and who will be the refresher */
+		ast_debug(2, "Incoming INVITE with 'timer' option supported\n");
+
+		/* Allocate Session-Timers struct w/in the dialog */
+		if (!p->stimer) {
+			sip_st_alloc(p);
+		}
+
+		/* Parse the Session-Expires header */
+		p_uac_se_hdr = sip_get_header(req, "Session-Expires");
+		if (!ast_strlen_zero(p_uac_se_hdr)) {
+			ast_debug(2, "INVITE also has \"Session-Expires\" header.\n");
+			rtn = parse_session_expires(p_uac_se_hdr, &uac_max_se, &st_ref_param);
+			tmp_st_ref = (st_ref_param == SESSION_TIMER_REFRESHER_PARAM_UAC) ? SESSION_TIMER_REFRESHER_THEM : SESSION_TIMER_REFRESHER_US;
+			if (rtn != 0) {
+				transmit_response_reliable(p, "400 Session-Expires Invalid Syntax", req);
+				return -1;
+			}
+		}
+
+		/* Parse the Min-SE header */
+		p_uac_min_se = sip_get_header(req, "Min-SE");
+		if (!ast_strlen_zero(p_uac_min_se)) {
+			ast_debug(2, "INVITE also has \"Min-SE\" header.\n");
+			rtn = parse_minse(p_uac_min_se, &uac_min_se);
+			if (rtn != 0) {
+				transmit_response_reliable(p, "400 Min-SE Invalid Syntax", req);
+				return -1;
+			}
+		}
+
+		dlg_min_se = st_get_se(p, FALSE);
+		switch (st_get_mode(p, 1)) {
+		case SESSION_TIMER_MODE_ACCEPT:
+		case SESSION_TIMER_MODE_ORIGINATE:
+			if (uac_max_se > 0 && uac_max_se < dlg_min_se) {
+				transmit_response_with_minse(p, "422 Session Interval Too Small", req, dlg_min_se);
+				return -1;
+			}
+
+			p->stimer->st_active_peer_ua = TRUE;
+			st_active = TRUE;
+			if (st_ref_param == SESSION_TIMER_REFRESHER_PARAM_UNKNOWN) {
+				tmp_st_ref = st_get_refresher(p);
+			}
+
+			dlg_max_se = st_get_se(p, TRUE);
+			if (uac_max_se > 0) {
+				if (dlg_max_se >= uac_min_se) {
+					st_interval = (uac_max_se < dlg_max_se) ? uac_max_se : dlg_max_se;
+				} else {
+					st_interval = uac_max_se;
+				}
+			} else if (uac_min_se > 0) {
+				st_interval = MAX(dlg_max_se, uac_min_se);
+			} else {
+				st_interval = dlg_max_se;
+			}
+			break;
+
+		case SESSION_TIMER_MODE_REFUSE:
+			if (p->reqsipoptions & SIP_OPT_TIMER) {
+				transmit_response_with_unsupported(p, "420 Option Disabled", req, required);
+				ast_log(LOG_WARNING, "Received SIP INVITE with supported but disabled option: %s\n", required);
+				return -1;
+			}
+			break;
+
+		default:
+			ast_log(LOG_ERROR, "Internal Error %d at %s:%d\n", st_get_mode(p, 1), __FILE__, __LINE__);
+			break;
+		}
+	} else {
+		/* The UAC did not request session-timers.  Asterisk (UAS), will now decide
+		(based on session-timer-mode in sip.conf) whether to run session-timers for
+		this session or not. */
+		switch (st_get_mode(p, 1)) {
+		case SESSION_TIMER_MODE_ORIGINATE:
+			st_active = TRUE;
+			st_interval = st_get_se(p, TRUE);
+			tmp_st_ref = SESSION_TIMER_REFRESHER_US;
+			p->stimer->st_active_peer_ua = (p->sipoptions & SIP_OPT_TIMER) ? TRUE : FALSE;
+			break;
+
+		default:
+			break;
+		}
+	}
+
+	if (reinvite == 0) {
+		/* Session-Timers: Start session refresh timer based on negotiation/config */
+		if (st_active == TRUE) {
+			p->stimer->st_active = TRUE;
+			p->stimer->st_interval = st_interval;
+			p->stimer->st_ref = tmp_st_ref;
+		}
+	} else {
+		if (p->stimer->st_active == TRUE) {
+			/* Session-Timers:  A re-invite request sent within a dialog will serve as
+			a refresh request, no matter whether the re-invite was sent for refreshing
+			the session or modifying it.*/
+			ast_debug (2, "Restarting session-timers on a refresh - %s\n", p->callid);
+
+			/* The UAC may be adjusting the session-timers mid-session */
+			if (st_interval > 0) {
+				p->stimer->st_interval = st_interval;
+				p->stimer->st_ref      = tmp_st_ref;
+			}
+		}
+	}
+
+	return 0;
+}
+
 /*!
  * \brief Handle incoming INVITE request
  * \note If the INVITE has a Replaces header, it is part of an
@@ -24949,19 +25088,9 @@ static int handle_request_invite(struct sip_pvt *p, struct sip_request *req, str
 	struct ast_channel *c = NULL;		/* New channel */
 	struct sip_peer *authpeer = NULL;	/* Matching Peer */
 	int reinvite = 0;
-	int rtn;
 	struct ast_party_redirecting redirecting;
 	struct ast_set_party_redirecting update_redirecting;
 
