AMI actions must never return non-zero unless they intend to close the AMI
connection. (Which is almost never.)
(closes issue ASTERISK-21779)
Reported by: Paul Goldbaum
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@388477 65c4cc65-6c06-0410-ace0-fbb531ad65f3
AMI, HTTP, and chan_sip all support TLS in some way, but none of them
support all the options that Asterisk's TLS core is capable of
interpreting. This prevents consumers of the TLS/SSL layer from setting
TLS/SSL options that they do not support.
This also gets tlsverifyclient closer to a working state by requesting
the client certificate when tlsverifyclient is set. Currently, there is
no consumer of main/tcptls.c in Asterisk that supports this feature and
so it can not be properly tested.
Review: https://reviewboard.asterisk.org/r/2370/
Reported-by: John Bigelow
Patch-by: Kinsey Moore
(closes issue AST-1093)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@383165 65c4cc65-6c06-0410-ace0-fbb531ad65f3
When converting AMI class authorizations to a string representation, the
method always appends the ALL class authorization. This is especially
important for events, as they should always communicate that class
authorization - even if the event itself does not specify ALL as a class
authorization for itself. (Events have always assumed that the ALL class
authorization is implied when they are raised)
Unfortunately, this did mean that specifying a user with restricted class
authorizations would show up in the 'manager show user' CLI command as
having the ALL class authorization.
Rather then modifying the existing string manipulation function, this patch
adds a function that will only return a string if the field being compared
explicitly matches class authorization field it is being compared against.
This prevents ALL from being returned unless it is actually specified for
the user.
(closes issue ASTERISK-20397)
Reported by: Johan Wilfer
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@381939 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The AMI redirect action can fail to redirect two channels that are bridged
together. There is a race between the AMI thread redirecting the two
channels and the bridge thread noticing that a channel is hungup from the
redirects.
* Made the bridge wait for both channels to be redirected before exiting.
* Made the AMI redirect check that all required headers are present before
proceeding with the redirection.
* Made the AMI redirect require that any supplied ExtraChannel exist
before proceeding. Previously the code fell back to a single channel
redirect operation.
(closes issue ASTERISK-18975)
Reported by: Ben Klang
(closes issue ASTERISK-19948)
Reported by: Brent Dalgleish
Patches:
jira_asterisk_19948_v11.patch (license #5621) patch uploaded by rmudgett
Tested by: rmudgett, Thomas Sevestre, Deepak Lohani, Kayode
Review: https://reviewboard.asterisk.org/r/2243/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@378356 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Prior to this patch, challenge would yield a multiple logins error if used
without providing the username (which isn't really supposed to be an argument
to challenge) if allowmultiplelogin was set to no because allowmultiplelogin
finds a user with a zero length login name. This check is simply disabled for
the challenge action when the username is empty by this patch.
(closes issue ASTERISK-20677)
Reported by: Vladimir
Patches:
challenge_action_nomultiplelogin.diff uploaded by Jonathan Rose (license 6182)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@376725 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Manager's tcp/tls objects have a periodic function that purge old manager
sessions periodically. During shutdown, the underlying container holding
those sessions can be disposed of and set to NULL before the tcp/tls periodic
function is stopped. If the periodic function fires, it will attempt to
iterate over a NULL container.
This patch checks for whether or not the sessions container exists before
attempting to purge sessions out of it. If the sessions container is NULL,
we simply return.
Note that this error was also caught by the Asterisk Test Suite.
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@375800 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch does two things:
1) It properly unregisters the manager CLI commands
2) It cleans up AMI users on exit. Prior to this patch, the AMI users
were not being disposed of properly, resulting in a memory leak.
(closes issue ASTERISK-20646)
Reported by: Corey Farrell
patches:
manager_shutdown.patch uploaded by Corey Farrell (license 5909)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@375793 65c4cc65-6c06-0410-ace0-fbb531ad65f3
In AMI's parser, when it receives a long line (> 1024 characters), it discards
that line, but continues to process the message normally.
Typically, this is not a problem because a) who has lines that long and b)
usually a discarded line results in an invalid message. But if that line is
specifying an optional field, then the message will be processed, you get a
'Response: Success', but things don't work the way you expected them to.
This patch changes the behavior when a line-too-long parse error occurs.
