Update for 14.7.8

The HTTP request processing in res_http_websocket allocates additional
space on the stack for various headers received during an Upgrade request.
An attacker could send a specially crafted request that causes this code
to overflow the stack, resulting in a crash.

* No longer allocate memory from the stack in a loop to parse the header
values.  NOTE: There is a slight API change when using the passed in
strings as is.  We now require the passed in strings to no longer have
leading or trailing whitespace.  This isn't a problem as the only callers
have already done this before passing the strings to the affected
function.

ASTERISK-28013 #close

Change-Id: Ia564825a8a95e085fd17e658cb777fe1afa8091a

.version

@@ -1 +1 @@
-14.7.6
+14.7.8

ChangeLog

@@ -1,3 +1,54 @@
+2018-09-20 18:48 +0000  Asterisk Development Team <asteriskteam@digium.com>
+
+	* asterisk 14.7.8 Released.
+
+2018-08-16 10:45 +0000 [31bde10351]  Sean Bright <sean.bright@gmail.com>
+
+	* AST-2018-009: Fix crash processing websocket HTTP Upgrade requests
+
+	  The HTTP request processing in res_http_websocket allocates additional
+	  space on the stack for various headers received during an Upgrade request.
+	  An attacker could send a specially crafted request that causes this code
+	  to overflow the stack, resulting in a crash.
+
+	  * No longer allocate memory from the stack in a loop to parse the header
+	  values.  NOTE: There is a slight API change when using the passed in
+	  strings as is.  We now require the passed in strings to no longer have
+	  leading or trailing whitespace.  This isn't a problem as the only callers
+	  have already done this before passing the strings to the affected
+	  function.
+
+	  ASTERISK-28013 #close
+
+	  Change-Id: Ia564825a8a95e085fd17e658cb777fe1afa8091a
+
+2018-06-11 21:11 +0000  Asterisk Development Team <asteriskteam@digium.com>
+
+	* asterisk 14.7.7 Released.
+
+2018-06-11 16:11 +0000 [a562192fa4]  Kevin Harwell <kharwell@digium.com>
+
+	* Update for 14.7.7
+
+2018-04-30 17:38 +0000 [b67fe624c6]  Richard Mudgett <rmudgett@digium.com>
+
+	* AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.
+
+	  When endpoint specific ACL rules block a SIP request they respond with a
+	  403 forbidden.  However, if an endpoint is not identified then a 401
+	  unauthorized response is sent.  This vulnerability just discloses which
+	  requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain
+	  access to the disclosed endpoints.
+
+	  * Made endpoint specific ACL rules now respond with a 401 unauthorized
+	  which is the same as if an endpoint were not identified.  The fix is
+	  accomplished by replacing the found endpoint with the artificial endpoint
+	  which always fails authentication.
+
+	  ASTERISK-27818
+
+	  Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32
+
 2018-02-21 18:53 +0000  Asterisk Development Team <asteriskteam@digium.com>
 
 	* asterisk 14.7.6 Released.