-	const char *p_uac_se_hdr;       /* UAC's Session-Expires header string                      */
-	const char *p_uac_min_se;       /* UAC's requested Min-SE interval (char string)            */
-	int uac_max_se = -1;            /* UAC's Session-Expires in integer format                  */
-	int uac_min_se = -1;            /* UAC's Min-SE in integer format                           */
-	int st_active = FALSE;          /* Session-Timer on/off boolean                             */
-	int st_interval = 0;            /* Session-Timer negotiated refresh interval                */
-	enum st_refresher tmp_st_ref = SESSION_TIMER_REFRESHER_AUTO; /* Session-Timer refresher     */
-	int dlg_min_se = -1;
-	int dlg_max_se = global_max_se;
 	struct {
 		char exten[AST_MAX_EXTENSION];
 		char context[AST_MAX_CONTEXT];
@@ -25449,6 +25578,14 @@ static int handle_request_invite(struct sip_pvt *p, struct sip_request *req, str
 			/* Initialize our tag */
 
 			make_our_tag(p);
+
+			if (handle_request_invite_st(p, req, required, reinvite)) {
+				p->invitestate = INV_COMPLETED;
+				sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
+				res = INV_REQ_ERROR;
+				goto request_invite_cleanup;
+			}
+
 			/* First invitation - create the channel.  Allocation
 			 * failures are handled below. */
 
@@ -25483,6 +25620,16 @@ static int handle_request_invite(struct sip_pvt *p, struct sip_request *req, str
 		}
 		if (!req->ignore)
 			reinvite = 1;
+
+		if (handle_request_invite_st(p, req, required, reinvite)) {
+			p->invitestate = INV_COMPLETED;
+			if (!p->lastinvite) {
+				sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
+			}
+			res = INV_REQ_ERROR;
+			goto request_invite_cleanup;
+		}
+
 		c = p->owner;
 		change_redirecting_information(p, req, &redirecting, &update_redirecting, FALSE); /*Will return immediately if no Diversion header is present */
 		if (c) {
@@ -25494,140 +25641,10 @@ static int handle_request_invite(struct sip_pvt *p, struct sip_request *req, str
 	/* Check if OLI/ANI-II is present in From: */
 	parse_oli(req, p->owner);
 