* Changes the log message to avoid way-too-long (and truncated anyways) log
messages
* Adds a 'parsing' status flag to Response: Success
* Sets parsing = MESSAGE_LINE_TOO_LONG if, well, a line is too long
* Responds with an appropriate error if parsing != MESSAGE_OKAY
(closes issue AST-961)
Reported by: John Bigelow
Review: https://reviewboard.asterisk.org/r/2142/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@374570 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Before this commit, __astman_get_header would blindly dereference the passed in
'struct message *' to traverse the header list. There are cases, however, such
as '*CLI> sip qualify peer foo' where the message pointer is NULL, so we need
to check for that.
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@373131 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The documentation incorrectly listed 'rtp' as a reloadable subsystem
and left out many other reloadable subsystems. It is now also
documented that subsystems may only be reloaded, not loaded or
unloaded.
(closes issue AST-977)
Reported-by: John Bigelow
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@372354 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The AMI Originate action can allow a remote user to specify information that can
be used to execute shell commands on the system hosting Asterisk. This can
result in an unwanted escalation of permissions, as the Originate action, which
requires the "originate" class authorization, can be used to perform actions
that would typically require the "system" class authorization. Previous attempts
to prevent this permission escalation (AST-2011-006, AST-2012-004) have sought
to do so by inspecting the names of applications and functions passed in with
the Originate action and, if those applications/functions matched a predefined
set of values, rejecting the command if the user lacked the "system" class
authorization. As noted by IBM X-Force Research, the "ExternalIVR"
application is not listed in the predefined set of values. The solution for
this particular vulnerability is to include the "ExternalIVR" application in the
set of defined applications/functions that require "system" class authorization.
Unfortunately, the approach of inspecting fields in the Originate action against
known applications/functions has a significant flaw. The predefined set of
values can be bypassed by creative use of the Originate action or by certain
dialplan configurations, which is beyond the ability of Asterisk to analyze at
run-time. Attempting to work around these scenarios would result in severely
restricting the applications or functions and prevent their usage for legitimate
means. As such, any additional security vulnerabilities, where an
application/function that would normally require the "system" class
authorization can be executed by users with the "originate" class authorization,
will not be addressed. Instead, the README-SERIOUSLY.bestpractices.txt file has
been updated to reflect that the AMI Originate action can result in commands
requiring the "system" class authorization to be executed. Proper system
configuration can limit the impact of such scenarios.
(closes issue ASTERISK-20132)
Reported by: Zubair Ashraf of IBM X-Force Research
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@371998 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The "Waiting" field was misdocumented as reporting the number of
messages waiting. In reality, it simply indicated the presence or
absence of waiting messages.
(closes issue AST-975)
reported by John Bigelow
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@371782 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This replaces all calls to alloca() with ast_alloca() which calls gcc's
__builtin_alloca() to avoid BSD semantics and removes all NULL checks
on memory allocated via ast_alloca() and ast_strdupa().
(closes issue ASTERISK-20125)
Review: https://reviewboard.asterisk.org/r/2032/
Patch-by: Walter Doekes (wdoekes)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@370642 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This resolves core findings from ASTERISK-19650 numbers 0-2, 6, 7, 9-11, 14-20,
22-24, 28, 30-32, 34-36, 42-56, 82-84, 87, 89-90, 93-102, 104, 105, 109-111,
and 115. Finding numbers 26, 33, and 29 were already resolved. Those skipped
were either extended/deprecated or in areas of code that shouldn't be
disturbed.
(Closes issue ASTERISK-19650)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@366167 65c4cc65-6c06-0410-ace0-fbb531ad65f3
As detailed in the advisory, AMI users without write authorization for SYSTEM class AMI
actions were able to run system commands by going through other AMI commands which did
not require that authorization. Specifically, GetVar and Status allowed users to do this
by setting their variable/s options to the SHELL or EVAL functions.
Also, within 1.8, 10, and trunk there was a similar flaw with the Originate action that
allowed users with originate permission to run MixMonitor and supply a shell command
in the Data argument. That flaw is fixed in those versions of this patch.
(closes issue ASTERISK-17465)
Reported By: David Woolley
Patches:
162_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
18_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
10_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
........
Merged revisions 363117 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@363141 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch addresses a number of modules in main that did not handle the
negative return value from function calls adequately, or were not sufficiently
clear that the conditions leading to improper handling of the return values
could not occur. This includes:
* asterisk.c: A negative return value from the read function would be used
directly as an index into a buffer. We now check for success of the read
function prior to using its result as an index.
* manager.c: Check for failures in mkstemp and lseek when handling the
temporary file created for processing data returned from a CLI command in
action_command. Also check that the result of an lseek is sanitized prior
to using it as the size of a memory map to allocate.
* translate.c: Note in the appropriate locations where powerof cannot return
a negative value, due to proper checks placed on the inputs to that function.
(issue ASTERISK-19655)
Reported by: Matt Jordan
Review: https://reviewboard.asterisk.org/r/1863/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@362359 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Fix AMI module reload deadlock regression from ASTERISK-18479 when it
tried to fix the race between calling an AMI action callback and
unregistering that action. Refixes ASTERISK-13784 broken by
ASTERISK-17785 change.
Locking the ao2 object guaranteed that there were no active callbacks that
mattered when ast_manager_unregister() was called. Unfortunately, this
causes the deadlock situation. The patch stops locking the ao2 object to
allow multiple threads to invoke the callback re-entrantly. There is no
way to guarantee a module unload will not crash because of an active
callback. The code attempts to minimize the chance with the registered
flag and the maximum 5 second delay before ast_manager_unregister()
returns.
The trunk version of the patch changes the API to fix the race condition
correctly to prevent the module code from unloading from memory while an
action callback is active.
* Don't hold the lock while calling the AMI action callback.
(closes issue ASTERISK-19487)
Reported by: Philippe Lindheimer
Review: https://reviewboard.asterisk.org/r/1818/
Review: https://reviewboard.asterisk.org/r/1820/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@359979 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The process_output function in manager.c attempted to call fclose and close immediately
afterwards. Since fclose implies close, this resulted in a potential double free on file
descriptors. This patch changes that behavior and also adds error checking to fclose and
close depending on which was deemed necessary. Also error messages. Thanks to Rosen
Iliev for pointing out the location of the problem.
(closes issue ASTERISK-18453)
Reported By: Jaco Kroon
Review: https://reviewboard.asterisk.org/r/1793/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@358214 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The astman_get_header() never returns NULL so the check by the code for
NULL would never fail.
(closes issue ASTERISK-16974)
Reported by: Nuno Borges
Patches:
0018325.patch (license #6116) patch uploaded by Nuno Borges (modified)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@354835 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Removes references to tlsbindport from http.conf.sample and manager.conf.sample
* Properly bind to port specified in tlsbindaddr, using the default port if specified.
* On a reload, properly close socket if the service has been disabled.
A note has been added to UPGRADE.txt to indicate how ports must be set for TLS.
(closes issue ASTERISK-16959)
reported by Olaf Holthausen
(closes issue ASTERISK-19201)
reported by Chris Mylonas
(closes issue ASTERISK-19204)
reported by Chris Mylonas
Review: https://reviewboard.asterisk.org/r/1709
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@353770 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Fix memory leak of vars in error paths for action_originate().
* Moved struct fast_originate_helper tech and data members to stringfields.
* Simplified ActionID header handling for fast_originate().
* Added doxygen note to ast_request() and ast_call() and the associated
channel callbacks that the data/addr parameters should be treated as const
char *.
Review: https://reviewboard.asterisk.org/r/1690/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@353454 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Fixed race between calling an AMI action callback and unregistering that
action. Refixes ASTERISK-13784 broken by ASTERISK-17785 change.
* Fixed potential memory leak if an AMI action failed to get registered
because is already was registered. Part of the ao2 conversion.
* Fixed AMI ListCommands action not walking the actions list with a lock
held.
* Fix usage of ast_strdupa() and alloca() in loops. Excess stack usage.
* Fix AMI Originate action Variable header requiring a space after the
header colon. Reported by Yaroslav Panych on the asterisk-dev list.
* Increased the number of listed variables allowed per AMI Originate
action Variable header to 64.
* Fixed AMI GetConfigJSON action output format.
* Fixed usage of res contents outside of scope in append_channel_vars().
* Fixed inconsistency of config file channelvars option. The values no
longer accumulate with every channelvars option in the config file. Only
the last value is kept to be consistent with the CLI "manager show
settings" command.
(closes issue ASTERISK-18479)
Reported by: Jaco Kroon
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@340279 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch adds an optional "module" attribute to the XML documentation spec
that allows the documentation processor to match apps with identical names from
different modules to their documentation. This patch also fixes a number of
bugs with the documentation processor and should make it a little more
efficient. Support for multiple languages has also been properly implemented.
ASTERISK-18130
Review: https://reviewboard.asterisk.org/r/1485/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@340108 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Dummy channels created by ast_dummy_channel_alloc() should be destoyed by
ast_channel_unref(). Using ast_channel_release() needlessly grabs the
channel container lock and can cause a deadlock as a result.
* Analyzed use of ast_dummy_channel_alloc() and made use
ast_channel_unref() when done with the dummy channel. (Primary reason for
the reported deadlock.)
* Made app_dial.c:dial_exec_full() not call ast_call() holding any channel
locks. Chan_local could not perform deadlock avoidance correctly.
(Potential deadlock exposed by this issue. Secondary reason for the
reported deadlock since the held lock was part of the deadlock chain.)
* Fixed some uses of ast_dummy_channel_alloc() not checking the returned
channel pointer for failure.
* Fixed some potential chan=NULL pointer usage in func_odbc.c. Protected
by testing the bogus_chan value.
* Fixed needlessly clearing a 1024 char auto array when setting the first
char to zero is enough in manager.c:action_getvar().
(closes issue ASTERISK-18613)
Reported by: Thomas Arimont
Patches:
jira_asterisk_18613_v1.8.patch (license #5621) patch uploaded by rmudgett
Tested by: Thomas Arimont
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@337973 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This update adds a new AMI event, TestEvent, which is enabled when the TEST_FRAMEWORK compiler flag is defined. It also adds initial usage of this event to app_voicemail. The TestEvent AMI event is used extensively by the voicemail tests in the Asterisk Test Suite.
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@332817 65c4cc65-6c06-0410-ace0-fbb531ad65f3
An empty string was not being checked for properly causing identification of
the module to be reloaded to fail and return an Error with message
"No such module."
(closes issue AST-616)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@331315 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The process_output() function calls ast_str_append() and xml_translate() on its
'out' parameter, which is a pointer to an ast_str buffer. If either of these
functions need to reallocate the ast_str so it will have more space, they will
free the existing buffer and allocate a new one, returning the address of the
new one. However, because process_output only receives a pointer to the ast_str,
not a pointer to its caller's variable holding the pointer, if the original
ast_str is freed, the caller will not know, and will continue to use it (and
later attempt to free it).
(reported by jkroon on #asterisk-dev)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@327950 65c4cc65-6c06-0410-ace0-fbb531ad65f3
https://origsvn.digium.com/svn/asterisk/branches/1.6.2
................
r323579 | seanbright | 2011-06-15 11:22:50 -0400 (Wed, 15 Jun 2011) | 32 lines
Merged revisions 323559 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4
........
r323559 | seanbright | 2011-06-15 11:15:30 -0400 (Wed, 15 Jun 2011) | 25 lines
Resolve a segfault/bus error when we try to map memory that falls on a page
boundary.
The fix for ASTERISK-15359 was incorrect in that it added 1 to the length of the
mmap'd region. The problem with this is that reading/writing to that extra byte
outside of the bounds of the underlying fd causes a bus error.
The real issue is that we are working with both a FILE * and the raw fd
underneath it and not synchronizing between them. The code that was removed in
ASTERISK-15359 was correct, but we weren't flushing the FILE * before mapping
the fd.
Looking at the manager code in 1.4 reveals that the FILE * in 'struct
mansession' is never used except to create a temporary file that we immediately
fdopen. This means we just need to write a 0 byte to the fd and everything will
just work. The other branches require a call to fflush() which, while not a
guaranteed fix, should reduce the likelihood of a crash.
This all makes sense in my head.
(closes issue ASTERISK-16460)
Reported by: Ravelomanantsoa Hoby (hoby)
Patches:
issue17747_1.4_svn_markII.patch uploaded by Sean Bright (license #5060)
........
................
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@323608 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The addition of connected line support in v1.8 changes the behavior of the
channel caller ID somewhat. The channel caller ID value no longer time
shares with the connected line ID on outgoing call legs. The timing of
some AMI events/responses output the connected line ID as caller ID.
These party ID's are now separate.
* The ConnectedLineNum and ConnectedLineName headers were added to many
AMI events/responses if the CallerIDNum/CallerIDName headers were also
present.
(closes issue #18252)
Reported by: gje
Tested by: rmudgett
Review: https://reviewboard.asterisk.org/r/1227/
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@320823 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Add ConnectedLineNum and ConnectedLineName headers to the output of the
AMI action Status. This makes it easier to find out who the channel is
connected to without having to lookup BridgedChannel or when they are
connected to an application (e.g.: VoiceMail) which has no bridged
channel.
* Bridged channels with no CallerID had "" instead of "<unknown>" output,
that might be a bug as "<unknown>" was what older versions used.
(closes issue #18158)
Reported by: gareth
Patches:
svn-292308.diff uploaded by gareth (license 208)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@320650 65c4cc65-6c06-0410-ace0-fbb531ad65f3