asterisk-14.7.6-summary.html

@@ -1,31 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-14.7.6</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-14.7.6</h3><h3 align="center">Date: 2018-02-21</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
-<li><a href="#summary">Summary</a></li>
-<li><a href="#contributors">Contributors</a></li>
-<li><a href="#closed_issues">Closed Issues</a></li>
-<li><a href="#diffstat">Diffstat</a></li>
-</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
-<li><a href="http://downloads.asterisk.org/pub/security/AST-2018-002,AST-2018-003,AST-2018-004,AST-2018-005.html">AST-2018-002,AST-2018-003,AST-2018-004,AST-2018-005</a></li>
-</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-14.7.5.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
-<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
-<tr valign="top"><td width="33%">3 George Joseph <gjoseph@digium.com><br/>2 Kevin Harwell <kharwell@digium.com><br/>1 Joshua Colp <jcolp@digium.com><br/></td><td width="33%"><td width="33%">6 Sandro Gauci <sandro@enablesecurity.com><br/>4 Sandro Gauci<br/></td></tr>
-</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Security</h3><h4>Category: Channels/chan_pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27583">ASTERISK-27583</a>: Segmentation fault occurs in asterisk with an invalid SDP fmtp attribute<br/>Reported by: Sandro Gauci<ul>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=4e9849c4bc706f6c1ca8c7866402e732c322df6f">[4e9849c4bc]</a> Kevin Harwell -- AST-2018-003: Crash with an invalid SDP fmtp attribute</li>
-</ul><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27582">ASTERISK-27582</a>: Segmentation fault occurs in Asterisk with an invalid SDP media format description<br/>Reported by: Sandro Gauci<ul>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=37eb30e1d26c1c10063c7d01ca8fa26de1bfa297">[37eb30e1d2]</a> Kevin Harwell -- AST-2018-002: Crash with an invalid SDP media format description</li>
-</ul><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27640">ASTERISK-27640</a>: SUBSCRIBE message with a large Accept value causes stack corruption<br/>Reported by: Sandro Gauci<ul>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=dd3e3153ea1c161569e93bc87fbf788cfd0c1de7">[dd3e3153ea]</a> Joshua Colp -- AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.</li>
-</ul><br><h4>Category: pjproject/pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27618">ASTERISK-27618</a>: Crash occurs when sending a repeated number of INVITE messages over TCP or TLS transport<br/>Reported by: Sandro Gauci<ul>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=45db14178f3840deb24662ff3bb45636fccfb9d8">[45db14178f]</a> George Joseph -- AST-2018-005: res_pjsip_transport_management:  Move to core</li>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=de0b026c4d6b34a6d174e82a0e400f4391d07b0e">[de0b026c4d]</a> George Joseph -- AST-2018-005: Fix tdata leaks when calling pjsip_endpt_send_response(2)</li>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=b5657daf8b3e9d2dfa4ab7bf034b92a17a2d3cf3">[b5657daf8b]</a> George Joseph -- AST-2018-005: Add a check for NULL tdata in ast_sip_failover_request</li>
-</ul><br><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>b/CHANGES                                                |   11
-b/UPGRADE.txt                                            |    8
-b/res/res_pjsip.c                                        |   17
-b/res/res_pjsip/include/res_pjsip_private.h              |   28 +
-b/res/res_pjsip/pjsip_distributor.c                      |    8
-b/res/res_pjsip/pjsip_transport_management.c             |  376 ++++++++++++++
-b/res/res_pjsip_pubsub.c                                 |    5
-b/res/res_pjsip_session.c                                |    8
-b/third-party/pjproject/patches/0070-sdp_media_fmt.patch |   19
-res/res_pjsip_transport_management.c                     |  400 ---------------
-10 files changed, 472 insertions(+), 408 deletions(-)</pre><br></html>

asterisk-14.7.8-summary.html

@@ -0,0 +1,20 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-14.7.8</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-14.7.8</h3><h3 align="center">Date: 2018-09-20</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
+<li><a href="#summary">Summary</a></li>
+<li><a href="#contributors">Contributors</a></li>
+<li><a href="#closed_issues">Closed Issues</a></li>
+<li><a href="#diffstat">Diffstat</a></li>
+</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
+<li><a href="http://downloads.asterisk.org/pub/security/AST-2018-009.html">AST-2018-009</a></li>
+</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-14.7.7.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
+<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
+<tr valign="top"><td width="33%">1 Sean Bright <sean.bright@gmail.com><br/></td><td width="33%"><td width="33%">1 Sean Bright <sean.bright@gmail.com><br/></td></tr>
+</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Security</h3><h4>Category: Resources/res_http_websocket</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-28013">ASTERISK-28013</a>: res_http_websocket: Crash when reading HTTP Upgrade requests<br/>Reported by: Sean Bright<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=31bde103516240cdc98cf7fa591ea16d6b6b677a">[31bde10351]</a> Sean Bright -- AST-2018-009: Fix crash processing websocket HTTP Upgrade requests</li>
+</ul><br><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>asterisk-14.7.7-summary.html   |   24 --------
+asterisk-14.7.7-summary.txt    |  107 -------------------------------------
+b/.version                     |    2
+b/ChangeLog                    |   27 ---------
+b/asterisk-14.7.6-summary.html |   31 ++++++++++
+b/asterisk-14.7.6-summary.txt  |  118 +++++++++++++++++++++++++++++++++++++++++
+b/res/res_http_websocket.c     |   23 ++++---
+7 files changed, 162 insertions(+), 170 deletions(-)</pre><br></html>

asterisk-14.7.8-summary.txt

@@ -1,8 +1,8 @@
                                 Release Summary
 
-                                asterisk-14.7.6
+                                asterisk-14.7.8
 
-                                Date: 2018-02-21
+                                Date: 2018-09-20
 
                            <asteriskteam@digium.com>
 
@@ -30,10 +30,10 @@
 
    Security Advisories:
 
-     * AST-2018-002,AST-2018-003,AST-2018-004,AST-2018-005
+     * AST-2018-009
 
    The data in this summary reflects changes that have been made since the
-   previous release, asterisk-14.7.5.
+   previous release, asterisk-14.7.7.
 
      ----------------------------------------------------------------------
 
@@ -51,9 +51,7 @@
    this release.
 
    Coders                   Testers                  Reporters                
-   3 George Joseph                                   6 Sandro Gauci           
-   2 Kevin Harwell                                   4 Sandro Gauci           
-   1 Joshua Colp            
+   1 Sean Bright                                     1 Sean Bright            
 
      ----------------------------------------------------------------------
 
@@ -66,35 +64,13 @@
 
   Security
 
-    Category: Channels/chan_pjsip
+    Category: Resources/res_http_websocket
 
-   ASTERISK-27583: Segmentation fault occurs in asterisk with an invalid SDP
-   fmtp attribute
-   Reported by: Sandro Gauci
-     * [4e9849c4bc] Kevin Harwell -- AST-2018-003: Crash with an invalid SDP
-       fmtp attribute
-   ASTERISK-27582: Segmentation fault occurs in Asterisk with an invalid SDP
-   media format description
-   Reported by: Sandro Gauci
-     * [37eb30e1d2] Kevin Harwell -- AST-2018-002: Crash with an invalid SDP
-       media format description
-   ASTERISK-27640: SUBSCRIBE message with a large Accept value causes stack
-   corruption
-   Reported by: Sandro Gauci
-     * [dd3e3153ea] Joshua Colp -- AST-2018-004: Restrict the number of
-       Accept headers in a SUBSCRIBE.
-
-    Category: pjproject/pjsip
-
-   ASTERISK-27618: Crash occurs when sending a repeated number of INVITE
-   messages over TCP or TLS transport
-   Reported by: Sandro Gauci
-     * [45db14178f] George Joseph -- AST-2018-005:
-       res_pjsip_transport_management: Move to core
-     * [de0b026c4d] George Joseph -- AST-2018-005: Fix tdata leaks when
-       calling pjsip_endpt_send_response(2)
-     * [b5657daf8b] George Joseph -- AST-2018-005: Add a check for NULL tdata
-       in ast_sip_failover_request
+   ASTERISK-28013: res_http_websocket: Crash when reading HTTP Upgrade
+   requests
+   Reported by: Sean Bright
+     * [31bde10351] Sean Bright -- AST-2018-009: Fix crash processing
+       websocket HTTP Upgrade requests
 
      ----------------------------------------------------------------------
 
@@ -105,14 +81,11 @@
    This is a summary of the changes to the source code that went into this
    release that was generated using the diffstat utility.
 
- b/CHANGES                                                |   11
- b/UPGRADE.txt                                            |    8
- b/res/res_pjsip.c                                        |   17
- b/res/res_pjsip/include/res_pjsip_private.h              |   28 +
- b/res/res_pjsip/pjsip_distributor.c                      |    8
- b/res/res_pjsip/pjsip_transport_management.c             |  376 ++++++++++++++
- b/res/res_pjsip_pubsub.c                                 |    5
- b/res/res_pjsip_session.c                                |    8
- b/third-party/pjproject/patches/0070-sdp_media_fmt.patch |   19
- res/res_pjsip_transport_management.c                     |  400 ---------------
- 10 files changed, 472 insertions(+), 408 deletions(-)
+ asterisk-14.7.7-summary.html   |   24 --------
+ asterisk-14.7.7-summary.txt    |  107 -------------------------------------
+ b/.version                     |    2
+ b/ChangeLog                    |   27 ---------
+ b/asterisk-14.7.6-summary.html |   31 ++++++++++
+ b/asterisk-14.7.6-summary.txt  |  118 +++++++++++++++++++++++++++++++++++++++++
+ b/res/res_http_websocket.c     |   23 ++++---
+ 7 files changed, 162 insertions(+), 170 deletions(-)

res/res_http_websocket.c

@@ -740,7 +740,8 @@ static void websocket_bad_request(struct ast_tcptls_session_instance *ser)
 int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *get_vars, struct ast_variable *headers)
 {
 	struct ast_variable *v;
-	char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL, *requested_protocols = NULL, *protocol = NULL;
+	const char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL;
+	char *requested_protocols = NULL, *protocol = NULL;
 	int version = 0, flags = 1;
 	struct ast_websocket_protocol *protocol_handler = NULL;
 	struct ast_websocket *session;
@@ -759,16 +760,15 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
 	/* Get the minimum headers required to satisfy our needs */
 	for (v = headers; v; v = v->next) {
 		if (!strcasecmp(v->name, "Upgrade")) {
-			upgrade = ast_strip(ast_strdupa(v->value));
+			upgrade = v->value;
 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key")) {
-			key = ast_strip(ast_strdupa(v->value));
+			key = v->value;
 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key1")) {
-			key1 = ast_strip(ast_strdupa(v->value));
+			key1 = v->value;
 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Key2")) {
-			key2 = ast_strip(ast_strdupa(v->value));
+			key2 = v->value;
 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Protocol")) {
-			requested_protocols = ast_strip(ast_strdupa(v->value));
-			protos = ast_strdupa(requested_protocols);
+			protos = v->value;
 		} else if (!strcasecmp(v->name, "Sec-WebSocket-Version")) {
 			if (sscanf(v->value, "%30d", &version) != 1) {
 				version = 0;
@@ -782,7 +782,7 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
 			ast_sockaddr_stringify(&ser->remote_address));
 		ast_http_error(ser, 426, "Upgrade Required", NULL);
 		return 0;
-	} else if (ast_strlen_zero(requested_protocols)) {
+	} else if (ast_strlen_zero(protos)) {
 		/* If there's only a single protocol registered, and the
 		 * client doesn't specify what protocol it's using, go ahead
 		 * and accept the connection */
@@ -803,9 +803,12 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan
 		return 0;
 	}
 
-	/* Iterate through the requested protocols trying to find one that we have a handler for */
-	while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) {
-		protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY);
+	if (!protocol_handler && protos) {
+		requested_protocols = ast_strdupa(protos);
+		/* Iterate through the requested protocols trying to find one that we have a handler for */
+		while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) {
+			protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY);
+		}
 	}
 
 	/* If no protocol handler exists bump this back to the requester */

res/res_pjsip/pjsip_distributor.c

@@ -676,6 +676,26 @@ static void check_endpoint(pjsip_rx_data *rdata, struct unidentified_request *un
 	ao2_unlock(unid);
 }
 
+static int apply_endpoint_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
+static int apply_endpoint_contact_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
+
+static void apply_acls(pjsip_rx_data *rdata)
+{
+	struct ast_sip_endpoint *endpoint;
+
+	/* Is the endpoint allowed with the source or contact address? */
+	endpoint = rdata->endpt_info.mod_data[endpoint_mod.id];
+	if (endpoint != artificial_endpoint
+		&& (apply_endpoint_acl(rdata, endpoint)
+			|| apply_endpoint_contact_acl(rdata, endpoint))) {
+		ast_debug(1, "Endpoint '%s' not allowed by ACL\n",
+			ast_sorcery_object_get_id(endpoint));
+
+		/* Replace the rdata endpoint with the artificial endpoint. */
+		ao2_replace(rdata->endpt_info.mod_data[endpoint_mod.id], artificial_endpoint);
+	}
+}
+
 static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
 {
 	struct ast_sip_endpoint *endpoint;
@@ -694,6 +714,7 @@ static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
 			ao2_unlink(unidentified_requests, unid);
 			ao2_ref(unid, -1);
 		}
+		apply_acls(rdata);
 		return PJ_FALSE;
 	}
 
@@ -753,6 +774,8 @@ static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
 			ast_sip_report_invalid_endpoint(name, rdata);
 		}
 	}
+
+	apply_acls(rdata);
 	return PJ_FALSE;
 }
 
@@ -836,16 +859,11 @@ static pj_bool_t authenticate(pjsip_rx_data *rdata)
 
 	ast_assert(endpoint != NULL);
 
-	if (endpoint!=artificial_endpoint) {
-		if (apply_endpoint_acl(rdata, endpoint) || apply_endpoint_contact_acl(rdata, endpoint)) {
-			if (!is_ack) {
-				pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
-			}
-			return PJ_TRUE;
-		}
+	if (is_ack) {
+		return PJ_FALSE;
 	}
 
-	if (!is_ack && ast_sip_requires_authentication(endpoint, rdata)) {
+	if (ast_sip_requires_authentication(endpoint, rdata)) {
 		pjsip_tx_data *tdata;
 		struct unidentified_request *unid;
 
@@ -881,6 +899,10 @@ static pj_bool_t authenticate(pjsip_rx_data *rdata)
 			return PJ_TRUE;
 		}
 		pjsip_tx_data_dec_ref(tdata);
+	} else if (endpoint == artificial_endpoint) {
+		/* Uh. Oh.  The artificial endpoint couldn't challenge so block the request. */
+		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);
+		return PJ_TRUE;
 	}
 
 	return PJ_FALSE;