-	/* Session-Timers */
-	if ((p->sipoptions & SIP_OPT_TIMER)) {
-		enum st_refresher_param st_ref_param = SESSION_TIMER_REFRESHER_PARAM_UNKNOWN;
-
-		/* The UAC has requested session-timers for this session. Negotiate
-		the session refresh interval and who will be the refresher */
-		ast_debug(2, "Incoming INVITE with 'timer' option supported\n");
-
-		/* Allocate Session-Timers struct w/in the dialog */
-		if (!p->stimer)
-			sip_st_alloc(p);
-
-		/* Parse the Session-Expires header */
-		p_uac_se_hdr = sip_get_header(req, "Session-Expires");
-		if (!ast_strlen_zero(p_uac_se_hdr)) {
-			ast_debug(2, "INVITE also has \"Session-Expires\" header.\n");
-			rtn = parse_session_expires(p_uac_se_hdr, &uac_max_se, &st_ref_param);
-			tmp_st_ref = (st_ref_param == SESSION_TIMER_REFRESHER_PARAM_UAC) ? SESSION_TIMER_REFRESHER_THEM : SESSION_TIMER_REFRESHER_US;
-			if (rtn != 0) {
-				transmit_response_reliable(p, "400 Session-Expires Invalid Syntax", req);
-				p->invitestate = INV_COMPLETED;
-				if (!p->lastinvite) {
-					sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
-				}
-				res = INV_REQ_ERROR;
-				goto request_invite_cleanup;
-			}
-		}
-
-		/* Parse the Min-SE header */
-		p_uac_min_se = sip_get_header(req, "Min-SE");
-		if (!ast_strlen_zero(p_uac_min_se)) {
-			ast_debug(2, "INVITE also has \"Min-SE\" header.\n");
-			rtn = parse_minse(p_uac_min_se, &uac_min_se);
-			if (rtn != 0) {
-				transmit_response_reliable(p, "400 Min-SE Invalid Syntax", req);
-				p->invitestate = INV_COMPLETED;
-				if (!p->lastinvite) {
-					sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
-				}
-				res = INV_REQ_ERROR;
-				goto request_invite_cleanup;
-			}
-		}
-
-		dlg_min_se = st_get_se(p, FALSE);
-		switch (st_get_mode(p, 1)) {
-		case SESSION_TIMER_MODE_ACCEPT:
-		case SESSION_TIMER_MODE_ORIGINATE:
-			if (uac_max_se > 0 && uac_max_se < dlg_min_se) {
-				transmit_response_with_minse(p, "422 Session Interval Too Small", req, dlg_min_se);
-				p->invitestate = INV_COMPLETED;
-				if (!p->lastinvite) {
-					sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
-				}
-				res = INV_REQ_ERROR;
-				goto request_invite_cleanup;
-			}
-
-			p->stimer->st_active_peer_ua = TRUE;
-			st_active = TRUE;
-			if (st_ref_param == SESSION_TIMER_REFRESHER_PARAM_UNKNOWN) {
-				tmp_st_ref = st_get_refresher(p);
-			}
-
-			dlg_max_se = st_get_se(p, TRUE);
-			if (uac_max_se > 0) {
-				if (dlg_max_se >= uac_min_se) {
-					st_interval = (uac_max_se < dlg_max_se) ? uac_max_se : dlg_max_se;
-				} else {
-					st_interval = uac_max_se;
-				}
-			} else if (uac_min_se > 0) {
-				st_interval = MAX(dlg_max_se, uac_min_se);
-			} else {
-				st_interval = dlg_max_se;
-			}
-			break;
-
-		case SESSION_TIMER_MODE_REFUSE:
-			if (p->reqsipoptions & SIP_OPT_TIMER) {
-				transmit_response_with_unsupported(p, "420 Option Disabled", req, required);
-				ast_log(LOG_WARNING, "Received SIP INVITE with supported but disabled option: %s\n", required);
-				p->invitestate = INV_COMPLETED;
-				if (!p->lastinvite) {
-					sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
-				}
-				res = INV_REQ_ERROR;
-				goto request_invite_cleanup;
-			}
-			break;
-
-		default:
-			ast_log(LOG_ERROR, "Internal Error %d at %s:%d\n", st_get_mode(p, 1), __FILE__, __LINE__);
-			break;
-		}
-	} else {
-		/* The UAC did not request session-timers.  Asterisk (UAS), will now decide
-		(based on session-timer-mode in sip.conf) whether to run session-timers for
-		this session or not. */
-		switch (st_get_mode(p, 1)) {
-		case SESSION_TIMER_MODE_ORIGINATE:
-			st_active = TRUE;
-			st_interval = st_get_se(p, TRUE);
-			tmp_st_ref = SESSION_TIMER_REFRESHER_US;
-			p->stimer->st_active_peer_ua = (p->sipoptions & SIP_OPT_TIMER) ? TRUE : FALSE;
-			break;
-
-		default:
-			break;
-		}
-	}
-
-	if (reinvite == 0) {
-		/* Session-Timers: Start session refresh timer based on negotiation/config */
-		if (st_active == TRUE) {
-			p->stimer->st_active = TRUE;
-			p->stimer->st_interval = st_interval;
-			p->stimer->st_ref = tmp_st_ref;
+	if (p->stimer->st_active == TRUE) {
+		if (reinvite == 0) {
 			start_session_timer(p);
-		}
-	} else {
-		if (p->stimer->st_active == TRUE) {
-			/* Session-Timers:  A re-invite request sent within a dialog will serve as
-			a refresh request, no matter whether the re-invite was sent for refreshing
-			the session or modifying it.*/
-			ast_debug (2, "Restarting session-timers on a refresh - %s\n", p->callid);
-
-			/* The UAC may be adjusting the session-timers mid-session */
-			if (st_interval > 0) {
-				p->stimer->st_interval = st_interval;
-				p->stimer->st_ref      = tmp_st_ref;
-			}
-
+		} else {
 			restart_session_timer(p);
 		}
 	}

main/http.c

@@ -186,9 +186,7 @@ uint32_t ast_http_manid_from_vars(struct ast_variable *headers)
 			break;
 		}
 	}
-	if (cookies) {
-		ast_variables_destroy(cookies);
-	}
+	ast_variables_destroy(cookies);
 	return mngid;
 }
 
@@ -805,12 +803,13 @@ static int ssl_close(void *cookie)
 }*/
 #endif	/* DO_SSL */
 
-static struct ast_variable *parse_cookies(char *cookies)
+static struct ast_variable *parse_cookies(const char *cookies)
 {
+	char *parse = ast_strdupa(cookies);
 	char *cur;
 	struct ast_variable *vars = NULL, *var;
 
-	while ((cur = strsep(&cookies, ";"))) {
+	while ((cur = strsep(&parse, ";"))) {
 		char *name, *val;
 
 		name = val = cur;
@@ -840,21 +839,19 @@ static struct ast_variable *parse_cookies(char *cookies)
 /* get cookie from Request headers */
 struct ast_variable *ast_http_get_cookies(struct ast_variable *headers)
 {
-	struct ast_variable *v, *cookies=NULL;
+	struct ast_variable *v, *cookies = NULL;
 
 	for (v = headers; v; v = v->next) {
 		if (!strcasecmp(v->name, "Cookie")) {
-			char *tmp = ast_strdupa(v->value);
-			if (cookies) {
-				ast_variables_destroy(cookies);
-			}
-
-			cookies = parse_cookies(tmp);
+			ast_variables_destroy(cookies);
+			cookies = parse_cookies(v->value);
 		}
 	}
 	return cookies;
 }
 
+/*! Limit the number of request headers in case the sender is being ridiculous. */
+#define MAX_HTTP_REQUEST_HEADERS	100
 
 static void *httpd_helper_thread(void *data)
 {
@@ -865,6 +862,7 @@ static void *httpd_helper_thread(void *data)
 	struct ast_variable *tail = headers;
 	char *uri, *method;
 	enum ast_http_method http_method = AST_HTTP_UNKNOWN;
+	int remaining_headers;
 
 	if (ast_atomic_fetchadd_int(&session_count, +1) >= session_limit) {
 		goto done;
@@ -899,9 +897,13 @@ static void *httpd_helper_thread(void *data)
 		if (*c) {
 			*c = '\0';
 		}
+	} else {
+		ast_http_error(ser, 400, "Bad Request", "Invalid Request");
+		goto done;
 	}
 
 	/* process "Request Headers" lines */
+	remaining_headers = MAX_HTTP_REQUEST_HEADERS;
 	while (fgets(header_line, sizeof(header_line), ser->f)) {
 		char *name, *value;
 
@@ -924,6 +926,11 @@ static void *httpd_helper_thread(void *data)
 
 		ast_trim_blanks(name);
 
+		if (!remaining_headers--) {
+			/* Too many headers. */
+			ast_http_error(ser, 413, "Request Entity Too Large", "Too many headers");
+			goto done;
+		}
 		if (!headers) {
 			headers = ast_variable_new(name, value, __FILE__);
 			tail = headers;
@@ -931,11 +938,17 @@ static void *httpd_helper_thread(void *data)
 			tail->next = ast_variable_new(name, value, __FILE__);
 			tail = tail->next;
 		}
-	}
+		if (!tail) {
+			/*
+			 * Variable allocation failure.
+			 * Try to make some room.
+			 */
+			ast_variables_destroy(headers);
+			headers = NULL;
 
-	if (!*uri) {
-		ast_http_error(ser, 400, "Bad Request", "Invalid Request");
-		goto done;
+			ast_http_error(ser, 500, "Server Error", "Out of memory");
+			goto done;
+		}
 	}
 
 	handle_uri(ser, uri, http_method, headers);
@@ -944,9 +957,7 @@ done:
 	ast_atomic_fetchadd_int(&session_count, -1);
 
 	/* clean up all the header information */
-	if (headers) {
-		ast_variables_destroy(headers);
-	}
+	ast_variables_destroy(headers);
 
 	if (ser->f) {
 		fclose(ser->f);