Simply establishing a TCP connection and never sending anything to the
configured HTTP port in http.conf will tie up a HTTP connection. Since
there is a maximum number of open HTTP sessions allowed at a time you can
block legitimate connections.
A similar problem exists if a HTTP request is started but never finished.
* Added http.conf session_inactivity timer option to close HTTP
connections that aren't doing anything. Defaults to 30000 ms.
* Removed the undocumented manager.conf block-sockets option. It
interferes with TCP/TLS inactivity timeouts.
* AMI and SIP TLS connections now have better authentication timeout
protection. Though I didn't remove the bizarre TLS timeout polling code
from chan_sip.
* chan_sip can now handle SSL certificate renegotiations in the middle of
a session. It couldn't do that before because the socket was non-blocking
and the SSL calls were not restarted as documented by the OpenSSL
documentation.
* Fixed an off nominal leak of the ssl struct in
handle_tcptls_connection() if the FILE stream failed to open and the SSL
certificate negotiations failed.
The patch creates a custom FILE stream handler to give the created FILE
streams inactivity timeout and timeout after a specific moment in time
capability. This approach eliminates the need for code using the FILE
stream to be redesigned to deal with the timeouts.
This patch indirectly fixes most of ASTERISK-18345 by fixing the usage of
the SSL_read/SSL_write operations.
ASTERISK-23673 #close
Reported by: Richard Mudgett
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@415841 65c4cc65-6c06-0410-ace0-fbb531ad65f3
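The read-side logic that an inactivity timeout and an absolute deadline need, as an added C sketch (not the Asterisk patch and not its FILE stream handler). `struct timed_conn`, `timed_read()` and the two scenario functions are hypothetical names, and a local `socketpair()` stands in for an HTTP or AMI connection.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical per-connection limits; names are illustrative, not Asterisk's. */
struct timed_conn {
    int fd;
    int inactivity_ms;     /* longest allowed gap with no data from the peer */
    long long deadline_ms; /* absolute monotonic cutoff, 0 = none */
};

static long long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* Returns bytes read, 0 on peer close, or -1 with errno == ETIMEDOUT when the
 * peer stays idle too long or the absolute deadline has passed. */
ssize_t timed_read(struct timed_conn *c, void *buf, size_t len) {
    for (;;) {
        int wait_ms = c->inactivity_ms;
        if (c->deadline_ms) {
            long long left = c->deadline_ms - now_ms();
            if (left <= 0) { errno = ETIMEDOUT; return -1; }
            if (left < wait_ms) wait_ms = (int)left;
        }
        struct pollfd pfd = { .fd = c->fd, .events = POLLIN };
        int rc = poll(&pfd, 1, wait_ms);
        if (rc == 0) { errno = ETIMEDOUT; return -1; }
        if (rc < 0) { if (errno == EINTR) continue; return -1; }
        ssize_t n = read(c->fd, buf, len);
        if (n < 0 && errno == EINTR) continue;
        return n;
    }
}

/* Constructed scenario 1: the peer connects and never sends anything. */
int idle_peer_times_out(void) {
    int sv[2]; char buf[64];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv)) return 0;
    struct timed_conn c = { sv[0], 50, 0 };
    ssize_t n = timed_read(&c, buf, sizeof(buf));
    int ok = (n == -1 && errno == ETIMEDOUT);
    close(sv[0]); close(sv[1]);
    return ok;
}

/* Constructed scenario 2: a request is started, then the peer stalls; the
 * absolute deadline fires long before the 5 s inactivity timer would. */
int stalled_peer_hits_deadline(void) {
    int sv[2]; char buf[64];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv)) return 0;
    long long t0 = now_ms();
    struct timed_conn c = { sv[0], 5000, t0 + 100 };
    if (write(sv[1], "GET /", 5) != 5) return 0;
    ssize_t first = timed_read(&c, buf, sizeof(buf));  /* partial request */
    ssize_t second = timed_read(&c, buf, sizeof(buf)); /* nothing follows */
    int ok = (first == 5 && second == -1 && errno == ETIMEDOUT && now_ms() - t0 < 2000);
    close(sv[0]); close(sv[1]);
    return ok;
}

int main(void) {
    printf("idle dropped=%d stalled dropped=%d\n", idle_peer_times_out(), stalled_peer_hits_deadline());
    return 0;
}
```

On timeout the caller closes the connection, which frees the session slot for the next client.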
This resolves a large number of compiler warnings from GCC 4.10 which
cause the build to fail under dev mode. The vast majority are
signed/unsigned mismatches in printf-style format strings.
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@413586 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This adds the TCP_NODELAY option to accepted connections on the HTTP
server built into Asterisk. This option disables the Nagle algorithm
which controls queueing of outbound data and in some cases can cause
delays on receipt of response by the client due to how the Nagle
algorithm interacts with TCP delayed ACK. This option is already set on
all non-HTTP AMI connections and this change would cover standard HTTP
requests, manager HTTP connections, and ARI HTTP requests and
websockets in Asterisk 12+ along with any future use of the HTTP
server.
Review: https://reviewboard.asterisk.org/r/3466/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@412745 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch works around a problem with the HTTP body
being dropped from the response to a specific client
and under specific circumstances:
a) Client request comes from node.js user agent
"Shred" via use of swagger-client library.
b) Asterisk and Client are *not* on the same
host or TCP/IP stack
In testing this problem, it has been determined that
the write of the HTTP body is lost, even if the data
is written using low level write function. The only
solution found is to instruct the TCP stack with the
shutdown function to flush the last write and finish
the transmission. See review for more details.
ASTERISK-23548 #close
(closes issue ASTERISK-23548)
Reported by: Sam Galarneau
Review: https://reviewboard.asterisk.org/r/3402/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@411462 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Made register atexit shutdown routine only once in __init_manager().
* Fixed some initial load failure conditions in __init_manager().
* Made reset options to defaults on reload when the reload will actually
happen.
* Fixed the order of unreferencing a session object in session_destroy().
* Removed unnecessary container traversals of the white/black filters
during session_destructor() and manager_free_user().
* ast_free() does not need a NULL check before calling.
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@406359 65c4cc65-6c06-0410-ace0-fbb531ad65f3
ast_xmldoc_printable returns an allocated block that must be freed by the
caller. Fixed manager.c and res_agi.c to stop leaking these results.
(closes issue ASTERISK-22395)
Reported by: Corey Farrell
Patches:
manager-leaks-1.8.patch uploaded by coreyfarrell (license 5909)
res_agi-xmldoc-leaks.patch uploaded by coreyfarrell (license 5909)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@398060 65c4cc65-6c06-0410-ace0-fbb531ad65f3
AMI actions must never return non-zero unless they intend to close the AMI
connection. (Which is almost never.)
(closes issue ASTERISK-21779)
Reported by: Paul Goldbaum
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@388477 65c4cc65-6c06-0410-ace0-fbb531ad65f3
AMI, HTTP, and chan_sip all support TLS in some way, but none of them
support all the options that Asterisk's TLS core is capable of
interpreting. This prevents consumers of the TLS/SSL layer from setting
TLS/SSL options that they do not support.
This also gets tlsverifyclient closer to a working state by requesting
the client certificate when tlsverifyclient is set. Currently, there is
no consumer of main/tcptls.c in Asterisk that supports this feature and
so it can not be properly tested.
Review: https://reviewboard.asterisk.org/r/2370/
Reported-by: John Bigelow
Patch-by: Kinsey Moore
(closes issue AST-1093)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@383165 65c4cc65-6c06-0410-ace0-fbb531ad65f3
When converting AMI class authorizations to a string representation, the
method always appends the ALL class authorization. This is especially
important for events, as they should always communicate that class
authorization - even if the event itself does not specify ALL as a class
authorization for itself. (Events have always assumed that the ALL class
authorization is implied when they are raised)
Unfortunately, this did mean that specifying a user with restricted class
authorizations would show up in the 'manager show user' CLI command as
having the ALL class authorization.
Rather than modifying the existing string manipulation function, this patch
adds a function that will only return a string if the field being compared
explicitly matches the class authorization field it is being compared against.
This prevents ALL from being returned unless it is actually specified for
the user.
(closes issue ASTERISK-20397)
Reported by: Johan Wilfer
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@381939 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The AMI redirect action can fail to redirect two channels that are bridged
together. There is a race between the AMI thread redirecting the two
channels and the bridge thread noticing that a channel is hung up from the
redirects.
* Made the bridge wait for both channels to be redirected before exiting.
* Made the AMI redirect check that all required headers are present before
proceeding with the redirection.
* Made the AMI redirect require that any supplied ExtraChannel exist
before proceeding. Previously the code fell back to a single channel
redirect operation.
(closes issue ASTERISK-18975)
Reported by: Ben Klang
(closes issue ASTERISK-19948)
Reported by: Brent Dalgleish
Patches:
jira_asterisk_19948_v11.patch (license #5621) patch uploaded by rmudgett
Tested by: rmudgett, Thomas Sevestre, Deepak Lohani, Kayode
Review: https://reviewboard.asterisk.org/r/2243/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@378356 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Prior to this patch, challenge would yield a multiple logins error if used
without providing the username (which isn't really supposed to be an argument
to challenge) if allowmultiplelogin was set to no because allowmultiplelogin
finds a user with a zero length login name. This check is simply disabled for
the challenge action when the username is empty by this patch.
(closes issue ASTERISK-20677)
Reported by: Vladimir
Patches:
challenge_action_nomultiplelogin.diff uploaded by Jonathan Rose (license 6182)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@376725 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Manager's tcp/tls objects have a periodic function that purges old manager
sessions periodically. During shutdown, the underlying container holding
those sessions can be disposed of and set to NULL before the tcp/tls periodic
function is stopped. If the periodic function fires, it will attempt to
iterate over a NULL container.
This patch checks for whether or not the sessions container exists before
attempting to purge sessions out of it. If the sessions container is NULL,
we simply return.
Note that this error was also caught by the Asterisk Test Suite.
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@375800 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch does two things:
1) It properly unregisters the manager CLI commands
2) It cleans up AMI users on exit. Prior to this patch, the AMI users
were not being disposed of properly, resulting in a memory leak.
(closes issue ASTERISK-20646)
Reported by: Corey Farrell
patches:
manager_shutdown.patch uploaded by Corey Farrell (license 5909)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@375793 65c4cc65-6c06-0410-ace0-fbb531ad65f3
In AMI's parser, when it receives a long line (> 1024 characters), it discards
that line, but continues to process the message normally.
Typically, this is not a problem because a) who has lines that long and b)
usually a discarded line results in an invalid message. But if that line is
specifying an optional field, then the message will be processed, you get a
'Response: Success', but things don't work the way you expected them to.
This patch changes the behavior when a line-too-long parse error occurs.
* Changes the log message to avoid way-too-long (and truncated anyways) log
messages
* Adds a 'parsing' status flag to Response: Success
* Sets parsing = MESSAGE_LINE_TOO_LONG if, well, a line is too long
* Responds with an appropriate error if parsing != MESSAGE_OKAY
(closes issue AST-961)
Reported by: John Bigelow
Review: https://reviewboard.asterisk.org/r/2142/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@374570 65c4cc65-6c06-0410-ace0-fbb531ad65f3
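The fail-closed behaviour described in this commit message, as an added C sketch that is not Asterisk's parser. `MESSAGE_OKAY`, `MESSAGE_LINE_TOO_LONG` and the 1024-character limit come from the message; `parse_message()`, `respond()`, `MAX_HEADERS` and the sample action are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LINE 1024    /* line limit quoted in the commit message */
#define MAX_HEADERS 16   /* assumed cap for this sketch */

enum parse_status { MESSAGE_OKAY, MESSAGE_LINE_TOO_LONG };

struct message {
    int hdrcount;
    char headers[MAX_HEADERS][MAX_LINE + 1];
    enum parse_status parsing;
};

/* Split raw text on CRLF up to the blank line that ends a message.
 * Oversized lines are still discarded, but the fact is now recorded. */
void parse_message(const char *raw, struct message *m) {
    m->hdrcount = 0;
    m->parsing = MESSAGE_OKAY;
    while (*raw) {
        const char *eol = strstr(raw, "\r\n");
        size_t len = eol ? (size_t)(eol - raw) : strlen(raw);
        if (len == 0)
            break;
        if (len > MAX_LINE) {
            m->parsing = MESSAGE_LINE_TOO_LONG;
        } else if (m->hdrcount < MAX_HEADERS) {
            memcpy(m->headers[m->hdrcount], raw, len);
            m->headers[m->hdrcount][len] = '\0';
            m->hdrcount++;
        }
        raw = eol ? eol + 2 : raw + len;
    }
}

/* check_status = 0 models the old behaviour, 1 the behaviour after the patch. */
const char *respond(const struct message *m, int check_status) {
    if (check_status && m->parsing != MESSAGE_OKAY)
        return "Response: Error";
    return "Response: Success";
}

/* Constructed input: an action whose optional third header exceeds MAX_LINE. */
static void build_sample(char *out, size_t outlen) {
    char big[MAX_LINE + 64];
    memset(big, 'x', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    snprintf(out, outlen,
             "Action: Originate\r\nChannel: Local/100\r\nVariable: %s\r\n\r\n", big);
}

/* Number of headers that survive parsing of the constructed sample. */
int headers_kept(void) {
    static struct message m;
    char raw[2048];
    build_sample(raw, sizeof(raw));
    parse_message(raw, &m);
    return m.hdrcount;
}

const char *sample_response(int check_status) {
    static struct message m;
    char raw[2048];
    build_sample(raw, sizeof(raw));
    parse_message(raw, &m);
    return respond(&m, check_status);
}

int main(void) {
    printf("kept=%d old=\"%s\" new=\"%s\"\n", headers_kept(),
           sample_response(0), sample_response(1));
    return 0;
}
```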
Before this commit, __astman_get_header would blindly dereference the passed in
'struct message *' to traverse the header list. There are cases, however, such
as '*CLI> sip qualify peer foo' where the message pointer is NULL, so we need
to check for that.
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@373131 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The documentation incorrectly listed 'rtp' as a reloadable subsystem
and left out many other reloadable subsystems. It is now also
documented that subsystems may only be reloaded, not loaded or
unloaded.
(closes issue AST-977)
Reported-by: John Bigelow
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@372354 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The AMI Originate action can allow a remote user to specify information that can
be used to execute shell commands on the system hosting Asterisk. This can
result in an unwanted escalation of permissions, as the Originate action, which
requires the "originate" class authorization, can be used to perform actions
that would typically require the "system" class authorization. Previous attempts
to prevent this permission escalation (AST-2011-006, AST-2012-004) have sought
to do so by inspecting the names of applications and functions passed in with
the Originate action and, if those applications/functions matched a predefined
set of values, rejecting the command if the user lacked the "system" class
authorization. As noted by IBM X-Force Research, the "ExternalIVR"
application is not listed in the predefined set of values. The solution for
this particular vulnerability is to include the "ExternalIVR" application in the
set of defined applications/functions that require "system" class authorization.
Unfortunately, the approach of inspecting fields in the Originate action against
known applications/functions has a significant flaw. The predefined set of
values can be bypassed by creative use of the Originate action or by certain
dialplan configurations, which is beyond the ability of Asterisk to analyze at
run-time. Attempting to work around these scenarios would result in severely
restricting the applications or functions and prevent their usage for legitimate
means. As such, any additional security vulnerabilities, where an
application/function that would normally require the "system" class
authorization can be executed by users with the "originate" class authorization,
will not be addressed. Instead, the README-SERIOUSLY.bestpractices.txt file has
been updated to reflect that the AMI Originate action can result in commands
requiring the "system" class authorization to be executed. Proper system
configuration can limit the impact of such scenarios.
(closes issue ASTERISK-20132)
Reported by: Zubair Ashraf of IBM X-Force Research
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@371998 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The "Waiting" field was misdocumented as reporting the number of
messages waiting. In reality, it simply indicated the presence or
absence of waiting messages.
(closes issue AST-975)
reported by John Bigelow
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@371782 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This replaces all calls to alloca() with ast_alloca() which calls gcc's
__builtin_alloca() to avoid BSD semantics and removes all NULL checks
on memory allocated via ast_alloca() and ast_strdupa().
(closes issue ASTERISK-20125)
Review: https://reviewboard.asterisk.org/r/2032/
Patch-by: Walter Doekes (wdoekes)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@370642 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This resolves core findings from ASTERISK-19650 numbers 0-2, 6, 7, 9-11, 14-20,
22-24, 28, 30-32, 34-36, 42-56, 82-84, 87, 89-90, 93-102, 104, 105, 109-111,
and 115. Finding numbers 26, 33, and 29 were already resolved. Those skipped
were either extended/deprecated or in areas of code that shouldn't be
disturbed.
(Closes issue ASTERISK-19650)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@366167 65c4cc65-6c06-0410-ace0-fbb531ad65f3
As detailed in the advisory, AMI users without write authorization for SYSTEM class AMI
actions were able to run system commands by going through other AMI commands which did
not require that authorization. Specifically, GetVar and Status allowed users to do this
by setting their variable/s options to the SHELL or EVAL functions.
Also, within 1.8, 10, and trunk there was a similar flaw with the Originate action that
allowed users with originate permission to run MixMonitor and supply a shell command
in the Data argument. That flaw is fixed in those versions of this patch.
(closes issue ASTERISK-17465)
Reported By: David Woolley
Patches:
162_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
18_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
10_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
........
Merged revisions 363117 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@363141 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch addresses a number of modules in main that did not handle the
negative return value from function calls adequately, or were not sufficiently
clear that the conditions leading to improper handling of the return values
could not occur. This includes:
* asterisk.c: A negative return value from the read function would be used
directly as an index into a buffer. We now check for success of the read
function prior to using its result as an index.
* manager.c: Check for failures in mkstemp and lseek when handling the
temporary file created for processing data returned from a CLI command in
action_command. Also check that the result of an lseek is sanitized prior
to using it as the size of a memory map to allocate.
* translate.c: Note in the appropriate locations where powerof cannot return
a negative value, due to proper checks placed on the inputs to that function.
(issue ASTERISK-19655)
Reported by: Matt Jordan
Review: https://reviewboard.asterisk.org/r/1863/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@362359 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Fix AMI module reload deadlock regression from ASTERISK-18479 when it
tried to fix the race between calling an AMI action callback and
unregistering that action. Refixes ASTERISK-13784 broken by
ASTERISK-17785 change.
Locking the ao2 object guaranteed that there were no active callbacks that
mattered when ast_manager_unregister() was called. Unfortunately, this
causes the deadlock situation. The patch stops locking the ao2 object to
allow multiple threads to invoke the callback re-entrantly. There is no
way to guarantee a module unload will not crash because of an active
callback. The code attempts to minimize the chance with the registered
flag and the maximum 5 second delay before ast_manager_unregister()
returns.
The trunk version of the patch changes the API to fix the race condition
correctly to prevent the module code from unloading from memory while an
action callback is active.
* Don't hold the lock while calling the AMI action callback.
(closes issue ASTERISK-19487)
Reported by: Philippe Lindheimer
Review: https://reviewboard.asterisk.org/r/1818/
Review: https://reviewboard.asterisk.org/r/1820/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@359979 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The process_output function in manager.c attempted to call fclose and close immediately
afterwards. Since fclose implies close, this resulted in a potential double free on file
descriptors. This patch changes that behavior and also adds error checking to fclose and
close depending on which was deemed necessary. Also error messages. Thanks to Rosen
Iliev for pointing out the location of the problem.
(closes issue ASTERISK-18453)
Reported By: Jaco Kroon
Review: https://reviewboard.asterisk.org/r/1793/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@358214 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The astman_get_header() never returns NULL so the check by the code for
NULL would never fail.
(closes issue ASTERISK-16974)
Reported by: Nuno Borges
Patches:
0018325.patch (license #6116) patch uploaded by Nuno Borges (modified)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@354835 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Removes references to tlsbindport from http.conf.sample and manager.conf.sample
* Properly bind to port specified in tlsbindaddr, using the default port if specified.
* On a reload, properly close socket if the service has been disabled.
A note has been added to UPGRADE.txt to indicate how ports must be set for TLS.
(closes issue ASTERISK-16959)
reported by Olaf Holthausen
(closes issue ASTERISK-19201)
reported by Chris Mylonas
(closes issue ASTERISK-19204)
reported by Chris Mylonas
Review: https://reviewboard.asterisk.org/r/1709
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@353770 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Fix memory leak of vars in error paths for action_originate().
* Moved struct fast_originate_helper tech and data members to stringfields.
* Simplified ActionID header handling for fast_originate().
* Added doxygen note to ast_request() and ast_call() and the associated
channel callbacks that the data/addr parameters should be treated as const
char *.
Review: https://reviewboard.asterisk.org/r/1690/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@353454 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Fixed race between calling an AMI action callback and unregistering that
action. Refixes ASTERISK-13784 broken by ASTERISK-17785 change.
* Fixed potential memory leak if an AMI action failed to get registered
because it already was registered. Part of the ao2 conversion.
* Fixed AMI ListCommands action not walking the actions list with a lock
held.
* Fix usage of ast_strdupa() and alloca() in loops. Excess stack usage.
* Fix AMI Originate action Variable header requiring a space after the
header colon. Reported by Yaroslav Panych on the asterisk-dev list.
* Increased the number of listed variables allowed per AMI Originate
action Variable header to 64.
* Fixed AMI GetConfigJSON action output format.
* Fixed usage of res contents outside of scope in append_channel_vars().
* Fixed inconsistency of config file channelvars option. The values no
longer accumulate with every channelvars option in the config file. Only
the last value is kept to be consistent with the CLI "manager show
settings" command.
(closes issue ASTERISK-18479)
Reported by: Jaco Kroon
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@340279 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch adds an optional "module" attribute to the XML documentation spec
that allows the documentation processor to match apps with identical names from
different modules to their documentation. This patch also fixes a number of
bugs with the documentation processor and should make it a little more
efficient. Support for multiple languages has also been properly implemented.
ASTERISK-18130
Review: https://reviewboard.asterisk.org/r/1485/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@340108 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Dummy channels created by ast_dummy_channel_alloc() should be destroyed by
ast_channel_unref(). Using ast_channel_release() needlessly grabs the
channel container lock and can cause a deadlock as a result.
* Analyzed use of ast_dummy_channel_alloc() and made use
ast_channel_unref() when done with the dummy channel. (Primary reason for
the reported deadlock.)
* Made app_dial.c:dial_exec_full() not call ast_call() holding any channel
locks. Chan_local could not perform deadlock avoidance correctly.
(Potential deadlock exposed by this issue. Secondary reason for the
reported deadlock since the held lock was part of the deadlock chain.)
* Fixed some uses of ast_dummy_channel_alloc() not checking the returned
channel pointer for failure.
* Fixed some potential chan=NULL pointer usage in func_odbc.c. Protected
by testing the bogus_chan value.
* Fixed needlessly clearing a 1024 char auto array when setting the first
char to zero is enough in manager.c:action_getvar().
(closes issue ASTERISK-18613)
Reported by: Thomas Arimont
Patches:
jira_asterisk_18613_v1.8.patch (license #5621) patch uploaded by rmudgett
Tested by: Thomas Arimont
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@337973 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This update adds a new AMI event, TestEvent, which is enabled when the TEST_FRAMEWORK compiler flag is defined. It also adds initial usage of this event to app_voicemail. The TestEvent AMI event is used extensively by the voicemail tests in the Asterisk Test Suite.
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@332817 65c4cc65-6c06-0410-ace0-fbb531ad65f3
An empty string was not being checked for properly causing identification of
the module to be reloaded to fail and return an Error with message
"No such module."
(closes issue AST-616)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@331315 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The process_output() function calls ast_str_append() and xml_translate() on its
'out' parameter, which is a pointer to an ast_str buffer. If either of these
functions needs to reallocate the ast_str so it will have more space, they will
free the existing buffer and allocate a new one, returning the address of the
new one. However, because process_output only receives a pointer to the ast_str,
not a pointer to its caller's variable holding the pointer, if the original
ast_str is freed, the caller will not know, and will continue to use it (and
later attempt to free it).
(reported by jkroon on #asterisk-dev)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@327950 65c4cc65-6c06-0410-ace0-fbb531ad65f3
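The pointer-ownership bug described in this commit message, reduced to a stand-alone C sketch (an added example, not Asterisk's code). `struct dynstr` and its functions are hypothetical stand-ins for `ast_str`, and the pointer-to-pointer signature is the fix the message implies, not a quote from the patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for ast_str: header and buffer share one allocation,
 * so growing the string can move the whole object. */
struct dynstr {
    size_t cap;
    size_t len;
    char buf[];
};

struct dynstr *dynstr_create(size_t cap) {
    struct dynstr *s = malloc(sizeof(*s) + cap);
    if (s) { s->cap = cap; s->len = 0; s->buf[0] = '\0'; }
    return s;
}

/* Append text; may free the old object and store a new address in *sp. */
int dynstr_append(struct dynstr **sp, const char *text) {
    struct dynstr *s = *sp;
    size_t add = strlen(text);
    if (s->len + add + 1 > s->cap) {
        size_t ncap = (s->len + add + 1) * 2;
        struct dynstr *n = malloc(sizeof(*n) + ncap);
        if (!n) return -1;
        memcpy(n, s, sizeof(*s) + s->len + 1);
        n->cap = ncap;
        free(s);
        *sp = s = n;
    }
    memcpy(s->buf + s->len, text, add + 1);
    s->len += add;
    return 0;
}

/* Broken shape: 'out' is a copy of the caller's pointer. If the append moves
 * the string, only this local copy is updated and the caller is left holding
 * a freed address (use-after-free, then double free). Shown for contrast and
 * never called in this example. */
int process_output_broken(struct dynstr *out, const char *text) {
    return dynstr_append(&out, text);
}

/* Fixed shape: the caller passes the address of its own pointer. */
int process_output_fixed(struct dynstr **out, const char *text) {
    return dynstr_append(out, text);
}

/* Returns 1 if the string moved and the caller's pointer followed it. */
int demo_fixed(void) {
    struct dynstr *s = dynstr_create(8);
    if (!s) return 0;
    uintptr_t before = (uintptr_t)s;
    if (process_output_fixed(&s, "Response: Success\r\n")) { free(s); return 0; }
    int moved = ((uintptr_t)s != before);
    int ok = moved && strcmp(s->buf, "Response: Success\r\n") == 0;
    free(s);
    return ok;
}

int main(void) {
    printf("caller pointer tracked reallocation: %d\n", demo_fixed());
    return 0;
}
```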