Update for 14.7.6

pjproject's fmtp retrieval function failed to catch invalid fmtp attributes.
Because of this Asterisk would crash if given an SDP with an invalid fmtp
attribute.

When retrieving the format this patch now makes sure the fmtp attribute is
available. If not available it now returns an error status.

ASTERISK-27583 #close

Change-Id: I5cebe000ce2d846cae3af33b6d72c416e51caf2f

.version

@@ -1 +1 @@
-14.7.5
+14.7.6

CHANGES

@@ -8,6 +8,17 @@
 ===
 ==============================================================================
 
+------------------------------------------------------------------------------
+--- Functionality changes from Asterisk 14.7.5 to Asterisk 14.7.6 ------------
+------------------------------------------------------------------------------
+
+res_pjsip_transport_management
+------------------
+ * Since res_pjsip_transport_management provides several attack
+   mitigation features, its functionality moved to res_pjsip and
+   this module has been removed.  This way the features will always
+   be available if res_pjsip is loaded.
+
 ------------------------------------------------------------------------------
 --- Functionality changes from Asterisk 14.6.0 to Asterisk 14.7.0 ------------
 ------------------------------------------------------------------------------

ChangeLog

@@ -1,3 +1,109 @@
+2018-02-21 18:53 +0000  Asterisk Development Team <asteriskteam@digium.com>
+
+	* asterisk 14.7.6 Released.
+
+2018-01-31 13:37 +0000 [4e9849c4bc]  Kevin Harwell <kharwell@digium.com>
+
+	* AST-2018-003: Crash with an invalid SDP fmtp attribute
+
+	  pjproject's fmtp retrieval function failed to catch invalid fmtp attributes.
+	  Because of this Asterisk would crash if given an SDP with an invalid fmtp
+	  attribute.
+
+	  When retrieving the format this patch now makes sure the fmtp attribute is
+	  available. If not available it now returns an error status.
+
+	  ASTERISK-27583 #close
+
+	  Change-Id: I5cebe000ce2d846cae3af33b6d72c416e51caf2f
+
+2018-01-31 13:33 +0000 [37eb30e1d2]  Kevin Harwell <kharwell@digium.com>
+
+	* AST-2018-002: Crash with an invalid SDP media format description
+
+	  pjproject's media format parsing algorithm failed to catch invalid values.
+	  Because of this Asterisk would crash if given an SDP with a invalid media
+	  format description.
+
+	  When parsing the media format description this patch now properly parses the
+	  value and returns an error status if it can't successfully parse/convert the
+	  value.
+
+	  ASTERISK-27582 #close
+
+	  Change-Id: I883b3a4ef85b6972397f7b56bf46c5779c55fdd6
+
+2018-02-06 12:07 +0000 [45db14178f]  George Joseph <gjoseph@digium.com>
+
+	* AST-2018-005: res_pjsip_transport_management:  Move to core
+
+	  Since res_pjsip_transport_management provides several attack
+	  mitigation features, its functionality moved to res_pjsip and
+	  this module has been removed.  This way the features will always
+	  be available if res_pjsip is loaded.
+
+	  ASTERISK-27618
+	  Reported By: Sandro Gauci
+
+	  Change-Id: I21a2d33d9dda001452ea040d350d7a075f9acf0d
+
+2018-02-06 11:28 +0000 [de0b026c4d]  George Joseph <gjoseph@digium.com>
+
+	* AST-2018-005: Fix tdata leaks when calling pjsip_endpt_send_response(2)
+
+	  pjsip_distributor:
+	     authenticate() creates a tdata and uses it to send a challenge or
+	     failure response.  When pjsip_endpt_send_response2() succeeds, it
+	     automatically decrements the tdata ref count but when it fails, it
+	     doesn't.  Since we weren't checking for a return status, we weren't
+	     decrementing the count ourselves on error and were therefore leaking
+	     tdatas.
+
+	  res_pjsip_session:
+	     session_reinvite_on_rx_request wasn't decrementing the ref count
+	     if an error happened while sending a 491 response.
+	     pre_session_setup wasn't decrementing the ref count if
+	     while sending an error after a pjsip_inv_verify_request failure.
+
+	  res_pjsip:
+	     ast_sip_send_response wasn't decrementing the ref count on error.
+
+	  ASTERISK-27618
+	  Reported By: Sandro Gauci
+
+	  Change-Id: Iab33a6c7b6fba96148ed465b690ba8534ac961bf
+
+2018-02-06 11:21 +0000 [b5657daf8b]  George Joseph <gjoseph@digium.com>
+
+	* AST-2018-005: Add a check for NULL tdata in ast_sip_failover_request
+
+	  It was discovered that there are some corner cases where a pjsip tsx
+	  might have no last_tx so calling ast_sip_failover_request with
+	  a NULL last_tx as its tdata would cause a crash.
+
+	  ASTERISK-27618
+	  Reported By:  Sandro Gauci
+
+	  Change-Id: Ic2b63f6d4ae617c4c19dcdec2a7a6156b54fd15b
+
+2018-02-07 08:09 +0000 [dd3e3153ea]  Joshua Colp <jcolp@digium.com>
+
+	* AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.
+
+	  When receiving a SUBSCRIBE request the Accept headers from it are
+	  stored locally. This operation has a fixed limit of 32 Accept headers
+	  but this limit was not enforced. As a result it was possible for
+	  memory outside of the allocated space to get written to resulting
+	  in a crash.
+
+	  This change enforces the limit so only 32 Accept headers are
+	  processed.
+
+	  ASTERISK-27640
+	  Reported By: Sandro Gauci
+
+	  Change-Id: I99a814b10b554b13a6021ccf41111e5bc95e7301
+
 2017-12-22 22:26 +0000  Asterisk Development Team <asteriskteam@digium.com>
 
