Update for 13.18.5

Those SIP messages that create dialogs require a contact header to be present.
If the contact header was missing from the message it could cause Asterisk to
crash.

This patch checks to make sure SIP messages that create a dialog contain the
contact header. If the message does not and it is required Asterisk now returns
a "400 Missing Contact header" response. Also added NULL checks when retrieving
the contact header that were missing as a "just in case".

ASTERISK-27480 #close

Change-Id: I1810db87683fc637a9e3e1384a746037fec20afe
(cherry picked from commit 53799318bc)

.version

@@ -1 +1 @@
-13.18.3
+13.18.5

ChangeLog

@@ -1,3 +1,52 @@
+2017-12-22 22:21 +0000  Asterisk Development Team <asteriskteam@digium.com>
+
+	* asterisk 13.18.5 Released.
+
+2017-12-20 16:17 +0000 [5b5cb3dfe8]  Kevin Harwell <kharwell@digium.com>
+
+	* AST-2017-014: res_pjsip - Missing contact header can cause crash
+
+	  Those SIP messages that create dialogs require a contact header to be present.
+	  If the contact header was missing from the message it could cause Asterisk to
+	  crash.
+
+	  This patch checks to make sure SIP messages that create a dialog contain the
+	  contact header. If the message does not and it is required Asterisk now returns
+	  a "400 Missing Contact header" response. Also added NULL checks when retrieving
+	  the contact header that were missing as a "just in case".
+
+	  ASTERISK-27480 #close
+
+	  Change-Id: I1810db87683fc637a9e3e1384a746037fec20afe
+	  (cherry picked from commit 53799318bc040a2082904df86d42ab08790b47ec)
+
+2017-12-13 14:33 +0000  Asterisk Development Team <asteriskteam@digium.com>
+
+	* asterisk 13.18.4 Released.
+
+2017-11-30 10:12 +0000 [8052b5d76e]  Joshua Colp <jcolp@digium.com>
+
+	* AST-2017-012: Place single RTCP report block at beginning of report.
+
+	  When the RTCP code was transitioned over to Stasis a code change
+	  was made to keep track of how many reports are present. This count
+	  controlled where report blocks were placed in the RTCP report.
+
+	  If a compound RTCP packet was received this logic would incorrectly
+	  place a report block in the wrong location resulting in a write
+	  to an invalid location.
+
+	  This change removes this counting logic and always places the report
+	  block at the first position. If in the future multiple reports are
+	  supported the logic can be extended but for now keeping a count
+	  serves no purpose.
+
+	  ASTERISK-27382
+	  ASTERISK-27429
+
+	  Change-Id: Iad6c8a9985c4b608ef493e19c421211615485116
+	  (cherry picked from commit 5705e8ae0e05602d5399faa561c3119cfb83eca3)
+
 2017-12-01 19:42 +0000  Asterisk Development Team <asteriskteam@digium.com>
 
 	* asterisk 13.18.3 Released.

asterisk-13.18.3-summary.html

@@ -1,13 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-13.18.3</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-13.18.3</h3><h3 align="center">Date: 2017-12-01</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
-<li><a href="#summary">Summary</a></li>
-<li><a href="#contributors">Contributors</a></li>
-<li><a href="#closed_issues">Closed Issues</a></li>
-<li><a href="#diffstat">Diffstat</a></li>
-</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
-<li><a href="http://downloads.asterisk.org/pub/security/AST-2017-013.html">AST-2017-013</a></li>
-</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-13.18.2.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
-<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
-<tr valign="top"><td width="33%">1 George Joseph <gjoseph@digium.com><br/></td><td width="33%"><td width="33%">1 Juan Sacco<br/>1 George Joseph <gjoseph@digium.com><br/></td></tr>
-</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Bug</h3><h4>Category: Channels/chan_skinny</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27452">ASTERISK-27452</a>: Security: chan_skinny:  Memory exhaustion if flooded with unauthenticated requests<br/>Reported by: George Joseph<ul>
-<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=65ca0785facae1dda45fffc9e6bc70ebcb2e5e08">[65ca0785fa]</a> George Joseph -- AST-2017-013: chan_skinny: Call pthread_detach when sess threads end</li>
-</ul><br><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>0 files changed</pre><br></html>

asterisk-13.18.5-summary.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-13.18.5</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-13.18.5</h3><h3 align="center">Date: 2017-12-22</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
+<li><a href="#summary">Summary</a></li>
+<li><a href="#contributors">Contributors</a></li>
+<li><a href="#closed_issues">Closed Issues</a></li>
+<li><a href="#diffstat">Diffstat</a></li>
+</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release is a point release of an existing major version. The changes included were made to address problems that have been identified in this release series, or are minor, backwards compatible new features or improvements. Users should be able to safely upgrade to this version if this release series is already in use. Users considering upgrading from a previous version are strongly encouraged to review the UPGRADE.txt document as well as the CHANGES document for information about upgrading to this release series.</p><p>The data in this summary reflects changes that have been made since the previous release, asterisk-13.18.4.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
+<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
+<tr valign="top"><td width="33%">1 Kevin Harwell <kharwell@digium.com><br/></td><td width="33%"><td width="33%">1 Ross Beer <ross.beer@voicehost.co.uk><br/></td></tr>
+</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Bug</h3><h4>Category: Channels/chan_pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27480">ASTERISK-27480</a>: Security: Authenticated SUBSCRIBE without Contact crashes asterisk<br/>Reported by: Ross Beer<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=5b5cb3dfe8725afba13c70b32ae8d028eedf90bc">[5b5cb3dfe8]</a> Kevin Harwell -- AST-2017-014: res_pjsip - Missing contact header can cause crash</li>
+</ul><br><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>0 files changed</pre><br></html>

asterisk-13.18.5-summary.txt

@@ -1,8 +1,8 @@
                                 Release Summary
 
-                                asterisk-13.18.3
+                                asterisk-13.18.5
 
-                                Date: 2017-12-01
+                                Date: 2017-12-22
 
                            <asteriskteam@digium.com>
 
@@ -21,19 +21,17 @@
 
                                  [Back to Top]
 
-   This release has been made to address one or more security vulnerabilities
-   that have been identified. A security advisory document has been published
-   for each vulnerability that includes additional information. Users of
-   versions of Asterisk that are affected are strongly encouraged to review
-   the advisories and determine what action they should take to protect their
-   systems from these issues.
-
-   Security Advisories:
-
-     * AST-2017-013
+   This release is a point release of an existing major version. The changes
+   included were made to address problems that have been identified in this
+   release series, or are minor, backwards compatible new features or
+   improvements. Users should be able to safely upgrade to this version if
+   this release series is already in use. Users considering upgrading from a
+   previous version are strongly encouraged to review the UPGRADE.txt
+   document as well as the CHANGES document for information about upgrading
+   to this release series.
 
    The data in this summary reflects changes that have been made since the
-   previous release, asterisk-13.18.2.
+   previous release, asterisk-13.18.4.
 
      ----------------------------------------------------------------------
 
@@ -51,8 +49,7 @@
    this release.
 
    Coders                   Testers                  Reporters                
-   1 George Joseph                                   1 Juan Sacco             
-                                                     1 George Joseph          
+   1 Kevin Harwell                                   1 Ross Beer              
 
      ----------------------------------------------------------------------
 
@@ -65,13 +62,13 @@
 
   Bug
 
-    Category: Channels/chan_skinny
+    Category: Channels/chan_pjsip
 
-   ASTERISK-27452: Security: chan_skinny: Memory exhaustion if flooded with
-   unauthenticated requests
-   Reported by: George Joseph
-     * [65ca0785fa] George Joseph -- AST-2017-013: chan_skinny: Call
-       pthread_detach when sess threads end
+   ASTERISK-27480: Security: Authenticated SUBSCRIBE without Contact crashes
+   asterisk
+   Reported by: Ross Beer
+     * [5b5cb3dfe8] Kevin Harwell -- AST-2017-014: res_pjsip - Missing
+       contact header can cause crash
 
      ----------------------------------------------------------------------
 

res/res_pjsip.c

@@ -3233,7 +3233,7 @@ pjsip_dialog *ast_sip_create_dialog_uas(const struct ast_sip_endpoint *endpoint,
 	ast_assert(status != NULL);
 
 	contact_hdr = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_CONTACT, NULL);
-	if (ast_sip_set_tpselector_from_ep_or_uri(endpoint, pjsip_uri_get_uri(contact_hdr->uri),
+	if (!contact_hdr || ast_sip_set_tpselector_from_ep_or_uri(endpoint, pjsip_uri_get_uri(contact_hdr->uri),
 		&selector)) {
 		return NULL;
 	}

res/res_pjsip/pjsip_message_filter.c

@@ -429,15 +429,27 @@ static pj_bool_t on_rx_process_uris(pjsip_rx_data *rdata)
 		return PJ_TRUE;
 	}
 
-	while ((contact =
-		(pjsip_contact_hdr *) pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_CONTACT,
-			contact ? contact->next : NULL))) {
+
+	contact = (pjsip_contact_hdr *) pjsip_msg_find_hdr(
+		rdata->msg_info.msg, PJSIP_H_CONTACT, NULL);
+
+	if (!contact && pjsip_method_creates_dialog(&rdata->msg_info.msg->line.req.method)) {
+		/* A contact header is required for dialog creating methods */
+		static const pj_str_t missing_contact = { "Missing Contact header", 22 };
+		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 400,
+				&missing_contact, NULL, NULL);
+		return PJ_TRUE;
+	}
+
+	while (contact) {
 		if (!contact->star && !is_sip_uri(contact->uri)) {
 			print_uri_debug(URI_TYPE_CONTACT, rdata, (pjsip_hdr *)contact);
 			pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata,
 				PJSIP_SC_UNSUPPORTED_URI_SCHEME, NULL, NULL, NULL);
 			return PJ_TRUE;
 		}
+		contact = (pjsip_contact_hdr *) pjsip_msg_find_hdr(
+			rdata->msg_info.msg, PJSIP_H_CONTACT, contact->next);
 	}
 
 	return PJ_FALSE;

res/res_pjsip_pubsub.c

@@ -613,8 +613,12 @@ static void subscription_persistence_update(struct sip_subscription_tree *sub_tr
 		expires = expires_hdr ? expires_hdr->ivalue : DEFAULT_PUBLISH_EXPIRES;
 		sub_tree->persistence->expires = ast_tvadd(ast_tvnow(), ast_samp2tv(expires, 1));
 
-		pjsip_uri_print(PJSIP_URI_IN_CONTACT_HDR, contact_hdr->uri,
-			sub_tree->persistence->contact_uri, sizeof(sub_tree->persistence->contact_uri));
+		if (contact_hdr) {
+			pjsip_uri_print(PJSIP_URI_IN_CONTACT_HDR, contact_hdr->uri,
+					sub_tree->persistence->contact_uri, sizeof(sub_tree->persistence->contact_uri));
+		} else {
+			ast_log(LOG_WARNING, "Contact not updated due to missing contact header\n");
+		}
 
 		/* When receiving a packet on an streaming transport, it's possible to receive more than one SIP
 		 * message at a time into the rdata->pkt_info.packet buffer. However, the rdata->msg_info.msg_buf

res/res_rtp_asterisk.c

@@ -4704,7 +4704,6 @@ static struct ast_frame *ast_rtcp_interpret(struct ast_rtp_instance *instance, c
 	unsigned int first_word;
 	/*! True if we have seen an acceptable SSRC to learn the remote RTCP address */
 	unsigned int ssrc_seen;
-	int report_counter = 0;
 	struct ast_rtp_rtcp_report_block *report_block;
 	struct ast_frame *f = &ast_null_frame;
 
@@ -4918,7 +4917,7 @@ static struct ast_frame *ast_rtcp_interpret(struct ast_rtp_instance *instance, c
 				if (!report_block) {
 					return &ast_null_frame;
 				}
-				rtcp_report->report_block[report_counter] = report_block;
+				rtcp_report->report_block[0] = report_block;
 				report_block->source_ssrc = ntohl(rtcpheader[i]);
 				report_block->lost_count.packets = ntohl(rtcpheader[i + 1]) & 0x00ffffff;
 				report_block->lost_count.fraction = ((ntohl(rtcpheader[i + 1]) & 0xff000000) >> 24);
@@ -4955,7 +4954,6 @@ static struct ast_frame *ast_rtcp_interpret(struct ast_rtp_instance *instance, c
 					ast_verbose("  DLSR: %4.4f (sec)\n",(double)report_block->dlsr / 65536.0);
 					ast_verbose("  RTT: %4.4f(sec)\n", rtp->rtcp->rtt);
 				}
-				report_counter++;
 			}
 			/* If and when we handle more than one report block, this should occur outside
 			 * this loop.