Update for 15.2.2

In ast_websocket_read() we were not adequately checking that the
payload_len was non-zero before passing it to ws_safe_read(). Calling
ws_safe_read with a len argument of 0 will result in a busy loop until
the underlying socket is closed.

ASTERISK-27658 #close

Change-Id: I9d59f83bc563f711df1a6197c57de473f6b0663a

.lastclean

@@ -0,0 +1 @@
+40

.version

@@ -0,0 +1 @@
+15.2.2

CHANGES

@@ -8,6 +8,17 @@
 ===
 ==============================================================================
 
+------------------------------------------------------------------------------
+--- Functionality changes from Asterisk 15.2.1 to Asterisk 15.2.2 ------------
+------------------------------------------------------------------------------
+
+res_pjsip_transport_management
+------------------
+ * Since res_pjsip_transport_management provides several attack
+   mitigation features, its functionality moved to res_pjsip and
+   this module has been removed.  This way the features will always
+   be available if res_pjsip is loaded.
+
 ------------------------------------------------------------------------------
 --- Functionality changes from Asterisk 15.1.0 to Asterisk 15.2.0 ------------
 ------------------------------------------------------------------------------

UPGRADE.txt

@@ -23,6 +23,14 @@
 === UPGRADE-14.txt  -- Upgrade info for 13 to 14
 ===========================================================
 
+From 15.2.1 to 15.2.2:
+
+res_pjsip_transport_management:
+ - Since res_pjsip_transport_management provides several attack
+   mitigation features, its functionality moved to res_pjsip and
+   this module has been removed.  This way the features will always
+   be available if res_pjsip is loaded.
+
 New in 15.0.0:
 
 Build System:

asterisk-15.2.2-summary.html

@@ -0,0 +1,39 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-15.2.2</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-15.2.2</h3><h3 align="center">Date: 2018-02-21</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
+<li><a href="#summary">Summary</a></li>
+<li><a href="#contributors">Contributors</a></li>
+<li><a href="#closed_issues">Closed Issues</a></li>
+<li><a href="#diffstat">Diffstat</a></li>
+</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
+<li><a href="http://downloads.asterisk.org/pub/security/AST-2018-001,AST-2018-002,AST-2018-003,AST-2018-004,AST-2018-005,AST-2018-006.html">AST-2018-001,AST-2018-002,AST-2018-003,AST-2018-004,AST-2018-005,AST-2018-006</a></li>
+</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-15.2.1.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
+<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
+<tr valign="top"><td width="33%">3 George Joseph <gjoseph@digium.com><br/>2 Kevin Harwell <kharwell@digium.com><br/>2 Joshua Colp <jcolp@digium.com><br/>1 Sean Bright <sean.bright@gmail.com><br/></td><td width="33%"><td width="33%">6 Sandro Gauci <sandro@enablesecurity.com><br/>4 Sandro Gauci<br/>1 Sébastien Duthil <sduthil@wazo.community><br/>1 Sean Bright <sean.bright@gmail.com><br/></td></tr>
+</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Security</h3><h4>Category: Channels/chan_pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27583">ASTERISK-27583</a>: Segmentation fault occurs in asterisk with an invalid SDP fmtp attribute<br/>Reported by: Sandro Gauci<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=160513fee93b01b9bd8f8993b37e39571e679456">[160513fee9]</a> Kevin Harwell -- AST-2018-003: Crash with an invalid SDP fmtp attribute</li>
+</ul><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27582">ASTERISK-27582</a>: Segmentation fault occurs in Asterisk with an invalid SDP media format description<br/>Reported by: Sandro Gauci<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=73bf38ceb910dd23a0b6adccfca871019a7dc7fe">[73bf38ceb9]</a> Kevin Harwell -- AST-2018-002: Crash with an invalid SDP media format description</li>
+</ul><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27640">ASTERISK-27640</a>: SUBSCRIBE message with a large Accept value causes stack corruption<br/>Reported by: Sandro Gauci<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=3f3fff56b877835912713676e4941a3a75ddf665">[3f3fff56b8]</a> Joshua Colp -- AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.</li>
+</ul><br><h4>Category: Resources/res_http_websocket</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27658">ASTERISK-27658</a>: WebSocket frames with 0 sized payload causes DoS<br/>Reported by: Sean Bright<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=f26c5a2ea01b297932c7ebc9b6aa91bea68c743b">[f26c5a2ea0]</a> Sean Bright -- AST-2018-006: Properly handle WebSocket frames with 0 length payload.</li>
+</ul><br><h4>Category: pjproject/pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27618">ASTERISK-27618</a>: Crash occurs when sending a repeated number of INVITE messages over TCP or TLS transport<br/>Reported by: Sandro Gauci<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=77f0e6558cc0fcff4312e49201b00f6348fdeb8a">[77f0e6558c]</a> George Joseph -- AST-2018-005: res_pjsip_transport_management:  Move to core</li>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=6c51a8dfce341b2ead3688495bd315f7356acdf2">[6c51a8dfce]</a> George Joseph -- AST-2018-005: Fix tdata leaks when calling pjsip_endpt_send_response(2)</li>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=c16935f470956a67ca2f2f939d1e2bcd9808aaf7">[c16935f470]</a> George Joseph -- AST-2018-005: Add a check for NULL tdata in ast_sip_failover_request</li>
+</ul><br><h3>Bug</h3><h4>Category: Core/Streams</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27488">ASTERISK-27488</a>: core: If frame with unnegotiated format is read crash will occur<br/>Reported by: Sébastien Duthil<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=32f1b69aa49ac19af2c6f0c2989daa0c2ca8a4c9">[32f1b69aa4]</a> Joshua Colp -- AST-2018-001: rtp / channel: Don't allow an unnegotiated format to be passed up.</li>
+</ul><br><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>b/CHANGES                                                |   11
+b/UPGRADE.txt                                            |    8
+b/main/channel.c                                         |   19
+b/main/rtp_engine.c                                      |    2
+b/res/res_http_websocket.c                               |   16
+b/res/res_pjsip.c                                        |   17
+b/res/res_pjsip/include/res_pjsip_private.h              |   28 +
+b/res/res_pjsip/pjsip_distributor.c                      |    8
+b/res/res_pjsip/pjsip_transport_management.c             |  376 ++++++++++++++
+b/res/res_pjsip_pubsub.c                                 |    5
+b/res/res_pjsip_session.c                                |    8
+b/third-party/pjproject/patches/0070-sdp_media_fmt.patch |   19
+b/third-party/pjproject/patches/0071-sdp_fmtp_attr.patch |   15
+res/res_pjsip_transport_management.c                     |  400 ---------------
+14 files changed, 518 insertions(+), 414 deletions(-)</pre><br></html>