 	* asterisk 14.7.5 Released.

UPGRADE.txt

@@ -22,6 +22,14 @@
 === UPGRADE-13.txt  -- Upgrade info for 12 to 13
 ===========================================================
 
+From 14.7.5 to 14.7.6:
+
+res_pjsip_transport_management:
+ - Since res_pjsip_transport_management provides several attack
+   mitigation features, its functionality moved to res_pjsip and
+   this module has been removed.  This way the features will always
+   be available if res_pjsip is loaded.
+
 From 14.6.0 to 14.7.0:
 
 Core:

asterisk-14.7.5-summary.html

@@ -1,11 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-14.7.5</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-14.7.5</h3><h3 align="center">Date: 2017-12-22</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
-<li><a href="#summary">Summary</a></li>
-<li><a href="#contributors">Contributors</a></li>
-<li><a href="#closed_issues">Closed Issues</a></li>
-<li><a href="#diffstat">Diffstat</a></li>
-</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release is a point release of an existing major version. The changes included were made to address problems that have been identified in this release series, or are minor, backwards compatible new features or improvements. Users should be able to safely upgrade to this version if this release series is already in use. Users considering upgrading from a previous version are strongly encouraged to review the UPGRADE.txt document as well as the CHANGES document for information about upgrading to this release series.</p><p>The data in this summary reflects changes that have been made since the previous release, asterisk-14.7.4.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
-<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
-<tr valign="top"><td width="33%">1 Kevin Harwell <kharwell@digium.com><br/></td><td width="33%"><td width="33%">1 Ross Beer <ross.beer@voicehost.co.uk><br/></td></tr>
-</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Bug</h3><h4>Category: Channels/chan_pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27480">ASTERISK-27480</a>: Security: Authenticated SUBSCRIBE without Contact crashes asterisk<br/>Reported by: Ross Beer<ul>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=ad5323acfabfe45bc9688e6d1b6ba13085f9f9b9">[ad5323acfa]</a> Kevin Harwell -- AST-2017-014: res_pjsip - Missing contact header can cause crash</li>
-</ul><br><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>0 files changed</pre><br></html>

asterisk-14.7.5-summary.txt

@@ -1,82 +0,0 @@
-                                Release Summary
-
-                                asterisk-14.7.5
-
-                                Date: 2017-12-22
-
-                           <asteriskteam@digium.com>
-
-     ----------------------------------------------------------------------
-
-                               Table of Contents
-
-    1. Summary
-    2. Contributors
-    3. Closed Issues
-    4. Diffstat
-
-     ----------------------------------------------------------------------
-
-                                    Summary
-
-                                 [Back to Top]
-
-   This release is a point release of an existing major version. The changes
-   included were made to address problems that have been identified in this
-   release series, or are minor, backwards compatible new features or
-   improvements. Users should be able to safely upgrade to this version if
-   this release series is already in use. Users considering upgrading from a
-   previous version are strongly encouraged to review the UPGRADE.txt
-   document as well as the CHANGES document for information about upgrading
-   to this release series.
-
-   The data in this summary reflects changes that have been made since the
-   previous release, asterisk-14.7.4.
-
-     ----------------------------------------------------------------------
-
-                                  Contributors
-
-                                 [Back to Top]
-
-   This table lists the people who have submitted code, those that have
-   tested patches, as well as those that reported issues on the issue tracker
-   that were resolved in this release. For coders, the number is how many of
-   their patches (of any size) were committed into this release. For testers,
-   the number is the number of times their name was listed as assisting with
-   testing a patch. Finally, for reporters, the number is the number of
-   issues that they reported that were affected by commits that went into
-   this release.
-
-   Coders                   Testers                  Reporters                
-   1 Kevin Harwell                                   1 Ross Beer              
-
-     ----------------------------------------------------------------------
-
-                                 Closed Issues
-
-                                 [Back to Top]
-
-   This is a list of all issues from the issue tracker that were closed by
-   changes that went into this release.
-
-  Bug
-
-    Category: Channels/chan_pjsip
-
-   ASTERISK-27480: Security: Authenticated SUBSCRIBE without Contact crashes
-   asterisk
-   Reported by: Ross Beer
-     * [ad5323acfa] Kevin Harwell -- AST-2017-014: res_pjsip - Missing
-       contact header can cause crash
-
-     ----------------------------------------------------------------------
-
-                                Diffstat Results
-
-                                 [Back to Top]
-
-   This is a summary of the changes to the source code that went into this
-   release that was generated using the diffstat utility.
-
- 0 files changed

