Update for 18.2.2

When Asterisk sends a reinvite negotiating T38 faxing, it's possible a
crash can occur if the response contains a m=image and zero port. The
reinvite callback code now checks session_media to see if it is null or
not before trying to access the udptl variable on it.

ASTERISK-29305

Change-Id: I1dfc51c5fa586e38579ede4bc228edee213ccaa9
(cherry picked from commit 77328142b4)

.lastclean

@@ -0,0 +1 @@
+40

.version

@@ -0,0 +1 @@
+18.2.2

asterisk-18.2.2-summary.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-18.2.2</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-18.2.2</h3><h3 align="center">Date: 2021-03-04</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
+<li><a href="#summary">Summary</a></li>
+<li><a href="#contributors">Contributors</a></li>
+<li><a href="#closed_issues">Closed Issues</a></li>
+<li><a href="#diffstat">Diffstat</a></li>
+</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
+<li><a href="http://downloads.asterisk.org/pub/security/AST-2021-006.html">AST-2021-006</a></li>
+</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-18.2.1.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
+<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
+<tr valign="top"><td width="33%">1 Ben Ford <bford@digium.com><br/></td><td width="33%"><td width="33%">1 Gregory Massel <greg@csurf.co.za><br/></td></tr>
+</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Security</h3><h4>Category: Resources/res_pjsip_t38</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-29305">ASTERISK-29305</a>: ASTERISK-29203 / AST-2021-002 -- Another scenario is causing a crash<br/>Reported by: Gregory Massel<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=8c5fe5aac59577bed94b2b75ece0a4d505b56f59">[8c5fe5aac5]</a> Ben Ford -- AST-2021-006 - res_pjsip_t38.c: Check for session_media on reinvite.</li>
+</ul><br><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>0 files changed</pre><br></html>

asterisk-18.2.2-summary.txt

@@ -0,0 +1,84 @@
+                                Release Summary
+
+                                asterisk-18.2.2
+
+                                Date: 2021-03-04
+
+                           <asteriskteam@digium.com>
+
+     ----------------------------------------------------------------------
+
+                               Table of Contents
+
+    1. Summary
+    2. Contributors
+    3. Closed Issues
+    4. Diffstat
+
+     ----------------------------------------------------------------------
+
+                                    Summary
+
+                                 [Back to Top]
+
+   This release has been made to address one or more security vulnerabilities
+   that have been identified. A security advisory document has been published
+   for each vulnerability that includes additional information. Users of
+   versions of Asterisk that are affected are strongly encouraged to review
+   the advisories and determine what action they should take to protect their
+   systems from these issues.
+
+   Security Advisories:
+
+     * AST-2021-006
+
+   The data in this summary reflects changes that have been made since the
+   previous release, asterisk-18.2.1.
+
+     ----------------------------------------------------------------------
+
+                                  Contributors
+
+                                 [Back to Top]
+
+   This table lists the people who have submitted code, those that have
+   tested patches, as well as those that reported issues on the issue tracker
+   that were resolved in this release. For coders, the number is how many of
+   their patches (of any size) were committed into this release. For testers,
+   the number is the number of times their name was listed as assisting with
+   testing a patch. Finally, for reporters, the number is the number of
+   issues that they reported that were affected by commits that went into
+   this release.
+
+   Coders                   Testers                  Reporters                
+   1 Ben Ford                                        1 Gregory Massel         
+
+     ----------------------------------------------------------------------
+
+                                 Closed Issues
+
+                                 [Back to Top]
+
+   This is a list of all issues from the issue tracker that were closed by
+   changes that went into this release.
+
+  Security
+
+    Category: Resources/res_pjsip_t38
+
+   ASTERISK-29305: ASTERISK-29203 / AST-2021-002 -- Another scenario is
+   causing a crash
+   Reported by: Gregory Massel
+     * [8c5fe5aac5] Ben Ford -- AST-2021-006 - res_pjsip_t38.c: Check for
+       session_media on reinvite.
+
+     ----------------------------------------------------------------------
+
+                                Diffstat Results
+
+                                 [Back to Top]
+
+   This is a summary of the changes to the source code that went into this
+   release that was generated using the diffstat utility.
+
+ 0 files changed