asterisk-15.2.2-summary.txt

@@ -0,0 +1,140 @@
+                                Release Summary
+
+                                asterisk-15.2.2
+
+                                Date: 2018-02-21
+
+                           <asteriskteam@digium.com>
+
+     ----------------------------------------------------------------------
+
+                               Table of Contents
+
+    1. Summary
+    2. Contributors
+    3. Closed Issues
+    4. Diffstat
+
+     ----------------------------------------------------------------------
+
+                                    Summary
+
+                                 [Back to Top]
+
+   This release has been made to address one or more security vulnerabilities
+   that have been identified. A security advisory document has been published
+   for each vulnerability that includes additional information. Users of
+   versions of Asterisk that are affected are strongly encouraged to review
+   the advisories and determine what action they should take to protect their
+   systems from these issues.
+
+   Security Advisories:
+
+     * AST-2018-001,AST-2018-002,AST-2018-003,AST-2018-004,AST-2018-005,AST-2018-006
+
+   The data in this summary reflects changes that have been made since the
+   previous release, asterisk-15.2.1.
+
+     ----------------------------------------------------------------------
+
+                                  Contributors
+
+                                 [Back to Top]
+
+   This table lists the people who have submitted code, those that have
+   tested patches, as well as those that reported issues on the issue tracker
+   that were resolved in this release. For coders, the number is how many of
+   their patches (of any size) were committed into this release. For testers,
+   the number is the number of times their name was listed as assisting with
+   testing a patch. Finally, for reporters, the number is the number of
+   issues that they reported that were affected by commits that went into
+   this release.
+
+   Coders                   Testers                  Reporters                
+   3 George Joseph                                   6 Sandro Gauci           
+   2 Kevin Harwell                                   4 Sandro Gauci           
+   2 Joshua Colp                                     1 SA(c)bastien Duthil    
+   1 Sean Bright                                     1 Sean Bright            
+
+     ----------------------------------------------------------------------
+
+                                 Closed Issues
+
+                                 [Back to Top]
+
+   This is a list of all issues from the issue tracker that were closed by
+   changes that went into this release.
+
+  Security
+
+    Category: Channels/chan_pjsip
+
+   ASTERISK-27583: Segmentation fault occurs in asterisk with an invalid SDP
+   fmtp attribute
+   Reported by: Sandro Gauci
+     * [160513fee9] Kevin Harwell -- AST-2018-003: Crash with an invalid SDP
+       fmtp attribute
+   ASTERISK-27582: Segmentation fault occurs in Asterisk with an invalid SDP
+   media format description
+   Reported by: Sandro Gauci
+     * [73bf38ceb9] Kevin Harwell -- AST-2018-002: Crash with an invalid SDP
+       media format description
+   ASTERISK-27640: SUBSCRIBE message with a large Accept value causes stack
+   corruption
+   Reported by: Sandro Gauci
+     * [3f3fff56b8] Joshua Colp -- AST-2018-004: Restrict the number of
+       Accept headers in a SUBSCRIBE.
+
+    Category: Resources/res_http_websocket
+
+   ASTERISK-27658: WebSocket frames with 0 sized payload causes DoS
+   Reported by: Sean Bright
+     * [f26c5a2ea0] Sean Bright -- AST-2018-006: Properly handle WebSocket
+       frames with 0 length payload.
+
+    Category: pjproject/pjsip
+
+   ASTERISK-27618: Crash occurs when sending a repeated number of INVITE
+   messages over TCP or TLS transport
+   Reported by: Sandro Gauci
+     * [77f0e6558c] George Joseph -- AST-2018-005:
+       res_pjsip_transport_management: Move to core
+     * [6c51a8dfce] George Joseph -- AST-2018-005: Fix tdata leaks when
+       calling pjsip_endpt_send_response(2)
+     * [c16935f470] George Joseph -- AST-2018-005: Add a check for NULL tdata
+       in ast_sip_failover_request
+
+  Bug
+
+    Category: Core/Streams
+
+   ASTERISK-27488: core: If frame with unnegotiated format is read crash will
+   occur
+   Reported by: SA(c)bastien Duthil
+     * [32f1b69aa4] Joshua Colp -- AST-2018-001: rtp / channel: Don't allow
+       an unnegotiated format to be passed up.
+
+     ----------------------------------------------------------------------
+
+                                Diffstat Results
+
+                                 [Back to Top]
+
+   This is a summary of the changes to the source code that went into this
+   release that was generated using the diffstat utility.
+
+ b/CHANGES                                                |   11
+ b/UPGRADE.txt                                            |    8
+ b/main/channel.c                                         |   19
+ b/main/rtp_engine.c                                      |    2
+ b/res/res_http_websocket.c                               |   16
+ b/res/res_pjsip.c                                        |   17
+ b/res/res_pjsip/include/res_pjsip_private.h              |   28 +
+ b/res/res_pjsip/pjsip_distributor.c                      |    8
+ b/res/res_pjsip/pjsip_transport_management.c             |  376 ++++++++++++++
+ b/res/res_pjsip_pubsub.c                                 |    5
+ b/res/res_pjsip_session.c                                |    8
+ b/third-party/pjproject/patches/0070-sdp_media_fmt.patch |   19
+ b/third-party/pjproject/patches/0071-sdp_fmtp_attr.patch |   15
+ res/res_pjsip_transport_management.c                     |  400 ---------------
+ 14 files changed, 518 insertions(+), 414 deletions(-)

codecs/codecs.xml

@@ -3,7 +3,6 @@
 	<depend>xmlstarlet</depend>
 	<depend>bash</depend>
 	<depend>res_format_attr_opus</depend>
-	<depend>curl</depend>
 	<defaultenabled>no</defaultenabled>
 </member>
 <member name="codec_silk" displayname="Download the SILK codec from Digium.  See http://downloads.digium.com/pub/telephony/codec_silk/README.">

contrib/realtime/mssql/mssql_cdr.sql

@@ -0,0 +1,58 @@
+BEGIN TRANSACTION;
+
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+GO
+
+-- Running upgrade  -> 210693f3123d
+
+CREATE TABLE cdr (
+    accountcode VARCHAR(20) NULL, 
+    src VARCHAR(80) NULL, 
+    dst VARCHAR(80) NULL, 
+    dcontext VARCHAR(80) NULL, 
+    clid VARCHAR(80) NULL, 
+    channel VARCHAR(80) NULL, 
+    dstchannel VARCHAR(80) NULL, 
+    lastapp VARCHAR(80) NULL, 
+    lastdata VARCHAR(80) NULL, 
+    start DATETIME NULL, 
+    answer DATETIME NULL, 
+    [end] DATETIME NULL, 
+    duration INTEGER NULL, 
+    billsec INTEGER NULL, 
+    disposition VARCHAR(45) NULL, 
+    amaflags VARCHAR(45) NULL, 
+    userfield VARCHAR(256) NULL, 
+    uniqueid VARCHAR(150) NULL, 
+    linkedid VARCHAR(150) NULL, 
+    peeraccount VARCHAR(20) NULL, 
+    sequence INTEGER NULL
+);
+
+GO
+
+INSERT INTO alembic_version (version_num) VALUES ('210693f3123d');
+
+GO
+
+-- Running upgrade 210693f3123d -> 54cde9847798
+
+ALTER TABLE cdr ALTER COLUMN accountcode VARCHAR(80);
+
+GO
+
+ALTER TABLE cdr ALTER COLUMN peeraccount VARCHAR(80);
+
+GO
+
+UPDATE alembic_version SET version_num='54cde9847798' WHERE alembic_version.version_num = '210693f3123d';
+
+GO
+
+COMMIT;
+
+GO
+

contrib/realtime/mssql/mssql_voicemail.sql

@@ -0,0 +1,54 @@
+BEGIN TRANSACTION;
+
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+GO
+
+-- Running upgrade  -> a2e9769475e
+
+CREATE TABLE voicemail_messages (
+    dir VARCHAR(255) NOT NULL, 
+    msgnum INTEGER NOT NULL, 
+    context VARCHAR(80) NULL, 
+    macrocontext VARCHAR(80) NULL, 
+    callerid VARCHAR(80) NULL, 
+    origtime INTEGER NULL, 
+    duration INTEGER NULL, 
+    recording IMAGE NULL, 
+    flag VARCHAR(30) NULL, 
+    category VARCHAR(30) NULL, 
+    mailboxuser VARCHAR(30) NULL, 
+    mailboxcontext VARCHAR(30) NULL, 
+    msg_id VARCHAR(40) NULL
+);
+
+GO
+
+ALTER TABLE voicemail_messages ADD CONSTRAINT voicemail_messages_dir_msgnum PRIMARY KEY (dir, msgnum);
+
+GO
+
+CREATE INDEX voicemail_messages_dir ON voicemail_messages (dir);
+
+GO
+
+INSERT INTO alembic_version (version_num) VALUES ('a2e9769475e');
+
+GO
+
+-- Running upgrade a2e9769475e -> 39428242f7f5
+
+ALTER TABLE voicemail_messages ALTER COLUMN recording IMAGE;
+
+GO
+
+UPDATE alembic_version SET version_num='39428242f7f5' WHERE alembic_version.version_num = 'a2e9769475e';
+
+GO
+
+COMMIT;
+
+GO
+

contrib/realtime/mysql/mysql_cdr.sql

@@ -0,0 +1,40 @@
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+-- Running upgrade  -> 210693f3123d
+
+CREATE TABLE cdr (
+    accountcode VARCHAR(20), 
+    src VARCHAR(80), 
+    dst VARCHAR(80), 
+    dcontext VARCHAR(80), 
+    clid VARCHAR(80), 
+    channel VARCHAR(80), 
+    dstchannel VARCHAR(80), 
+    lastapp VARCHAR(80), 
+    lastdata VARCHAR(80), 
+    start DATETIME, 
+    answer DATETIME, 
+    end DATETIME, 
+    duration INTEGER, 
+    billsec INTEGER, 
+    disposition VARCHAR(45), 
+    amaflags VARCHAR(45), 
+    userfield VARCHAR(256), 
+    uniqueid VARCHAR(150), 
+    linkedid VARCHAR(150), 
+    peeraccount VARCHAR(20), 
+    sequence INTEGER
+);
+
+INSERT INTO alembic_version (version_num) VALUES ('210693f3123d');
+
+-- Running upgrade 210693f3123d -> 54cde9847798
+
+ALTER TABLE cdr MODIFY accountcode VARCHAR(80) NULL;
+
+ALTER TABLE cdr MODIFY peeraccount VARCHAR(80) NULL;
+
+UPDATE alembic_version SET version_num='54cde9847798' WHERE alembic_version.version_num = '210693f3123d';
+