asterisk-14.7.6-summary.html

@@ -0,0 +1,31 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-14.7.6</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-14.7.6</h3><h3 align="center">Date: 2018-02-21</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
+<li><a href="#summary">Summary</a></li>
+<li><a href="#contributors">Contributors</a></li>
+<li><a href="#closed_issues">Closed Issues</a></li>
+<li><a href="#diffstat">Diffstat</a></li>
+</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
+<li><a href="http://downloads.asterisk.org/pub/security/AST-2018-002,AST-2018-003,AST-2018-004,AST-2018-005.html">AST-2018-002,AST-2018-003,AST-2018-004,AST-2018-005</a></li>
+</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-14.7.5.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
+<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
+<tr valign="top"><td width="33%">3 George Joseph <gjoseph@digium.com><br/>2 Kevin Harwell <kharwell@digium.com><br/>1 Joshua Colp <jcolp@digium.com><br/></td><td width="33%"><td width="33%">6 Sandro Gauci <sandro@enablesecurity.com><br/>4 Sandro Gauci<br/></td></tr>
+</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Security</h3><h4>Category: Channels/chan_pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27583">ASTERISK-27583</a>: Segmentation fault occurs in asterisk with an invalid SDP fmtp attribute<br/>Reported by: Sandro Gauci<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=4e9849c4bc706f6c1ca8c7866402e732c322df6f">[4e9849c4bc]</a> Kevin Harwell -- AST-2018-003: Crash with an invalid SDP fmtp attribute</li>
+</ul><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27582">ASTERISK-27582</a>: Segmentation fault occurs in Asterisk with an invalid SDP media format description<br/>Reported by: Sandro Gauci<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=37eb30e1d26c1c10063c7d01ca8fa26de1bfa297">[37eb30e1d2]</a> Kevin Harwell -- AST-2018-002: Crash with an invalid SDP media format description</li>
+</ul><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27640">ASTERISK-27640</a>: SUBSCRIBE message with a large Accept value causes stack corruption<br/>Reported by: Sandro Gauci<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=dd3e3153ea1c161569e93bc87fbf788cfd0c1de7">[dd3e3153ea]</a> Joshua Colp -- AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.</li>
+</ul><br><h4>Category: pjproject/pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27618">ASTERISK-27618</a>: Crash occurs when sending a repeated number of INVITE messages over TCP or TLS transport<br/>Reported by: Sandro Gauci<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=45db14178f3840deb24662ff3bb45636fccfb9d8">[45db14178f]</a> George Joseph -- AST-2018-005: res_pjsip_transport_management:  Move to core</li>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=de0b026c4d6b34a6d174e82a0e400f4391d07b0e">[de0b026c4d]</a> George Joseph -- AST-2018-005: Fix tdata leaks when calling pjsip_endpt_send_response(2)</li>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=b5657daf8b3e9d2dfa4ab7bf034b92a17a2d3cf3">[b5657daf8b]</a> George Joseph -- AST-2018-005: Add a check for NULL tdata in ast_sip_failover_request</li>
+</ul><br><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>b/CHANGES                                                |   11
+b/UPGRADE.txt                                            |    8
+b/res/res_pjsip.c                                        |   17
+b/res/res_pjsip/include/res_pjsip_private.h              |   28 +
+b/res/res_pjsip/pjsip_distributor.c                      |    8
+b/res/res_pjsip/pjsip_transport_management.c             |  376 ++++++++++++++
+b/res/res_pjsip_pubsub.c                                 |    5
+b/res/res_pjsip_session.c                                |    8
+b/third-party/pjproject/patches/0070-sdp_media_fmt.patch |   19
+res/res_pjsip_transport_management.c                     |  400 ---------------
+10 files changed, 472 insertions(+), 408 deletions(-)</pre><br></html>

asterisk-14.7.6-summary.txt

@@ -0,0 +1,118 @@
+                                Release Summary
+
+                                asterisk-14.7.6
+
+                                Date: 2018-02-21
+
+                           <asteriskteam@digium.com>
+
+     ----------------------------------------------------------------------
+
+                               Table of Contents
+
+    1. Summary
+    2. Contributors
+    3. Closed Issues
+    4. Diffstat
+
+     ----------------------------------------------------------------------
+
+                                    Summary
+
+                                 [Back to Top]
+
+   This release has been made to address one or more security vulnerabilities
+   that have been identified. A security advisory document has been published
+   for each vulnerability that includes additional information. Users of
+   versions of Asterisk that are affected are strongly encouraged to review
+   the advisories and determine what action they should take to protect their
+   systems from these issues.
+
+   Security Advisories:
+
+     * AST-2018-002,AST-2018-003,AST-2018-004,AST-2018-005
+
+   The data in this summary reflects changes that have been made since the
+   previous release, asterisk-14.7.5.
+
+     ----------------------------------------------------------------------
+
+                                  Contributors
+
+                                 [Back to Top]
+
+   This table lists the people who have submitted code, those that have
+   tested patches, as well as those that reported issues on the issue tracker
+   that were resolved in this release. For coders, the number is how many of
+   their patches (of any size) were committed into this release. For testers,
+   the number is the number of times their name was listed as assisting with
+   testing a patch. Finally, for reporters, the number is the number of
+   issues that they reported that were affected by commits that went into
+   this release.
+
+   Coders                   Testers                  Reporters                
+   3 George Joseph                                   6 Sandro Gauci           
+   2 Kevin Harwell                                   4 Sandro Gauci           
+   1 Joshua Colp            
+
+     ----------------------------------------------------------------------
+
+                                 Closed Issues
+
+                                 [Back to Top]
+
+   This is a list of all issues from the issue tracker that were closed by
+   changes that went into this release.
+
+  Security
+
+    Category: Channels/chan_pjsip
+
+   ASTERISK-27583: Segmentation fault occurs in asterisk with an invalid SDP
+   fmtp attribute
+   Reported by: Sandro Gauci
+     * [4e9849c4bc] Kevin Harwell -- AST-2018-003: Crash with an invalid SDP
+       fmtp attribute
+   ASTERISK-27582: Segmentation fault occurs in Asterisk with an invalid SDP
+   media format description
+   Reported by: Sandro Gauci
+     * [37eb30e1d2] Kevin Harwell -- AST-2018-002: Crash with an invalid SDP
+       media format description
+   ASTERISK-27640: SUBSCRIBE message with a large Accept value causes stack
+   corruption
+   Reported by: Sandro Gauci
+     * [dd3e3153ea] Joshua Colp -- AST-2018-004: Restrict the number of
+       Accept headers in a SUBSCRIBE.
+
+    Category: pjproject/pjsip
+
+   ASTERISK-27618: Crash occurs when sending a repeated number of INVITE
+   messages over TCP or TLS transport
+   Reported by: Sandro Gauci
+     * [45db14178f] George Joseph -- AST-2018-005:
+       res_pjsip_transport_management: Move to core
+     * [de0b026c4d] George Joseph -- AST-2018-005: Fix tdata leaks when
+       calling pjsip_endpt_send_response(2)
+     * [b5657daf8b] George Joseph -- AST-2018-005: Add a check for NULL tdata
+       in ast_sip_failover_request
+
+     ----------------------------------------------------------------------
+
+                                Diffstat Results
+
+                                 [Back to Top]
+
+   This is a summary of the changes to the source code that went into this
+   release that was generated using the diffstat utility.
+
+ b/CHANGES                                                |   11
+ b/UPGRADE.txt                                            |    8
+ b/res/res_pjsip.c                                        |   17
+ b/res/res_pjsip/include/res_pjsip_private.h              |   28 +
+ b/res/res_pjsip/pjsip_distributor.c                      |    8
+ b/res/res_pjsip/pjsip_transport_management.c             |  376 ++++++++++++++
+ b/res/res_pjsip_pubsub.c                                 |    5
+ b/res/res_pjsip_session.c                                |    8
+ b/third-party/pjproject/patches/0070-sdp_media_fmt.patch |   19
+ res/res_pjsip_transport_management.c                     |  400 ---------------
+ 10 files changed, 472 insertions(+), 408 deletions(-)

res/res_pjsip.c

@@ -3887,7 +3887,8 @@ int ast_sip_failover_request(pjsip_tx_data *tdata)
 {
 	pjsip_via_hdr *via;
 
-	if (!tdata->dest_info.addr.count || (tdata->dest_info.cur_addr == tdata->dest_info.addr.count - 1)) {
+	if (!tdata || !tdata->dest_info.addr.count
+		|| (tdata->dest_info.cur_addr == tdata->dest_info.addr.count - 1)) {
 		/* No more addresses to try */
 		return 0;
 	}
@@ -4423,9 +4424,15 @@ static void supplement_outgoing_response(pjsip_tx_data *tdata, struct ast_sip_en
 
 int ast_sip_send_response(pjsip_response_addr *res_addr, pjsip_tx_data *tdata, struct ast_sip_endpoint *sip_endpoint)
 {
-	supplement_outgoing_response(tdata, sip_endpoint);
+	pj_status_t status;
 
-	return pjsip_endpt_send_response(ast_sip_get_pjsip_endpoint(), res_addr, tdata, NULL, NULL);
+	supplement_outgoing_response(tdata, sip_endpoint);
+	status = pjsip_endpt_send_response(ast_sip_get_pjsip_endpoint(), res_addr, tdata, NULL, NULL);
+	if (status != PJ_SUCCESS) {
+		pjsip_tx_data_dec_ref(tdata);
+	}
+
+	return status == PJ_SUCCESS ? 0 : -1;
 }
 
 int ast_sip_send_stateful_response(pjsip_rx_data *rdata, pjsip_tx_data *tdata, struct ast_sip_endpoint *sip_endpoint)
@@ -4667,6 +4674,7 @@ static int unload_pjsip(void *data)
 		ast_res_pjsip_cleanup_options_handling();
 		ast_res_pjsip_cleanup_message_filter();
 		ast_sip_destroy_distributor();
+		ast_sip_destroy_transport_management();
 		ast_res_pjsip_destroy_configuration();
 		ast_sip_destroy_system();
 		ast_sip_destroy_global_headers();
@@ -4832,6 +4840,11 @@ static int load_module(void)
 	ast_sip_initialize_resolver();
 	ast_sip_initialize_dns();
 
+	if (ast_sip_initialize_transport_management()) {
+		ast_log(LOG_ERROR, "Failed to initialize SIP transport management. Aborting load\n");
+		goto error;
+	}
+
 	if (ast_sip_initialize_distributor()) {
 		ast_log(LOG_ERROR, "Failed to register distributor module. Aborting load\n");
 		goto error;

res/res_pjsip/include/res_pjsip_private.h

@@ -395,4 +395,32 @@ int ast_sip_initialize_scheduler(void);
  */
 int ast_sip_destroy_scheduler(void);
 
+/*!
+ * \internal
+ * \brief Initialize the transport management module
+ * \since 13.20.0
+ *
+ * The transport management module is responsible for 3 things...
+ * 1.  It automatically destroys any reliable transport that does not
+ * receive a valid request within system/timer_b milliseconds of the
+ * connection being opened. (Attack mitigation)
+ * 2.  Since it increments the reliable transport's reference count
+ * for that period of time, it also prevents issues if the transport
+ * disconnects while we're still trying to process a response.
+ *  (Attack mitigation)
+ * 3.  If enabled by global/keep_alive_interval, it sends '\r\n'
+ * keepalives on reliable transports at the interval specified.
+ *
+ * \retval -1 Failure
+ * \retval 0 Success
+ */
+int ast_sip_initialize_transport_management(void);
+
+/*!
+ * \internal
+ * \brief Destruct the transport management module.
+ * \since 13.20.0
+ */
+void ast_sip_destroy_transport_management(void);
+
 #endif /* RES_PJSIP_PRIVATE_H_ */

res/res_pjsip/pjsip_distributor.c

@@ -854,7 +854,9 @@ static pj_bool_t authenticate(pjsip_rx_data *rdata)
 		case AST_SIP_AUTHENTICATION_CHALLENGE:
 			/* Send the 401 we created for them */
 			ast_sip_report_auth_challenge_sent(endpoint, rdata, tdata);
-			pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL);
+			if (pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL) != PJ_SUCCESS) {
+				pjsip_tx_data_dec_ref(tdata);
+			}
 			return PJ_TRUE;
 		case AST_SIP_AUTHENTICATION_SUCCESS:
 			/* See note in endpoint_lookup about not holding an unnecessary write lock */
@@ -867,7 +869,9 @@ static pj_bool_t authenticate(pjsip_rx_data *rdata)
 		case AST_SIP_AUTHENTICATION_FAILED:
 			log_failed_request(rdata, "Failed to authenticate", 0, 0);
 			ast_sip_report_auth_failed_challenge_response(endpoint, rdata);
-			pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL);
+			if (pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL) != PJ_SUCCESS) {
+				pjsip_tx_data_dec_ref(tdata);
+			}
 			return PJ_TRUE;
 		case AST_SIP_AUTHENTICATION_ERROR:
 			log_failed_request(rdata, "Error to authenticate", 0, 0);

res/res_pjsip/pjsip_transport_management.c

@@ -16,12 +16,6 @@
  * at the top of the source tree.
  */
 
-/*** MODULEINFO
-	<depend>pjproject</depend>
-	<depend>res_pjsip</depend>
-	<support_level>core</support_level>
- ***/
-
 #include "asterisk.h"
 
 #include <signal.h>
@@ -32,6 +26,7 @@
 #include "asterisk/res_pjsip.h"
 #include "asterisk/module.h"
 #include "asterisk/astobj2.h"
+#include "include/res_pjsip_private.h"
 
 /*! \brief Number of buckets for monitored transports */
 #define TRANSPORTS_BUCKETS 127
@@ -319,12 +314,10 @@ static pjsip_module idle_monitor_module = {
 	.on_rx_request = idle_monitor_on_rx_request,
 };
 
-static int load_module(void)
+int ast_sip_initialize_transport_management(void)
 {
 	struct ao2_container *transports;
 
-	CHECK_PJSIP_MODULE_LOADED();
-
 	transports = ao2_container_alloc(TRANSPORTS_BUCKETS, monitored_transport_hash_fn,
 		monitored_transport_cmp_fn);
 	if (!transports) {
@@ -356,11 +349,10 @@ static int load_module(void)
 	ast_sorcery_observer_add(ast_sip_get_sorcery(), "global", &keepalive_global_observer);
 	ast_sorcery_reload_object(ast_sip_get_sorcery(), "global");
 
-	ast_module_shutdown_ref(ast_module_info->self);
 	return AST_MODULE_LOAD_SUCCESS;
 }
 
-static int unload_module(void)
+void ast_sip_destroy_transport_management(void)
 {
 	if (keepalive_interval) {
 		keepalive_interval = 0;
@@ -381,20 +373,4 @@ static int unload_module(void)
 	sched = NULL;
 
 	ao2_global_obj_release(monitored_transports);
-
-	return 0;
 }
-
-static int reload_module(void)
-{
-	ast_sorcery_reload_object(ast_sip_get_sorcery(), "global");
-	return 0;
-}
-
-AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP Reliable Transport Management",
-	.support_level = AST_MODULE_SUPPORT_CORE,
-	.load = load_module,
-	.reload = reload_module,
-	.unload = unload_module,
-	.load_pri = AST_MODPRI_CHANNEL_DEPEND - 4,
-);

res/res_pjsip_pubsub.c

@@ -732,10 +732,11 @@ static struct ast_sip_pubsub_body_generator *subscription_get_generator_from_rda
 	char accept[AST_SIP_MAX_ACCEPT][64];
 	size_t num_accept_headers = 0;
 
-	while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next))) {
+	while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next)) &&
+		(num_accept_headers < AST_SIP_MAX_ACCEPT)) {
 		int i;
 
-		for (i = 0; i < accept_header->count; ++i) {
+		for (i = 0; i < accept_header->count && num_accept_headers < AST_SIP_MAX_ACCEPT; ++i) {
 			if (!exceptional_accept(&accept_header->values[i])) {
 				ast_copy_pj_str(accept[num_accept_headers], &accept_header->values[i], sizeof(accept[num_accept_headers]));
 				++num_accept_headers;

res/res_pjsip_session.c

@@ -1083,7 +1083,9 @@ static pj_bool_t session_reinvite_on_rx_request(pjsip_rx_data *rdata)
 
 		/* Otherwise this is a new re-invite, so reject it */
 		if (pjsip_dlg_create_response(dlg, rdata, 491, NULL, &tdata) == PJ_SUCCESS) {
-			pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL);
+			if (pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL) != PJ_SUCCESS) {
+				pjsip_tx_data_dec_ref(tdata);
+			}
 		}
 
 		return PJ_TRUE;
@@ -2045,7 +2047,9 @@ static pjsip_inv_session *pre_session_setup(pjsip_rx_data *rdata, const struct a
 
 	if (pjsip_inv_verify_request(rdata, &options, NULL, NULL, ast_sip_get_pjsip_endpoint(), &tdata) != PJ_SUCCESS) {
 		if (tdata) {
-			pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL);
+			if (pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL) != PJ_SUCCESS) {
+				pjsip_tx_data_dec_ref(tdata);
+			}
 		} else {
 			pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);
 		}

third-party/pjproject/patches/0070-sdp_media_fmt.patch

@@ -0,0 +1,19 @@
+diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c
+index a3dd80b..0a13206 100644
+--- a/pjmedia/src/pjmedia/sdp.c
++++ b/pjmedia/src/pjmedia/sdp.c
+@@ -1516,11 +1516,12 @@ PJ_DEF(pj_status_t) pjmedia_sdp_validate2(const pjmedia_sdp_session *sdp,
+ 	     * RTC based programs sends "null" for instant messaging!
+ 	     */
+ 	    if (pj_isdigit(*m->desc.fmt[j].ptr)) {
+-		unsigned pt = pj_strtoul(&m->desc.fmt[j]);
++		unsigned long pt;
++		pj_status_t status = pj_strtoul3(&m->desc.fmt[j], &pt, 10);
+ 
+ 		/* Payload type is between 0 and 127. 
+ 		 */
+-		CHECK( pt <= 127, PJMEDIA_SDP_EINPT);
++		CHECK( status == PJ_SUCCESS && pt <= 127, PJMEDIA_SDP_EINPT);
+ 
+ 		/* If port is not zero, then for each dynamic payload type, an
+ 		 * rtpmap attribute must be specified.

third-party/pjproject/patches/0071-sdp_fmtp_attr.patch

@@ -0,0 +1,34 @@
+diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c
+index a3dd80b..6117e07 100644
+--- a/pjmedia/src/pjmedia/sdp.c
++++ b/pjmedia/src/pjmedia/sdp.c
+@@ -256,7 +256,8 @@ PJ_DEF(pj_status_t) pjmedia_sdp_attr_get_rtpmap( const pjmedia_sdp_attr *attr,
+ 
+     PJ_ASSERT_RETURN(pj_strcmp2(&attr->name, "rtpmap")==0, PJ_EINVALIDOP);
+ 
+-    PJ_ASSERT_RETURN(attr->value.slen != 0, PJMEDIA_SDP_EINATTR);
++    if (attr->value.slen == 0)
++        return PJMEDIA_SDP_EINATTR;
+ 
+     init_sdp_parser();
+ 
+@@ -341,6 +342,9 @@ PJ_DEF(pj_status_t) pjmedia_sdp_attr_get_fmtp( const pjmedia_sdp_attr *attr,
+ 
+     PJ_ASSERT_RETURN(pj_strcmp2(&attr->name, "fmtp")==0, PJ_EINVALIDOP);
+ 
++    if (attr->value.slen == 0)
++        return PJMEDIA_SDP_EINATTR;
++
+     /* fmtp BNF:
+      *	a=fmtp:<format> <format specific parameter>
+      */
+@@ -379,6 +383,9 @@ PJ_DEF(pj_status_t) pjmedia_sdp_attr_get_rtcp(const pjmedia_sdp_attr *attr,
+ 
+     PJ_ASSERT_RETURN(pj_strcmp2(&attr->name, "rtcp")==0, PJ_EINVALIDOP);
+ 
++    if (attr->value.slen == 0)
++        return PJMEDIA_SDP_EINATTR;
++
+     init_sdp_parser();
+ 
+     /* fmtp BNF: