........
r363102 | mjordan | 2012-04-23 08:37:55 -0500 (Mon, 23 Apr 2012) | 16 lines
AST-2012-005: Fix remotely exploitable heap overflow in keypad button handling
When handling a keypad button message event, the received digit is placed into
a fixed length buffer that acts as a queue. When a new message event is
received, the length of that buffer is not checked before placing the new digit
on the end of the queue. The situation exists where sufficient keypad button
message events would occur that would cause the buffer to be overrun. This
patch explicitly checks that there is sufficient room in the buffer before
appending a new digit.
(closes issue ASTERISK-19592)
Reported by: Russell Bryant
........
Merged revisions 363100 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
........
r363106 | mjordan | 2012-04-23 09:05:02 -0500 (Mon, 23 Apr 2012) | 17 lines
AST-2012-006: Fix crash in UPDATE handling when no channel owner exists
If Asterisk receives a SIP UPDATE request after a call has been terminated and
the channel has been destroyed but before the SIP dialog has been destroyed, a
condition exists where a connected line update would be attempted on a
non-existing channel. This would cause Asterisk to crash. The patch resolves
this by first ensuring that the SIP dialog has an owning channel before
attempting a connected line update. If an UPDATE request is received and no
channel is associated with the dialog, a 481 response is sent.
(closes issue ASTERISK-19770)
Reported by: Thomas Arimont
Tested by: Matt Jordan
Patches:
ASTERISK-19278-2012-04-16.diff uploaded by Matt Jordan (license 6283)
........
r363141 | jrose | 2012-04-23 09:33:16 -0500 (Mon, 23 Apr 2012) | 20 lines
AST-2012-004: Fix an error that allows AMI users to run shell commands sans authorization.
As detailed in the advisory, AMI users without write authorization for SYSTEM class AMI
actions were able to run system commands by going through other AMI commands which did
not require that authorization. Specifically, GetVar and Status allowed users to do this
by setting their variable/s options to the SHELL or EVAL functions.
Also, within 1.8, 10, and trunk there was a similar flaw with the Originate action that
allowed users with originate permission to run MixMonitor and supply a shell command
in the Data argument. That flaw is fixed in those versions of this patch.
(closes issue ASTERISK-17465)
Reported By: David Woolley
Patches:
162_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
18_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
10_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
........
Merged revisions 363117 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
........
Merged revisions 363102,363106,363141 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8-digiumphones@363161 65c4cc65-6c06-0410-ace0-fbb531ad65f3
........
r359656 | mjordan | 2012-03-15 13:35:59 -0500 (Thu, 15 Mar 2012) | 22 lines
Fix remotely exploitable stack overrun in Milliwatt
Milliwatt is vulnerable to a remotely exploitable stack overrun when using
the 'o' option. This occurs due to the milliwatt_generate function not
accounting for AST_FRIENDLY_OFFSET when calculating the maximum number of
samples it can put in the output buffer.
This patch resolves this issue by taking into account AST_FRIENDLY_OFFSET
when determining the maximum number of samples allowed. Note that at no
point is remote code execution possible. The data that is written into the
buffer is the pre-defined Milliwatt data, and not custom data.
(closes issue ASTERISK-19541)
Reported by: Russell Bryant
Tested by: Matt Jordan
Patches:
milliwatt_stack_overrun.rev1.txt by Russell Bryant (license 6283)
Note that this patch was written by Russell, even though Matt uploaded it
........
Merged revisions 359645 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
........
r359706 | mjordan | 2012-03-15 14:01:22 -0500 (Thu, 15 Mar 2012) | 16 lines
Fix remotely exploitable stack overflow in HTTP manager
There exists a remotely exploitable stack buffer overflow in HTTP digest
authentication handling in Asterisk. The particular method in question
is only utilized by HTTP AMI. When parsing the digest information, the
length of the string is not checked when it is copied into temporary buffers
allocated on the stack.
This patch fixes this behavior by parsing out pre-defined key/value pairs
and avoiding unnecessary copies to the stack.
(closes issue ASTERISK-19542)
Reported by: Russell Bryant
Tested by: Matt Jordan
........
r359979 | rmudgett | 2012-03-20 12:21:16 -0500 (Tue, 20 Mar 2012) | 28 lines
Allow AMI action callback to be reentrant.
Fix AMI module reload deadlock regression from ASTERISK-18479 when it
tried to fix the race between calling an AMI action callback and
unregistering that action. Refixes ASTERISK-13784 broken by
ASTERISK-17785 change.
Locking the ao2 object guaranteed that there were no active callbacks that
mattered when ast_manager_unregister() was called. Unfortunately, this
causes the deadlock situation. The patch stops locking the ao2 object to
allow multiple threads to invoke the callback re-entrantly. There is no
way to guarantee a module unload will not crash because of an active
callback. The code attempts to minimize the chance with the registered
flag and the maximum 5 second delay before ast_manager_unregister()
returns.
The trunk version of the patch changes the API to fix the race condition
correctly to prevent the module code from unloading from memory while an
action callback is active.
* Don't hold the lock while calling the AMI action callback.
(closes issue ASTERISK-19487)
Reported by: Philippe Lindheimer
Review: https://reviewboard.asterisk.org/r/1818/
Review: https://reviewboard.asterisk.org/r/1820/
........
Merged revisions 359656,359706,359979 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8-digiumphones@360826 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The astman_get_header() never returns NULL so the check by the code for
NULL would never fail.
(closes issue ASTERISK-16974)
Reported by: Nuno Borges
Patches:
0018325.patch (license #6116) patch uploaded by Nuno Borges (modified)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@354835 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Removes references to tlsbindport from http.conf.sample and manager.conf.sample
* Properly bind to port specified in tlsbindaddr, using the default port if specified.
* On a reload, properly close socket if the service has been disabled.
A note has been added to UPGRADE.txt to indicate how ports must be set for TLS.
(closes issue ASTERISK-16959)
reported by Olaf Holthausen
(closes issue ASTERISK-19201)
reported by Chris Mylonas
(closes issue ASTERISK-19204)
reported by Chris Mylonas
Review: https://reviewboard.asterisk.org/r/1709
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@353770 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Fix memory leak of vars in error paths for action_originate().
* Moved struct fast_originate_helper tech and data members to stringfields.
* Simplified ActionID header handling for fast_originate().
* Added doxygen note to ast_request() and ast_call() and the associated
channel callbacks that the data/addr parameters should be treated as const
char *.
Review: https://reviewboard.asterisk.org/r/1690/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@353454 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Fixed race between calling an AMI action callback and unregistering that
action. Refixes ASTERISK-13784 broken by ASTERISK-17785 change.
* Fixed potential memory leak if an AMI action failed to get registered
because is already was registered. Part of the ao2 conversion.
* Fixed AMI ListCommands action not walking the actions list with a lock
held.
* Fix usage of ast_strdupa() and alloca() in loops. Excess stack usage.
* Fix AMI Originate action Variable header requiring a space after the
header colon. Reported by Yaroslav Panych on the asterisk-dev list.
* Increased the number of listed variables allowed per AMI Originate
action Variable header to 64.
* Fixed AMI GetConfigJSON action output format.
* Fixed usage of res contents outside of scope in append_channel_vars().
* Fixed inconsistency of config file channelvars option. The values no
longer accumulate with every channelvars option in the config file. Only
the last value is kept to be consistent with the CLI "manager show
settings" command.
(closes issue ASTERISK-18479)
Reported by: Jaco Kroon
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@340279 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch adds an optional "module" attribute to the XML documentation spec
that allows the documentation processor to match apps with identical names from
different modules to their documentation. This patch also fixes a number of
bugs with the documentation processor and should make it a little more
efficient. Support for multiple languages has also been properly implemented.
ASTERISK-18130
Review: https://reviewboard.asterisk.org/r/1485/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@340108 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Dummy channels created by ast_dummy_channel_alloc() should be destoyed by
ast_channel_unref(). Using ast_channel_release() needlessly grabs the
channel container lock and can cause a deadlock as a result.
* Analyzed use of ast_dummy_channel_alloc() and made use
ast_channel_unref() when done with the dummy channel. (Primary reason for
the reported deadlock.)
* Made app_dial.c:dial_exec_full() not call ast_call() holding any channel
locks. Chan_local could not perform deadlock avoidance correctly.
(Potential deadlock exposed by this issue. Secondary reason for the
reported deadlock since the held lock was part of the deadlock chain.)
* Fixed some uses of ast_dummy_channel_alloc() not checking the returned
channel pointer for failure.
* Fixed some potential chan=NULL pointer usage in func_odbc.c. Protected
by testing the bogus_chan value.
* Fixed needlessly clearing a 1024 char auto array when setting the first
char to zero is enough in manager.c:action_getvar().
(closes issue ASTERISK-18613)
Reported by: Thomas Arimont
Patches:
jira_asterisk_18613_v1.8.patch (license #5621) patch uploaded by rmudgett
Tested by: Thomas Arimont
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@337973 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This update adds a new AMI event, TestEvent, which is enabled when the TEST_FRAMEWORK compiler flag is defined. It also adds initial usage of this event to app_voicemail. The TestEvent AMI event is used extensively by the voicemail tests in the Asterisk Test Suite.
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@332817 65c4cc65-6c06-0410-ace0-fbb531ad65f3
An empty string was not being checked for properly causing identification of
the module to be reloaded to fail and return an Error with message
"No such module."
(closes issue AST-616)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@331315 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The process_output() function calls ast_str_append() and xml_translate() on its
'out' parameter, which is a pointer to an ast_str buffer. If either of these
functions need to reallocate the ast_str so it will have more space, they will
free the existing buffer and allocate a new one, returning the address of the
new one. However, because process_output only receives a pointer to the ast_str,
not a pointer to its caller's variable holding the pointer, if the original
ast_str is freed, the caller will not know, and will continue to use it (and
later attempt to free it).
(reported by jkroon on #asterisk-dev)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@327950 65c4cc65-6c06-0410-ace0-fbb531ad65f3
https://origsvn.digium.com/svn/asterisk/branches/1.6.2
................
r323579 | seanbright | 2011-06-15 11:22:50 -0400 (Wed, 15 Jun 2011) | 32 lines
Merged revisions 323559 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4
........
r323559 | seanbright | 2011-06-15 11:15:30 -0400 (Wed, 15 Jun 2011) | 25 lines
Resolve a segfault/bus error when we try to map memory that falls on a page
boundary.
The fix for ASTERISK-15359 was incorrect in that it added 1 to the length of the
mmap'd region. The problem with this is that reading/writing to that extra byte
outside of the bounds of the underlying fd causes a bus error.
The real issue is that we are working with both a FILE * and the raw fd
underneath it and not synchronizing between them. The code that was removed in
ASTERISK-15359 was correct, but we weren't flushing the FILE * before mapping
the fd.
Looking at the manager code in 1.4 reveals that the FILE * in 'struct
mansession' is never used except to create a temporary file that we immediately
fdopen. This means we just need to write a 0 byte to the fd and everything will
just work. The other branches require a call to fflush() which, while not a
guaranteed fix, should reduce the likelihood of a crash.
This all makes sense in my head.
(closes issue ASTERISK-16460)
Reported by: Ravelomanantsoa Hoby (hoby)
Patches:
issue17747_1.4_svn_markII.patch uploaded by Sean Bright (license #5060)
........
................
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@323608 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The addition of connected line support in v1.8 changes the behavior of the
channel caller ID somewhat. The channel caller ID value no longer time
shares with the connected line ID on outgoing call legs. The timing of
some AMI events/responses output the connected line ID as caller ID.
These party ID's are now separate.
* The ConnectedLineNum and ConnectedLineName headers were added to many
AMI events/responses if the CallerIDNum/CallerIDName headers were also
present.
(closes issue #18252)
Reported by: gje
Tested by: rmudgett
Review: https://reviewboard.asterisk.org/r/1227/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@320823 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Add ConnectedLineNum and ConnectedLineName headers to the output of the
AMI action Status. This makes it easier to find out who the channel is
connected to without having to lookup BridgedChannel or when they are
connected to an application (e.g.: VoiceMail) which has no bridged
channel.
* Bridged channels with no CallerID had "" instead of "<unknown>" output,
that might be a bug as "<unknown>" was what older versions used.
(closes issue #18158)
Reported by: gareth
Patches:
svn-292308.diff uploaded by gareth (license 208)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@320650 65c4cc65-6c06-0410-ace0-fbb531ad65f3
https://origsvn.digium.com/svn/asterisk/branches/1.6.2
................
r314620 | mnicholson | 2011-04-21 13:22:19 -0500 (Thu, 21 Apr 2011) | 20 lines
Merged revisions 314607 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4
........
r314607 | mnicholson | 2011-04-21 13:19:21 -0500 (Thu, 21 Apr 2011) | 14 lines
Added limits to the number of unauthenticated sessions TCP based protocols are allowed to have open simultaneously. Also added timeouts for unauthenticated sessions where it made sense to do so.
Unrelated, the manager interface now properly checks if the user has the "system" privilege before executing shell commands via the Originate action.
AST-2011-005
AST-2011-006
(closes issue #18787)
Reported by: kobaz
(related to issue #18996)
Reported by: tzafrir
........
................
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@314628 65c4cc65-6c06-0410-ace0-fbb531ad65f3
r309204 changed the behavior of ast_http_send. It now requires headers
to be passed with trailing \r\n. This change updates the remaining
instances in the code that did not pass the \r\n.
(closes issue #18186)
Reported by: nivaldomjunior
Patches:
res_phoneprov.c.diff uploaded by lathama (license 1028)
manager.diff.txt uploaded by twilson (license 396)
Tested by: lathama
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@310240 65c4cc65-6c06-0410-ace0-fbb531ad65f3
https://origsvn.digium.com/svn/asterisk/branches/1.6.2
................
r308814 | twilson | 2011-02-24 11:54:49 -0600 (Thu, 24 Feb 2011) | 19 lines
Merged revisions 308813 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4
........
r308813 | twilson | 2011-02-24 11:42:16 -0600 (Thu, 24 Feb 2011) | 12 lines
Don't broadcast FullyBooted to every AMI connection
The FullyBooted event should not be sent to every AMI connection every
time someone connects via AMI. It should only be sent to the user who
just connected.
(closes issue #18168)
Reported by: FeyFre
Patches:
bug0018168.patch uploaded by FeyFre (license 1142)
Tested by: FeyFre, twilson
........
................
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@308815 65c4cc65-6c06-0410-ace0-fbb531ad65f3
https://origsvn.digium.com/svn/asterisk/branches/1.6.2
................
r305889 | rmudgett | 2011-02-02 18:15:07 -0600 (Wed, 02 Feb 2011) | 17 lines
Merged revisions 305888 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4
........
r305888 | rmudgett | 2011-02-02 18:02:43 -0600 (Wed, 02 Feb 2011) | 8 lines
Minor AST_FRAME_TEXT related issues.
* Include the null terminator in the buffer length. When the frame is
queued it is copied. If the null terminator is not part of the frame
buffer length, the receiver could see garbage appended onto it.
* Add channel lock protection with ast_sendtext().
* Fixed AMI SendText action ast_sendtext() return value check.
........
................
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@305923 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The intent of this check as it stands in previous versions of Asterisk was to
check if there are any active sessions. If there were no sessions, then the
function would return immediately and not bother with queueing up the manager
event to be processed. Since the conversion of storing sessions in an astobj2
container, this check will always pass. I changed it to go back to checking
what was intended.
The side effect of this was that if the AMI is disabled, the manager event
queue is populated anyway, but the code that runs to clear out the queue
never runs. A producer with no consumer is a bad thing.
Reported internally by kmorgan.
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@302785 65c4cc65-6c06-0410-ace0-fbb531ad65f3
https://origsvn.digium.com/svn/asterisk/branches/1.6.2
................
r301594 | mnicholson | 2011-01-12 12:50:31 -0600 (Wed, 12 Jan 2011) | 15 lines
Removed a usleep(1) that shouldn't be necessary in session_do, and removed the
ms_t member from the mansession_session structure.
Merged revisions 301591 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4
........
r301591 | mnicholson | 2011-01-12 12:39:03 -0600 (Wed, 12 Jan 2011) | 5 lines
Don't store the thread id for the manager session in the structure we pass to
the thread for the manager session.
ABE-2543
........
................
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@301595 65c4cc65-6c06-0410-ace0-fbb531ad65f3
It is possible for a AMI session to freeze because of invalid
use of recursive locks during the EVENT processing. This
patch removes the unnecessary locks.
(closes issue #18167)
Reported by: sustav
Patches:
manager_locking_v1.diff uploaded by dvossel (license 671)
Tested by: sustav
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@292595 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This issue was caused by improper use of the mansession lock and
manession_session lock. These two structures are confusing to begin
with so I'm not surprised this occurred. I fixed this by consistently
making sure we use each of these locks only to protect the data
in the corresponding structure. We had mismatched usage of these
locks which resulted in no mutual exclusivity occurring at all.
(closes issue #17994)
Reported by: vrban
Patches:
mansession_locking_fix.diff uploaded by dvossel (license 671)
Tested by: vrban
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@291227 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Previously, this code required exactly one space to be after the ':' in headers
for an AMI action. This now makes whitespace optional, and allows whitespace that
is there to vary in amount.
(closes issue #17862)
Reported by: cmoye
Patches:
manager.c.patch_trunk uploaded by cmoye (license 858)
manager.c.patch_1.8 uploaded by cmoye (license 858)
Tested by: cmoye
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@284065 65c4cc65-6c06-0410-ace0-fbb531ad65f3