configs/samples/rtp.conf.sample

@@ -45,6 +45,18 @@ rtpend=20000
 ; connected. This option is set to 4 by default.
 ; probation=8
 ;
+; Enable sRTP replay protection. Buggy SIP user agents (UAs) reset the
+; sequence number (RTP-SEQ) on a re-INVITE, for example, with Session Timers
+; or on Call Hold/Resume, but keep the synchronization source (RTP-SSRC). If
+; the new RTP-SEQ is higher than the previous one, the call continues if the
+; roll-over counter (sRTP-ROC) is zero (the call lasted less than 22 minutes).
+; In all other cases, the call faces one-way audio or even no audio at all.
+; "replay check failed (index too old)" gets printed continuously. This is a
+; software bug. You have to report this to the creator of that UA. Until it is
+; fixed, you could disable sRTP replay protection (see RFC 3711 section 3.3.2).
+; This option is enabled by default.
+; srtpreplayprotection=yes
+;
 ; Whether to enable or disable ICE support. This option is enabled by default.
 ; icesupport=false
 ;

contrib/realtime/mysql/mysql_cdr.sql

@@ -0,0 +1,41 @@
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL, 
+    CONSTRAINT alembic_version_pkc PRIMARY KEY (version_num)
+);
+
+-- Running upgrade  -> 210693f3123d
+
+CREATE TABLE cdr (
+    accountcode VARCHAR(20), 
+    src VARCHAR(80), 
+    dst VARCHAR(80), 
+    dcontext VARCHAR(80), 
+    clid VARCHAR(80), 
+    channel VARCHAR(80), 
+    dstchannel VARCHAR(80), 
+    lastapp VARCHAR(80), 
+    lastdata VARCHAR(80), 
+    start DATETIME, 
+    answer DATETIME, 
+    end DATETIME, 
+    duration INTEGER, 
+    billsec INTEGER, 
+    disposition VARCHAR(45), 
+    amaflags VARCHAR(45), 
+    userfield VARCHAR(256), 
+    uniqueid VARCHAR(150), 
+    linkedid VARCHAR(150), 
+    peeraccount VARCHAR(20), 
+    sequence INTEGER
+);
+
+INSERT INTO alembic_version (version_num) VALUES ('210693f3123d');
+
+-- Running upgrade 210693f3123d -> 54cde9847798
+
+ALTER TABLE cdr MODIFY accountcode VARCHAR(80) NULL;
+
+ALTER TABLE cdr MODIFY peeraccount VARCHAR(80) NULL;
+
+UPDATE alembic_version SET version_num='54cde9847798' WHERE alembic_version.version_num = '210693f3123d';
+

contrib/realtime/mysql/mysql_voicemail.sql

@@ -0,0 +1,35 @@
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL, 
+    CONSTRAINT alembic_version_pkc PRIMARY KEY (version_num)
+);
+
+-- Running upgrade  -> a2e9769475e
+
+CREATE TABLE voicemail_messages (
+    dir VARCHAR(255) NOT NULL, 
+    msgnum INTEGER NOT NULL, 
+    context VARCHAR(80), 
+    macrocontext VARCHAR(80), 
+    callerid VARCHAR(80), 
+    origtime INTEGER, 
+    duration INTEGER, 
+    recording BLOB, 
+    flag VARCHAR(30), 
+    category VARCHAR(30), 
+    mailboxuser VARCHAR(30), 
+    mailboxcontext VARCHAR(30), 
+    msg_id VARCHAR(40)
+);
+
+ALTER TABLE voicemail_messages ADD CONSTRAINT voicemail_messages_dir_msgnum PRIMARY KEY (dir, msgnum);
+
+CREATE INDEX voicemail_messages_dir ON voicemail_messages (dir);
+
+INSERT INTO alembic_version (version_num) VALUES ('a2e9769475e');
+
+-- Running upgrade a2e9769475e -> 39428242f7f5
+
+ALTER TABLE voicemail_messages MODIFY recording BLOB(4294967295) NULL;
+
+UPDATE alembic_version SET version_num='39428242f7f5' WHERE alembic_version.version_num = 'a2e9769475e';
+

contrib/realtime/postgresql/postgresql_cdr.sql

@@ -0,0 +1,45 @@
+BEGIN;
+
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL, 
+    CONSTRAINT alembic_version_pkc PRIMARY KEY (version_num)
+);
+
+-- Running upgrade  -> 210693f3123d
+
+CREATE TABLE cdr (
+    accountcode VARCHAR(20), 
+    src VARCHAR(80), 
+    dst VARCHAR(80), 
+    dcontext VARCHAR(80), 
+    clid VARCHAR(80), 
+    channel VARCHAR(80), 
+    dstchannel VARCHAR(80), 
+    lastapp VARCHAR(80), 
+    lastdata VARCHAR(80), 
+    start TIMESTAMP WITHOUT TIME ZONE, 
+    answer TIMESTAMP WITHOUT TIME ZONE, 
+    "end" TIMESTAMP WITHOUT TIME ZONE, 
+    duration INTEGER, 
+    billsec INTEGER, 
+    disposition VARCHAR(45), 
+    amaflags VARCHAR(45), 
+    userfield VARCHAR(256), 
+    uniqueid VARCHAR(150), 
+    linkedid VARCHAR(150), 
+    peeraccount VARCHAR(20), 
+    sequence INTEGER
+);
+
+INSERT INTO alembic_version (version_num) VALUES ('210693f3123d');
+
+-- Running upgrade 210693f3123d -> 54cde9847798
+
+ALTER TABLE cdr ALTER COLUMN accountcode TYPE VARCHAR(80);
+
+ALTER TABLE cdr ALTER COLUMN peeraccount TYPE VARCHAR(80);
+
+UPDATE alembic_version SET version_num='54cde9847798' WHERE alembic_version.version_num = '210693f3123d';
+
+COMMIT;
+

contrib/realtime/postgresql/postgresql_voicemail.sql

@@ -0,0 +1,39 @@
+BEGIN;
+
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL, 
+    CONSTRAINT alembic_version_pkc PRIMARY KEY (version_num)
+);
+
+-- Running upgrade  -> a2e9769475e
+
+CREATE TABLE voicemail_messages (
+    dir VARCHAR(255) NOT NULL, 
+    msgnum INTEGER NOT NULL, 
+    context VARCHAR(80), 
+    macrocontext VARCHAR(80), 
+    callerid VARCHAR(80), 
+    origtime INTEGER, 
+    duration INTEGER, 
+    recording BYTEA, 
+    flag VARCHAR(30), 
+    category VARCHAR(30), 
+    mailboxuser VARCHAR(30), 
+    mailboxcontext VARCHAR(30), 
+    msg_id VARCHAR(40)
+);
+
+ALTER TABLE voicemail_messages ADD CONSTRAINT voicemail_messages_dir_msgnum PRIMARY KEY (dir, msgnum);
+
+CREATE INDEX voicemail_messages_dir ON voicemail_messages (dir);
+
+INSERT INTO alembic_version (version_num) VALUES ('a2e9769475e');
+
+-- Running upgrade a2e9769475e -> 39428242f7f5
+
+ALTER TABLE voicemail_messages ALTER COLUMN recording TYPE BYTEA;
+
+UPDATE alembic_version SET version_num='39428242f7f5' WHERE alembic_version.version_num = 'a2e9769475e';
+
+COMMIT;
+

doc/CHANGES-staging/srtp_replay_protection.txt

@@ -0,0 +1,9 @@
+Subject: res_srtp
+
+SRTP replay protection has been added to res_srtp and
+a new configuration option "srtpreplayprotection" has
+been added to the rtp.conf config file.  For security
+reasons, the default setting is "yes".  Buggy clients
+may not handle this correctly which could result in
+no, or one way, audio and Asterisk error messages like
+"replay check failed".

doc/UPGRADE-staging/srtp_replay_protection.txt

@@ -0,0 +1,9 @@
+Subject: res_srtp
+
+SRTP replay protection has been added to res_srtp and
+a new configuration option "srtpreplayprotection" has
+been added to the rtp.conf config file.  For security
+reasons, the default setting is "yes".  Buggy clients
+may not handle this correctly which could result in
+no, or one way, audio and Asterisk error messages like
+"replay check failed".

res/res_pjsip_diversion.c

@@ -120,6 +120,7 @@ static enum AST_REDIRECTING_REASON cause_to_reason(const unsigned long cause) {
 static int add_supported(pjsip_tx_data *tdata)
 {
 	pjsip_supported_hdr *hdr;
+	unsigned int i;
 
 	hdr = pjsip_msg_find_hdr(tdata->msg, PJSIP_H_SUPPORTED, NULL);
 	if (!hdr) {
@@ -132,6 +133,19 @@ static int add_supported(pjsip_tx_data *tdata)
 		pjsip_msg_add_hdr(tdata->msg, (pjsip_hdr *)hdr);
 	}
 
+	/* Asterisk can send multiple "181 Call forwarded" in a single session,
+	 * we might have already modified Supported before
+	 */
+	for (i = 0; i < hdr->count; ++i) {
+		if (pj_stricmp(&hdr->values[i], &HISTINFO_SUPPORTED_NAME) == 0) {
+			return 0;
+		}
+	}
+
+	if (hdr->count >= PJSIP_GENERIC_ARRAY_MAX_COUNT) {
+		return -1;
+	}
+
 	/* add on to the existing Supported header */
 	pj_strassign(&hdr->values[hdr->count++], &HISTINFO_SUPPORTED_NAME);
 

res/res_pjsip_outbound_registration.c

@@ -615,6 +615,7 @@ static pj_status_t registration_client_send(struct sip_outbound_registration_cli
 static int add_to_supported_header(pjsip_tx_data *tdata, pj_str_t *name)
 {
 	pjsip_supported_hdr *hdr;
+	int i;
 
 	hdr = pjsip_msg_find_hdr(tdata->msg, PJSIP_H_SUPPORTED, NULL);
 	if (!hdr) {
@@ -628,6 +629,17 @@ static int add_to_supported_header(pjsip_tx_data *tdata, pj_str_t *name)
 		pjsip_msg_add_hdr(tdata->msg, (pjsip_hdr *)hdr);
 	}
 
+	/* Don't add the value if it's already there */
+	for (i = 0; i < hdr->count; ++i) {
+		if (pj_stricmp(&hdr->values[i], name) == 0) {
+			return 1;
+		}
+	}
+
+	if (hdr->count >= PJSIP_GENERIC_ARRAY_MAX_COUNT) {
+		return 0;
+	}
+
 	/* add on to the existing Supported header */
 	pj_strassign(&hdr->values[hdr->count++], name);
 

res/res_pjsip_path.c

@@ -123,6 +123,7 @@ static int path_get_string(pj_pool_t *pool, struct ast_sip_contact *contact, pj_
 static int add_supported(pjsip_tx_data *tdata)
 {
 	pjsip_supported_hdr *hdr;
+	int i;
 
 	hdr = pjsip_msg_find_hdr(tdata->msg, PJSIP_H_SUPPORTED, NULL);
 	if (!hdr) {
@@ -135,6 +136,17 @@ static int add_supported(pjsip_tx_data *tdata)
 		pjsip_msg_add_hdr(tdata->msg, (pjsip_hdr *)hdr);
 	}
 
+	/* Don't add the value if it's already there */
+	for (i = 0; i < hdr->count; ++i) {
+		if (pj_stricmp(&hdr->values[i], &PATH_SUPPORTED_NAME) == 0) {
+			return 0;
+		}
+	}
+
+	if (hdr->count >= PJSIP_GENERIC_ARRAY_MAX_COUNT) {
+		return -1;
+	}
+
 	/* add on to the existing Supported header */
 	pj_strassign(&hdr->values[hdr->count++], &PATH_SUPPORTED_NAME);
 

res/res_pjsip_session.c

@@ -2280,7 +2280,14 @@ static int sip_session_refresh(struct ast_sip_session *session,
 					ast_sip_session_get_name(session));
 			}
 
-			if (active_media_state && active_media_state->topology) {
+			/*
+			 * Attempt to resolve only if objects are available, and it's not
+			 * switching to or from an image type.
+			 */
+			if (active_media_state && active_media_state->topology &&
+				(!active_media_state->default_session[AST_MEDIA_TYPE_IMAGE] ==
+				 !pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE])) {
+
 				struct ast_sip_session_media_state *new_pending_state;
 				/*
 				 * We need to check if the passed in active and pending states are equal

res/res_pjsip_t38.c

@@ -320,6 +320,15 @@ static int t38_reinvite_response_cb(struct ast_sip_session *session, pjsip_rx_da
 		int index;
 
 		session_media = session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+
+		/*
+		 * If there is a session_media object, but no udptl object available
+		 * then it's assumed the stream was declined.
+		 */
+		if (session_media && !session_media->udptl) {
+			session_media = NULL;
+		}
+
 		if (!session_media) {
 			ast_log(LOG_WARNING, "Received %d response to T.38 re-invite on '%s' but no active session media\n",
 					status.code, session->channel ? ast_channel_name(session->channel) : "unknown channel");

res/res_rtp_asterisk.c

@@ -181,6 +181,7 @@ enum strict_rtp_mode {
 #define STRICT_RTP_LEARN_TIMEOUT	5000
 
 #define DEFAULT_STRICT_RTP STRICT_RTP_YES	/*!< Enabled by default */
+#define DEFAULT_SRTP_REPLAY_PROTECTION 1
 #define DEFAULT_ICESUPPORT 1
 #define DEFAULT_DTLS_MTU 1200
 
@@ -203,6 +204,7 @@ static int nochecksums;
 static int strictrtp = DEFAULT_STRICT_RTP; /*!< Only accept RTP frames from a defined source. If we receive an indication of a changing source, enter learning mode. */
 static int learning_min_sequential = DEFAULT_LEARNING_MIN_SEQUENTIAL; /*!< Number of sequential RTP frames needed from a single source during learning mode to accept new source. */
 static int learning_min_duration = DEFAULT_LEARNING_MIN_DURATION; /*!< Lowest acceptable timeout between the first and the last sequential RTP frame. */
+static int srtp_replay_protection = DEFAULT_SRTP_REPLAY_PROTECTION;
 #if defined(HAVE_OPENSSL) && (OPENSSL_VERSION_NUMBER >= 0x10001000L) && !defined(OPENSSL_NO_SRTP)
 static int dtls_mtu = DEFAULT_DTLS_MTU;
 #endif
@@ -6082,7 +6084,7 @@ static struct ast_frame *ast_rtcp_interpret(struct ast_rtp_instance *instance, s
 
 	/* If this is encrypted then decrypt the payload */
 	if ((*rtcpheader & 0xC0) && res_srtp && srtp && res_srtp->unprotect(
-		    srtp, rtcpheader, &len, 1) < 0) {
+		    srtp, rtcpheader, &len, 1 | (srtp_replay_protection << 1)) < 0) {
 	   return &ast_null_frame;
 	}
 
@@ -6932,7 +6934,7 @@ static int rtp_transport_wide_cc_feedback_produce(const void *data)
 			/* If there is no more room left for storing packets stop now, we leave 20
 			 * extra bits at the end just in case.
 			 */
-			if ((sizeof(bdata) - (packet_len + delta_len + 20)) < 0) {
+			if (packet_len + delta_len + 20 > sizeof(bdata)) {
 				res = -1;
 				break;
 			}
@@ -6966,7 +6968,7 @@ static int rtp_transport_wide_cc_feedback_produce(const void *data)
 		previous_packet = statistics;
 
 		/* If there is no more room left in the packet stop handling of any subsequent packets */
-		if ((sizeof(bdata) - (packet_len + delta_len + 20)) < 0) {
+		if (packet_len + delta_len + 20 > sizeof(bdata)) {
 			break;
 		}
 	}
@@ -7170,7 +7172,7 @@ static struct ast_frame *ast_rtp_interpret(struct ast_rtp_instance *instance, st
 
 	/* If this payload is encrypted then decrypt it using the given SRTP instance */
 	if ((*read_area & 0xC0) && res_srtp && srtp && res_srtp->unprotect(
-		    srtp, read_area, &res, 0) < 0) {
+		    srtp, read_area, &res, 0 | (srtp_replay_protection << 1)) < 0) {
 		return &ast_null_frame;
 	}
 
@@ -8958,6 +8960,8 @@ static char *handle_cli_rtp_settings(struct ast_cli_entry *e, int cmd, struct as
 	if (strictrtp) {
 		ast_cli(a->fd, "  Probation:       %d frames\n", learning_min_sequential);
 	}
+
+	ast_cli(a->fd, "  Replay Protect:  %s\n", AST_CLI_YESNO(srtp_replay_protection));
 #ifdef HAVE_PJPROJECT
 	ast_cli(a->fd, "  ICE support:     %s\n", AST_CLI_YESNO(icesupport));
 #endif
@@ -9060,6 +9064,7 @@ static int rtp_reload(int reload, int by_external_config)
 	strictrtp = DEFAULT_STRICT_RTP;
 	learning_min_sequential = DEFAULT_LEARNING_MIN_SEQUENTIAL;
 	learning_min_duration = DEFAULT_LEARNING_MIN_DURATION;
+	srtp_replay_protection = DEFAULT_SRTP_REPLAY_PROTECTION;
 
 	/** This resource is not "reloaded" so much as unloaded and loaded again.
 	 * In the case of the TURN related variables, the memory referenced by a
@@ -9139,6 +9144,9 @@ static int rtp_reload(int reload, int by_external_config)
 		}
 		learning_min_duration = CALC_LEARNING_MIN_DURATION(learning_min_sequential);
 	}
+	if ((s = ast_variable_retrieve(cfg, "general", "srtpreplayprotection"))) {
+		srtp_replay_protection = ast_true(s);
+	}
 #ifdef HAVE_PJPROJECT
 	if ((s = ast_variable_retrieve(cfg, "general", "icesupport"))) {
 		icesupport = ast_true(s);

res/res_srtp.c

@@ -364,11 +364,12 @@ static void ast_srtp_set_cb(struct ast_srtp *srtp, const struct ast_srtp_cb *cb,
 }
 
 /* Vtable functions */
-static int ast_srtp_unprotect(struct ast_srtp *srtp, void *buf, int *len, int rtcp)
+static int ast_srtp_unprotect(struct ast_srtp *srtp, void *buf, int *len, int flags)
 {
 	int res = 0;
 	int i;
-	int retry = 0;
+	int rtcp  = (flags & 0x01) >> 0;
+	int retry = (flags & 0x02) >> 1;
 	struct ast_rtp_instance_stats stats = {0,};
 
 tryagain:

third-party/pjproject/patches/0080-fix-sdp-neg-modify-local-offer.patch

@@ -0,0 +1,33 @@
+diff --git a/pjmedia/src/pjmedia/sdp_neg.c b/pjmedia/src/pjmedia/sdp_neg.c
+index 3b85b4273..a14009662 100644
+--- a/pjmedia/src/pjmedia/sdp_neg.c
++++ b/pjmedia/src/pjmedia/sdp_neg.c
+@@ -304,7 +304,6 @@ PJ_DEF(pj_status_t) pjmedia_sdp_neg_modify_local_offer2(
+ {
+     pjmedia_sdp_session *new_offer;
+     pjmedia_sdp_session *old_offer;
+-    char media_used[PJMEDIA_MAX_SDP_MEDIA];
+     unsigned oi; /* old offer media index */
+     pj_status_t status;
+ 
+@@ -323,8 +322,19 @@ PJ_DEF(pj_status_t) pjmedia_sdp_neg_modify_local_offer2(
+     /* Change state to STATE_LOCAL_OFFER */
+     neg->state = PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER;
+ 
++    /* When there is no active local SDP in state PJMEDIA_SDP_NEG_STATE_DONE,
++     * it means that the previous initial SDP nego must have been failed,
++     * so we'll just set the local SDP offer here.
++     */
++    if (!neg->active_local_sdp) {
++	neg->initial_sdp_tmp = NULL;
++	neg->initial_sdp = pjmedia_sdp_session_clone(pool, local);
++	neg->neg_local_sdp = pjmedia_sdp_session_clone(pool, local);
++
++	return PJ_SUCCESS;
++    }
++
+     /* Init vars */
+-    pj_bzero(media_used, sizeof(media_used));
+     old_offer = neg->active_local_sdp;
+     new_offer = pjmedia_sdp_session_clone(pool, local);
+