contrib/realtime/mysql/mysql_voicemail.sql

@@ -0,0 +1,34 @@
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+-- Running upgrade  -> a2e9769475e
+
+CREATE TABLE voicemail_messages (
+    dir VARCHAR(255) NOT NULL, 
+    msgnum INTEGER NOT NULL, 
+    context VARCHAR(80), 
+    macrocontext VARCHAR(80), 
+    callerid VARCHAR(80), 
+    origtime INTEGER, 
+    duration INTEGER, 
+    recording BLOB, 
+    flag VARCHAR(30), 
+    category VARCHAR(30), 
+    mailboxuser VARCHAR(30), 
+    mailboxcontext VARCHAR(30), 
+    msg_id VARCHAR(40)
+);
+
+ALTER TABLE voicemail_messages ADD CONSTRAINT voicemail_messages_dir_msgnum PRIMARY KEY (dir, msgnum);
+
+CREATE INDEX voicemail_messages_dir ON voicemail_messages (dir);
+
+INSERT INTO alembic_version (version_num) VALUES ('a2e9769475e');
+
+-- Running upgrade a2e9769475e -> 39428242f7f5
+
+ALTER TABLE voicemail_messages MODIFY recording BLOB(4294967295) NULL;
+
+UPDATE alembic_version SET version_num='39428242f7f5' WHERE alembic_version.version_num = 'a2e9769475e';
+

contrib/realtime/oracle/oracle_cdr.sql

@@ -0,0 +1,52 @@
+CREATE TABLE alembic_version (
+    version_num VARCHAR2(32 CHAR) NOT NULL
+)
+
+/
+
+-- Running upgrade  -> 210693f3123d
+
+CREATE TABLE cdr (
+    accountcode VARCHAR2(20 CHAR), 
+    src VARCHAR2(80 CHAR), 
+    dst VARCHAR2(80 CHAR), 
+    dcontext VARCHAR2(80 CHAR), 
+    clid VARCHAR2(80 CHAR), 
+    channel VARCHAR2(80 CHAR), 
+    dstchannel VARCHAR2(80 CHAR), 
+    lastapp VARCHAR2(80 CHAR), 
+    lastdata VARCHAR2(80 CHAR), 
+    "start" DATE, 
+    answer DATE, 
+    end DATE, 
+    duration INTEGER, 
+    billsec INTEGER, 
+    disposition VARCHAR2(45 CHAR), 
+    amaflags VARCHAR2(45 CHAR), 
+    userfield VARCHAR2(256 CHAR), 
+    uniqueid VARCHAR2(150 CHAR), 
+    linkedid VARCHAR2(150 CHAR), 
+    peeraccount VARCHAR2(20 CHAR), 
+    sequence INTEGER
+)
+
+/
+
+INSERT INTO alembic_version (version_num) VALUES ('210693f3123d')
+
+/
+
+-- Running upgrade 210693f3123d -> 54cde9847798
+
+ALTER TABLE cdr MODIFY accountcode VARCHAR2(80 CHAR)
+
+/
+
+ALTER TABLE cdr MODIFY peeraccount VARCHAR2(80 CHAR)
+
+/
+
+UPDATE alembic_version SET version_num='54cde9847798' WHERE alembic_version.version_num = '210693f3123d'
+
+/
+

contrib/realtime/oracle/oracle_voicemail.sql

@@ -0,0 +1,48 @@
+CREATE TABLE alembic_version (
+    version_num VARCHAR2(32 CHAR) NOT NULL
+)
+
+/
+
+-- Running upgrade  -> a2e9769475e
+
+CREATE TABLE voicemail_messages (
+    dir VARCHAR2(255 CHAR) NOT NULL, 
+    msgnum INTEGER NOT NULL, 
+    context VARCHAR2(80 CHAR), 
+    macrocontext VARCHAR2(80 CHAR), 
+    callerid VARCHAR2(80 CHAR), 
+    origtime INTEGER, 
+    duration INTEGER, 
+    recording BLOB, 
+    flag VARCHAR2(30 CHAR), 
+    category VARCHAR2(30 CHAR), 
+    mailboxuser VARCHAR2(30 CHAR), 
+    mailboxcontext VARCHAR2(30 CHAR), 
+    msg_id VARCHAR2(40 CHAR)
+)
+
+/
+
+ALTER TABLE voicemail_messages ADD CONSTRAINT voicemail_messages_dir_msgnum PRIMARY KEY (dir, msgnum)
+
+/
+
+CREATE INDEX voicemail_messages_dir ON voicemail_messages (dir)
+
+/
+
+INSERT INTO alembic_version (version_num) VALUES ('a2e9769475e')
+
+/
+
+-- Running upgrade a2e9769475e -> 39428242f7f5
+
+ALTER TABLE voicemail_messages MODIFY recording BLOB
+
+/
+
+UPDATE alembic_version SET version_num='39428242f7f5' WHERE alembic_version.version_num = 'a2e9769475e'
+
+/
+

contrib/realtime/postgresql/postgresql_cdr.sql

@@ -0,0 +1,44 @@
+BEGIN;
+
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+-- Running upgrade  -> 210693f3123d
+
+CREATE TABLE cdr (
+    accountcode VARCHAR(20), 
+    src VARCHAR(80), 
+    dst VARCHAR(80), 
+    dcontext VARCHAR(80), 
+    clid VARCHAR(80), 
+    channel VARCHAR(80), 
+    dstchannel VARCHAR(80), 
+    lastapp VARCHAR(80), 
+    lastdata VARCHAR(80), 
+    start TIMESTAMP WITHOUT TIME ZONE, 
+    answer TIMESTAMP WITHOUT TIME ZONE, 
+    "end" TIMESTAMP WITHOUT TIME ZONE, 
+    duration INTEGER, 
+    billsec INTEGER, 
+    disposition VARCHAR(45), 
+    amaflags VARCHAR(45), 
+    userfield VARCHAR(256), 
+    uniqueid VARCHAR(150), 
+    linkedid VARCHAR(150), 
+    peeraccount VARCHAR(20), 
+    sequence INTEGER
+);
+
+INSERT INTO alembic_version (version_num) VALUES ('210693f3123d');
+
+-- Running upgrade 210693f3123d -> 54cde9847798
+
+ALTER TABLE cdr ALTER COLUMN accountcode TYPE VARCHAR(80);
+
+ALTER TABLE cdr ALTER COLUMN peeraccount TYPE VARCHAR(80);
+
+UPDATE alembic_version SET version_num='54cde9847798' WHERE alembic_version.version_num = '210693f3123d';
+
+COMMIT;
+

contrib/realtime/postgresql/postgresql_voicemail.sql

@@ -0,0 +1,38 @@
+BEGIN;
+
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+-- Running upgrade  -> a2e9769475e
+
+CREATE TABLE voicemail_messages (
+    dir VARCHAR(255) NOT NULL, 
+    msgnum INTEGER NOT NULL, 
+    context VARCHAR(80), 
+    macrocontext VARCHAR(80), 
+    callerid VARCHAR(80), 
+    origtime INTEGER, 
+    duration INTEGER, 
+    recording BYTEA, 
+    flag VARCHAR(30), 
+    category VARCHAR(30), 
+    mailboxuser VARCHAR(30), 
+    mailboxcontext VARCHAR(30), 
+    msg_id VARCHAR(40)
+);
+
+ALTER TABLE voicemail_messages ADD CONSTRAINT voicemail_messages_dir_msgnum PRIMARY KEY (dir, msgnum);
+
+CREATE INDEX voicemail_messages_dir ON voicemail_messages (dir);
+
+INSERT INTO alembic_version (version_num) VALUES ('a2e9769475e');
+
+-- Running upgrade a2e9769475e -> 39428242f7f5
+
+ALTER TABLE voicemail_messages ALTER COLUMN recording TYPE BYTEA;
+
+UPDATE alembic_version SET version_num='39428242f7f5' WHERE alembic_version.version_num = 'a2e9769475e';
+
+COMMIT;
+

main/cdr.c

@@ -371,7 +371,7 @@ static ast_cond_t cdr_pending_cond;
 /*! \brief A container of the active master CDRs indexed by Party A channel uniqueid */
 static struct ao2_container *active_cdrs_master;
 
-/*! \brief A container of all active CDRs indexed by Party B channel name */
+/*! \brief A container of all active CDRs with a Party B indexed by Party B channel name */
 static struct ao2_container *active_cdrs_all;
 
 /*! \brief Message router for stasis messages regarding channel state */
@@ -971,13 +971,21 @@ static void cdr_all_unlink(struct cdr_object *cdr)
 
 	ast_assert(cdr->is_root);
 
+	/* Hold a ref to the root CDR to ensure the list members don't go away on us. */
+	ao2_ref(cdr, +1);
 	ao2_lock(active_cdrs_all);
-	for (cur = cdr->next; cur; cur = next) {
+	for (cur = cdr; cur; cur = next) {
 		next = cur->next;
 		ao2_unlink_flags(active_cdrs_all, cur, OBJ_NOLOCK);
+		/*
+		 * It is safe to still use cur after unlinking because the
+		 * root CDR holds a ref to all the CDRs in the list and we
+		 * have a ref to the root CDR.
+		 */
 		ast_string_field_set(cur, party_b_name, "");
 	}
 	ao2_unlock(active_cdrs_all);
+	ao2_ref(cdr, -1);
 }
 
 /*!

main/channel.c

@@ -3667,7 +3667,17 @@ static struct ast_frame *__ast_read(struct ast_channel *chan, int dropaudio, int
 				 * originated from and update the frame to include it.
 				 */
 				stream = default_stream = ast_channel_get_default_stream(chan, ast_format_get_type(f->subclass.format));
-				f->stream_num = ast_stream_get_position(stream);
+				/* In order to allow media to be passed up the underlying media type has to have a format negotiated on
+				 * the channel itself. In cases where this hasn't happened the channel driver is incorrectly passing up
+				 * a frame for a format that has not been negotiated. If this occurs just drop the frame as we have no
+				 * stream that it came from.
+				 */
+				if (!stream) {
+					ast_frfree(f);
+					f = &ast_null_frame;
+				} else {
+					f->stream_num = ast_stream_get_position(stream);
+				}
 			}
 		}
 	} else {
@@ -3700,7 +3710,12 @@ static struct ast_frame *__ast_read(struct ast_channel *chan, int dropaudio, int
 			 */
 			if (f && (f->frametype == AST_FRAME_VOICE || f->frametype == AST_FRAME_VIDEO)) {
 				stream = default_stream = ast_channel_get_default_stream(chan, ast_format_get_type(f->subclass.format));
-				f->stream_num = ast_stream_get_position(stream);
+				if (!stream) {
+					ast_frfree(f);
+					f = &ast_null_frame;
+				} else {
+					f->stream_num = ast_stream_get_position(stream);
+				}
 			}
 		}
 		else

main/loader.c

@@ -198,7 +198,7 @@ static AST_DLLIST_HEAD_STATIC(reload_queue, reload_queue_item);
  *
  * This is protected by the module_list lock.
  */
-static struct ast_module *resource_being_loaded;
+static struct ast_module * volatile resource_being_loaded;
 
 /*!
  * \internal

main/rtp_engine.c

@@ -1210,7 +1210,7 @@ struct ast_rtp_payload_type *ast_rtp_codecs_get_payload(struct ast_rtp_codecs *c
 	}
 	ast_rwlock_unlock(&codecs->codecs_lock);
 
-	if (!type) {
+	if (!type && payload <= AST_RTP_PT_LAST_STATIC) {
 		ast_rwlock_rdlock(&static_RTP_PT_lock);
 		type = ao2_bump(static_RTP_PT[payload]);
 		ast_rwlock_unlock(&static_RTP_PT_lock);

main/translate.c

@@ -32,7 +32,6 @@
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <math.h>
-#include <stdlib.h>
 
 #include "asterisk/lock.h"
 #include "asterisk/channel.h"
@@ -1331,6 +1330,13 @@ void ast_translator_deactivate(struct ast_translator *t)
 	AST_RWLIST_UNLOCK(&translators);
 }
 
+/*! Calculate the absolute difference between sample rate of two formats. */
+#define format_sample_rate_absdiff(fmt1, fmt2) ({ \
+	unsigned int rate1 = ast_format_get_sample_rate(fmt1); \
+	unsigned int rate2 = ast_format_get_sample_rate(fmt2); \
+	(rate1 > rate2 ? rate1 - rate2 : rate2 - rate1); \
+})
+
 /*! \brief Calculate our best translator source format, given costs, and a desired destination */
 int ast_translator_best_choice(struct ast_format_cap *dst_cap,
 	struct ast_format_cap *src_cap,
@@ -1415,10 +1421,8 @@ int ast_translator_best_choice(struct ast_format_cap *dst_cap,
 				beststeps = matrix_get(x, y)->multistep;
 			} else if (matrix_get(x, y)->table_cost == besttablecost
 					&& matrix_get(x, y)->multistep == beststeps) {
-				int gap_selected = abs(ast_format_get_sample_rate(best)
-					- ast_format_get_sample_rate(bestdst));
-				int gap_current = abs(ast_format_get_sample_rate(src)
-					- ast_format_get_sample_rate(dst));
+				unsigned int gap_selected = format_sample_rate_absdiff(best, bestdst);
+				unsigned int gap_current = format_sample_rate_absdiff(src, dst);
 
 				if (gap_current < gap_selected) {
 					/* better than what we have so far */

res/res_http_websocket.c

@@ -494,13 +494,20 @@ const char * AST_OPTIONAL_API_NAME(ast_websocket_session_id)(struct ast_websocke
  * Note during the header parsing stage we try to read in small chunks just what we need, this
  * is buffered data anyways, no expensive syscall required most of the time ...
  */
-static inline int ws_safe_read(struct ast_websocket *session, char *buf, int len, enum ast_websocket_opcode *opcode)
+static inline int ws_safe_read(struct ast_websocket *session, char *buf, size_t len, enum ast_websocket_opcode *opcode)
 {
 	ssize_t rlen;
 	int xlen = len;
 	char *rbuf = buf;
 	int sanity = 10;
 
+	ast_assert(len > 0);
+
+	if (!len) {
+		errno = EINVAL;
+		return -1;
+	}
+
 	ao2_lock(session);
 	if (!session->stream) {
 		ao2_unlock(session);
@@ -614,9 +621,12 @@ int AST_OPTIONAL_API_NAME(ast_websocket_read)(struct ast_websocket *session, cha
 			return -1;
 		}
 
-		if (ws_safe_read(session, *payload, *payload_len, opcode)) {
-			return -1;
+		if (*payload_len) {
+			if (ws_safe_read(session, *payload, *payload_len, opcode)) {
+				return -1;
+			}
 		}
+
 		/* If a mask is present unmask the payload */
 		if (mask_present) {
 			unsigned int pos;

res/res_pjsip.c

@@ -3290,7 +3290,7 @@ pjsip_dialog *ast_sip_create_dialog_uas(const struct ast_sip_endpoint *endpoint,
 	ast_assert(status != NULL);
 
 	contact_hdr = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_CONTACT, NULL);
-	if (ast_sip_set_tpselector_from_ep_or_uri(endpoint, pjsip_uri_get_uri(contact_hdr->uri),
+	if (!contact_hdr || ast_sip_set_tpselector_from_ep_or_uri(endpoint, pjsip_uri_get_uri(contact_hdr->uri),
 		&selector)) {
 		return NULL;
 	}
@@ -3953,7 +3953,8 @@ int ast_sip_failover_request(pjsip_tx_data *tdata)
 {
 	pjsip_via_hdr *via;
 
-	if (!tdata->dest_info.addr.count || (tdata->dest_info.cur_addr == tdata->dest_info.addr.count - 1)) {
+	if (!tdata || !tdata->dest_info.addr.count
+		|| (tdata->dest_info.cur_addr == tdata->dest_info.addr.count - 1)) {
 		/* No more addresses to try */
 		return 0;
 	}
@@ -4501,9 +4502,15 @@ static void supplement_outgoing_response(pjsip_tx_data *tdata, struct ast_sip_en
 
 int ast_sip_send_response(pjsip_response_addr *res_addr, pjsip_tx_data *tdata, struct ast_sip_endpoint *sip_endpoint)
 {
-	supplement_outgoing_response(tdata, sip_endpoint);
+	pj_status_t status;
 
-	return pjsip_endpt_send_response(ast_sip_get_pjsip_endpoint(), res_addr, tdata, NULL, NULL);
+	supplement_outgoing_response(tdata, sip_endpoint);
+	status = pjsip_endpt_send_response(ast_sip_get_pjsip_endpoint(), res_addr, tdata, NULL, NULL);
+	if (status != PJ_SUCCESS) {
+		pjsip_tx_data_dec_ref(tdata);
+	}
+
+	return status == PJ_SUCCESS ? 0 : -1;
 }
 
 int ast_sip_send_stateful_response(pjsip_rx_data *rdata, pjsip_tx_data *tdata, struct ast_sip_endpoint *sip_endpoint)
@@ -4745,6 +4752,7 @@ static int unload_pjsip(void *data)
 		ast_res_pjsip_cleanup_options_handling();
 		ast_res_pjsip_cleanup_message_filter();
 		ast_sip_destroy_distributor();
+		ast_sip_destroy_transport_management();
 		ast_res_pjsip_destroy_configuration();
 		ast_sip_destroy_system();
 		ast_sip_destroy_global_headers();
@@ -4910,6 +4918,11 @@ static int load_module(void)
 	ast_sip_initialize_resolver();
 	ast_sip_initialize_dns();
 
+	if (ast_sip_initialize_transport_management()) {
+		ast_log(LOG_ERROR, "Failed to initialize SIP transport management. Aborting load\n");
+		goto error;
+	}
+
 	if (ast_sip_initialize_distributor()) {
 		ast_log(LOG_ERROR, "Failed to register distributor module. Aborting load\n");
 		goto error;

res/res_pjsip/include/res_pjsip_private.h

@@ -395,4 +395,32 @@ int ast_sip_initialize_scheduler(void);
  */
 int ast_sip_destroy_scheduler(void);
 
+/*!
+ * \internal
+ * \brief Initialize the transport management module
+ * \since 13.20.0
+ *
+ * The transport management module is responsible for 3 things...
+ * 1.  It automatically destroys any reliable transport that does not
+ * receive a valid request within system/timer_b milliseconds of the
+ * connection being opened. (Attack mitigation)
+ * 2.  Since it increments the reliable transport's reference count
+ * for that period of time, it also prevents issues if the transport
+ * disconnects while we're still trying to process a response.
+ *  (Attack mitigation)
+ * 3.  If enabled by global/keep_alive_interval, it sends '\r\n'
+ * keepalives on reliable transports at the interval specified.
+ *
+ * \retval -1 Failure
+ * \retval 0 Success
+ */
+int ast_sip_initialize_transport_management(void);
+
+/*!
+ * \internal
+ * \brief Destruct the transport management module.
+ * \since 13.20.0
+ */
+void ast_sip_destroy_transport_management(void);
+
 #endif /* RES_PJSIP_PRIVATE_H_ */

res/res_pjsip/pjsip_distributor.c

@@ -854,7 +854,9 @@ static pj_bool_t authenticate(pjsip_rx_data *rdata)
 		case AST_SIP_AUTHENTICATION_CHALLENGE:
 			/* Send the 401 we created for them */
 			ast_sip_report_auth_challenge_sent(endpoint, rdata, tdata);
-			pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL);
+			if (pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL) != PJ_SUCCESS) {
+				pjsip_tx_data_dec_ref(tdata);
+			}
 			return PJ_TRUE;
 		case AST_SIP_AUTHENTICATION_SUCCESS:
 			/* See note in endpoint_lookup about not holding an unnecessary write lock */
@@ -867,7 +869,9 @@ static pj_bool_t authenticate(pjsip_rx_data *rdata)
 		case AST_SIP_AUTHENTICATION_FAILED:
 			log_failed_request(rdata, "Failed to authenticate", 0, 0);
 			ast_sip_report_auth_failed_challenge_response(endpoint, rdata);
-			pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL);
+			if (pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL) != PJ_SUCCESS) {
+				pjsip_tx_data_dec_ref(tdata);
+			}
 			return PJ_TRUE;
 		case AST_SIP_AUTHENTICATION_ERROR:
 			log_failed_request(rdata, "Error to authenticate", 0, 0);

res/res_pjsip/pjsip_message_filter.c

@@ -429,15 +429,27 @@ static pj_bool_t on_rx_process_uris(pjsip_rx_data *rdata)
 		return PJ_TRUE;
 	}
 
-	while ((contact =
-		(pjsip_contact_hdr *) pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_CONTACT,
-			contact ? contact->next : NULL))) {
+
+	contact = (pjsip_contact_hdr *) pjsip_msg_find_hdr(
+		rdata->msg_info.msg, PJSIP_H_CONTACT, NULL);
+
+	if (!contact && pjsip_method_creates_dialog(&rdata->msg_info.msg->line.req.method)) {
+		/* A contact header is required for dialog creating methods */
+		static const pj_str_t missing_contact = { "Missing Contact header", 22 };
+		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 400,
+				&missing_contact, NULL, NULL);
+		return PJ_TRUE;
+	}
+
+	while (contact) {
 		if (!contact->star && !is_sip_uri(contact->uri)) {
 			print_uri_debug(URI_TYPE_CONTACT, rdata, (pjsip_hdr *)contact);
 			pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata,
 				PJSIP_SC_UNSUPPORTED_URI_SCHEME, NULL, NULL, NULL);
 			return PJ_TRUE;
 		}
+		contact = (pjsip_contact_hdr *) pjsip_msg_find_hdr(
+			rdata->msg_info.msg, PJSIP_H_CONTACT, contact->next);
 	}
 
 	return PJ_FALSE;

res/res_pjsip/pjsip_transport_management.c

@@ -16,12 +16,6 @@
  * at the top of the source tree.
  */
 
-/*** MODULEINFO
-	<depend>pjproject</depend>
-	<depend>res_pjsip</depend>
-	<support_level>core</support_level>
- ***/
-
 #include "asterisk.h"
 
 #include <signal.h>
@@ -32,6 +26,7 @@
 #include "asterisk/res_pjsip.h"
 #include "asterisk/module.h"
 #include "asterisk/astobj2.h"
+#include "include/res_pjsip_private.h"
 
 /*! \brief Number of buckets for monitored transports */
 #define TRANSPORTS_BUCKETS 127
@@ -319,12 +314,10 @@ static pjsip_module idle_monitor_module = {
 	.on_rx_request = idle_monitor_on_rx_request,
 };
 
-static int load_module(void)
+int ast_sip_initialize_transport_management(void)
 {
 	struct ao2_container *transports;
 
-	CHECK_PJSIP_MODULE_LOADED();
-
 	transports = ao2_container_alloc(TRANSPORTS_BUCKETS, monitored_transport_hash_fn,
 		monitored_transport_cmp_fn);
 	if (!transports) {
@@ -356,11 +349,10 @@ static int load_module(void)
 	ast_sorcery_observer_add(ast_sip_get_sorcery(), "global", &keepalive_global_observer);
 	ast_sorcery_reload_object(ast_sip_get_sorcery(), "global");
 
-	ast_module_shutdown_ref(ast_module_info->self);
 	return AST_MODULE_LOAD_SUCCESS;
 }
 
-static int unload_module(void)
+void ast_sip_destroy_transport_management(void)
 {
 	if (keepalive_interval) {
 		keepalive_interval = 0;
@@ -381,20 +373,4 @@ static int unload_module(void)
 	sched = NULL;
 
 	ao2_global_obj_release(monitored_transports);
-
-	return 0;
 }
-
-static int reload_module(void)
-{
-	ast_sorcery_reload_object(ast_sip_get_sorcery(), "global");
-	return 0;
-}
-
-AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP Reliable Transport Management",
-	.support_level = AST_MODULE_SUPPORT_CORE,
-	.load = load_module,
-	.reload = reload_module,
-	.unload = unload_module,
-	.load_pri = AST_MODPRI_CHANNEL_DEPEND - 4,
-);

res/res_pjsip_pubsub.c

@@ -613,8 +613,12 @@ static void subscription_persistence_update(struct sip_subscription_tree *sub_tr
 		expires = expires_hdr ? expires_hdr->ivalue : DEFAULT_PUBLISH_EXPIRES;
 		sub_tree->persistence->expires = ast_tvadd(ast_tvnow(), ast_samp2tv(expires, 1));
 
-		pjsip_uri_print(PJSIP_URI_IN_CONTACT_HDR, contact_hdr->uri,
-			sub_tree->persistence->contact_uri, sizeof(sub_tree->persistence->contact_uri));
+		if (contact_hdr) {
+			pjsip_uri_print(PJSIP_URI_IN_CONTACT_HDR, contact_hdr->uri,
+					sub_tree->persistence->contact_uri, sizeof(sub_tree->persistence->contact_uri));
+		} else {
+			ast_log(LOG_WARNING, "Contact not updated due to missing contact header\n");
+		}
 
 		/* When receiving a packet on an streaming transport, it's possible to receive more than one SIP
 		 * message at a time into the rdata->pkt_info.packet buffer. However, the rdata->msg_info.msg_buf
@@ -728,10 +732,11 @@ static struct ast_sip_pubsub_body_generator *subscription_get_generator_from_rda
 	char accept[AST_SIP_MAX_ACCEPT][64];
 	size_t num_accept_headers = 0;
 
-	while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next))) {
+	while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next)) &&
+		(num_accept_headers < AST_SIP_MAX_ACCEPT)) {
 		int i;
 
-		for (i = 0; i < accept_header->count; ++i) {
+		for (i = 0; i < accept_header->count && num_accept_headers < AST_SIP_MAX_ACCEPT; ++i) {
 			if (!exceptional_accept(&accept_header->values[i])) {
 				ast_copy_pj_str(accept[num_accept_headers], &accept_header->values[i], sizeof(accept[num_accept_headers]));
 				++num_accept_headers;

res/res_pjsip_session.c

@@ -1860,7 +1860,9 @@ static pj_bool_t session_reinvite_on_rx_request(pjsip_rx_data *rdata)
 
 		/* Otherwise this is a new re-invite, so reject it */
 		if (pjsip_dlg_create_response(dlg, rdata, 491, NULL, &tdata) == PJ_SUCCESS) {
-			pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL);
+			if (pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL) != PJ_SUCCESS) {
+				pjsip_tx_data_dec_ref(tdata);
+			}
 		}
 
 		return PJ_TRUE;
@@ -2850,7 +2852,9 @@ static pjsip_inv_session *pre_session_setup(pjsip_rx_data *rdata, const struct a
 
 	if (pjsip_inv_verify_request(rdata, &options, NULL, NULL, ast_sip_get_pjsip_endpoint(), &tdata) != PJ_SUCCESS) {
 		if (tdata) {
-			pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL);
+			if (pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL) != PJ_SUCCESS) {
+				pjsip_tx_data_dec_ref(tdata);
+			}
 		} else {
 			pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);
 		}

third-party/pjproject/patches/0070-sdp_media_fmt.patch

@@ -0,0 +1,19 @@
+diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c
+index a3dd80b..0a13206 100644
+--- a/pjmedia/src/pjmedia/sdp.c
++++ b/pjmedia/src/pjmedia/sdp.c
+@@ -1516,11 +1516,12 @@ PJ_DEF(pj_status_t) pjmedia_sdp_validate2(const pjmedia_sdp_session *sdp,
+ 	     * RTC based programs sends "null" for instant messaging!
+ 	     */
+ 	    if (pj_isdigit(*m->desc.fmt[j].ptr)) {
+-		unsigned pt = pj_strtoul(&m->desc.fmt[j]);
++		unsigned long pt;
++		pj_status_t status = pj_strtoul3(&m->desc.fmt[j], &pt, 10);
+ 
+ 		/* Payload type is between 0 and 127. 
+ 		 */
+-		CHECK( pt <= 127, PJMEDIA_SDP_EINPT);
++		CHECK( status == PJ_SUCCESS && pt <= 127, PJMEDIA_SDP_EINPT);
+ 
+ 		/* If port is not zero, then for each dynamic payload type, an
+ 		 * rtpmap attribute must be specified.

third-party/pjproject/patches/0071-sdp_fmtp_attr.patch

@@ -0,0 +1,34 @@
+diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c
+index a3dd80b..6117e07 100644
+--- a/pjmedia/src/pjmedia/sdp.c
++++ b/pjmedia/src/pjmedia/sdp.c
+@@ -256,7 +256,8 @@ PJ_DEF(pj_status_t) pjmedia_sdp_attr_get_rtpmap( const pjmedia_sdp_attr *attr,
+ 
+     PJ_ASSERT_RETURN(pj_strcmp2(&attr->name, "rtpmap")==0, PJ_EINVALIDOP);
+ 
+-    PJ_ASSERT_RETURN(attr->value.slen != 0, PJMEDIA_SDP_EINATTR);
++    if (attr->value.slen == 0)
++        return PJMEDIA_SDP_EINATTR;
+ 
+     init_sdp_parser();
+ 
+@@ -341,6 +342,9 @@ PJ_DEF(pj_status_t) pjmedia_sdp_attr_get_fmtp( const pjmedia_sdp_attr *attr,
+ 
+     PJ_ASSERT_RETURN(pj_strcmp2(&attr->name, "fmtp")==0, PJ_EINVALIDOP);
+ 
++    if (attr->value.slen == 0)
++        return PJMEDIA_SDP_EINATTR;
++
+     /* fmtp BNF:
+      *	a=fmtp:<format> <format specific parameter>
+      */
+@@ -379,6 +383,9 @@ PJ_DEF(pj_status_t) pjmedia_sdp_attr_get_rtcp(const pjmedia_sdp_attr *attr,
+ 
+     PJ_ASSERT_RETURN(pj_strcmp2(&attr->name, "rtcp")==0, PJ_EINVALIDOP);
+ 
++    if (attr->value.slen == 0)
++        return PJMEDIA_SDP_EINATTR;
++
+     init_sdp_parser();
+ 
+     /* fmtp BNF: