Update for 20.0.1

Backports two security fixes (c4d3498 and 450baca) from pjproject 2.13.

ASTERISK-30338

Change-Id: I86fdc003d5d22cb66e7cc6dc3313a8194f27eb69

.lastclean

@@ -0,0 +1 @@
+40

.version

@@ -0,0 +1 @@
+20.0.1

UPGRADE.txt

@@ -18,6 +18,19 @@
 ===
 ===========================================================
 
+------------------------------------------------------------------------------
+--- Functionality changes from Asterisk 20.0.0 to Asterisk 20.0.1 ------------
+------------------------------------------------------------------------------
+
+AMI (Asterisk Manager Interface)
+------------------
+ * Previously, GetConfig and UpdateConfig were able to access files outside of
+   the Asterisk configuration directory. Now this access is put behind the
+   live_dangerously configuration option in asterisk.conf, which is disabled by
+   default. If access to configuration files outside of the Asterisk configuation
+   directory is required via AMI, then the live_dangerously configuration option
+   must be set to yes.
+
 ------------------------------------------------------------------------------
 --- Functionality changes from Asterisk 19.0.0 to Asterisk 20.0.0 ------------
 ------------------------------------------------------------------------------

addons/ooh323c/src/ooq931.c

@@ -192,11 +192,13 @@ EXTERN int ooQ931Decode
          screening indicators ;-) */
       if(ie->discriminator == Q931CallingPartyNumberIE)
       {
+         int numoffset=1;
          OOTRACEDBGB1("   CallingPartyNumber IE = {\n");
-         if(ie->length < OO_MAX_NUMBER_LENGTH)
+         if(!(0x80 & ie->data[0])) numoffset = 2;
+
+         if( (ie->length >= numoffset) &&
+             (ie->length < OO_MAX_NUMBER_LENGTH) )
          {
-            int numoffset=1;
-            if(!(0x80 & ie->data[0])) numoffset = 2;
             memcpy(number, ie->data+numoffset,ie->length-numoffset);
             number[ie->length-numoffset]='\0';
             OOTRACEDBGB2("      %s\n", number);
@@ -204,7 +206,7 @@ EXTERN int ooQ931Decode
                ooCallSetCallingPartyNumber(call, number);
          }
          else{
-            OOTRACEERR3("Error:Calling party number too long. (%s, %s)\n",
+            OOTRACEERR3("Error:Calling party number outside range. (%s, %s)\n",
                            call->callType, call->callToken);
          }
          OOTRACEDBGB1("   }\n");
@@ -214,7 +216,8 @@ EXTERN int ooQ931Decode
       if(ie->discriminator == Q931CalledPartyNumberIE)
       {
          OOTRACEDBGB1("   CalledPartyNumber IE = {\n");
-         if(ie->length < OO_MAX_NUMBER_LENGTH)
+         if( (ie->length >= 1) &&
+             (ie->length < OO_MAX_NUMBER_LENGTH) )
          {
             memcpy(number, ie->data+1,ie->length-1);
             number[ie->length-1]='\0';
@@ -223,7 +226,7 @@ EXTERN int ooQ931Decode
                ooCallSetCalledPartyNumber(call, number);
          }
          else{
-            OOTRACEERR3("Error:Calling party number too long. (%s, %s)\n",
+            OOTRACEERR3("Error:Calling party number outside range. (%s, %s)\n",
                            call->callType, call->callToken);
          }
          OOTRACEDBGB1("   }\n");

asterisk-20.0.1-summary.html

@@ -0,0 +1,34 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-20.0.1</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-20.0.1</h3><h3 align="center">Date: 2022-12-01</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
+<li><a href="#summary">Summary</a></li>
+<li><a href="#contributors">Contributors</a></li>
+<li><a href="#closed_issues">Closed Issues</a></li>
+<li><a href="#commits">Other Changes</a></li>
+<li><a href="#diffstat">Diffstat</a></li>
+</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
+<li><a href="http://downloads.asterisk.org/pub/security/AST-2022-007,AST-2022-008,AST-2022-009.html">AST-2022-007,AST-2022-008,AST-2022-009</a></li>
+</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-20.0.0.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
+<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
+<tr valign="top"><td width="33%">2 Mike Bradeen <mbradeen@sangoma.com><br/>1 Asterisk Development Team <asteriskteam@digium.com><br/>1 George Joseph <gjoseph@digium.com><br/>1 Ben Ford <bford@digium.com><br/></td><td width="33%"><td width="33%">1 shawty <shawty.d.ds@googlemail.com><br/>1 nappsoft <infos@nappsoft.ch><br/>1 Benjamin Keith Ford <bford@digium.com><br/>1 Michael Bradeen <mbradeen@sangoma.com><br/></td></tr>
+</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Security</h3><h4>Category: Addons/chan_ooh323</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-30103">ASTERISK-30103</a>: chan_ooh323 Vulnerability in calling/called party IE<br/>Reported by: Michael Bradeen<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=d420314ffdba7cb143b98a8cc501719e915dc4f7">[d420314ffd]</a> Mike Bradeen -- ooh323c: not checking for IE minimum length</li>
+</ul><br><h4>Category: Core/ManagerInterface</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-30176">ASTERISK-30176</a>: manager: GetConfig can read files outside of Asterisk<br/>Reported by: shawty<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=0f44cd885a3723774f63a25048057a8bd7acd94b">[0f44cd885a]</a> Mike Bradeen -- manager: prevent file access outside of config dir</li>
+</ul><br><h4>Category: pjproject/pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-30338">ASTERISK-30338</a>: pjproject: Backport security fixes from 2.13<br/>Reported by: Benjamin Keith Ford<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=702f400e3e2ae2e301d3399906e246487b2f517f">[702f400e3e]</a> Ben Ford -- pjproject: 2.13 security fixes</li>
+</ul><br><h3>Bug</h3><h4>Category: Resources/res_pjsip_pubsub</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-30244">ASTERISK-30244</a>: res_pjsip_pubsub: Occasional crash when TCP/TLS connection terminated and subscription persistence is removed<br/>Reported by: nappsoft<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=ed45a9182d17b27fb78546da4ef392210f19464c">[ed45a9182d]</a> George Joseph -- pjsip_transport_events: Fix possible use after free on transport</li>
+</ul><br><hr><a name="commits"><h2 align="center">Commits Not Associated with an Issue</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all changes that went into this release that did not reference a JIRA issue.</p><table width="100%" border="1">
+<tr><th>Revision</th><th>Author</th><th>Summary</th></tr>
+<tr><td><a href="https://code.asterisk.org/code/changelog/asterisk?cs=cdc655b2a6804aedc279d5fd0a5e2317a3c146a9">cdc655b2a6</a></td><td>Asterisk Development Team</td><td>Update CHANGES and UPGRADE.txt for 20.0.1</td></tr>
+</table><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>UPGRADE.txt                                                                                     |   13
+addons/ooh323c/src/ooq931.c                                                                     |   15
+configs/samples/asterisk.conf.sample                                                            |   11
+include/asterisk/manager.h                                                                      |   12
+include/asterisk/res_pjsip.h                                                                    |   83 ++
+main/manager.c                                                                                  |   42 +
+main/options.c                                                                                  |    1
+res/res_pjsip/pjsip_transport_events.c                                                          |  214 ++++++-
+res/res_pjsip_outbound_registration.c                                                           |   28
+res/res_pjsip_pubsub.c                                                                          |   25
+third-party/pjproject/patches/0200-potential-buffer-overflow-in-pjlib-scanner-and-pjmedia.patch |  289 ++++++++++
+11 files changed, 680 insertions(+), 53 deletions(-)</pre><br></html>

asterisk-20.0.1-summary.txt

@@ -0,0 +1,137 @@
+                                Release Summary
+
+                                asterisk-20.0.1
+
+                                Date: 2022-12-01
+
+                           <asteriskteam@digium.com>
+
+     ----------------------------------------------------------------------
+
+                               Table of Contents
+
+    1. Summary
+    2. Contributors
+    3. Closed Issues
+    4. Other Changes
+    5. Diffstat
+
+     ----------------------------------------------------------------------
+
+                                    Summary
+
+                                 [Back to Top]
+
+   This release has been made to address one or more security vulnerabilities
+   that have been identified. A security advisory document has been published
+   for each vulnerability that includes additional information. Users of
+   versions of Asterisk that are affected are strongly encouraged to review
+   the advisories and determine what action they should take to protect their
+   systems from these issues.
+
+   Security Advisories:
+
+     * AST-2022-007,AST-2022-008,AST-2022-009
+
+   The data in this summary reflects changes that have been made since the
+   previous release, asterisk-20.0.0.
+
+     ----------------------------------------------------------------------
+
+                                  Contributors
+
+                                 [Back to Top]
+
+   This table lists the people who have submitted code, those that have
+   tested patches, as well as those that reported issues on the issue tracker
+   that were resolved in this release. For coders, the number is how many of
+   their patches (of any size) were committed into this release. For testers,
+   the number is the number of times their name was listed as assisting with
+   testing a patch. Finally, for reporters, the number is the number of
+   issues that they reported that were affected by commits that went into
+   this release.
+
+   Coders                      Testers               Reporters                
+   2 Mike Bradeen                                    1 shawty                 
+   1 Asterisk Development Team                       1 nappsoft               
+   1 George Joseph                                   1 Benjamin Keith Ford    
+   1 Ben Ford                                        1 Michael Bradeen        
+
+     ----------------------------------------------------------------------
+
+                                 Closed Issues
+
+                                 [Back to Top]
+
+   This is a list of all issues from the issue tracker that were closed by
+   changes that went into this release.
+
+  Security
+
+    Category: Addons/chan_ooh323
+
+   ASTERISK-30103: chan_ooh323 Vulnerability in calling/called party IE
+   Reported by: Michael Bradeen
+     * [d420314ffd] Mike Bradeen -- ooh323c: not checking for IE minimum
+       length
+
+    Category: Core/ManagerInterface
+
+   ASTERISK-30176: manager: GetConfig can read files outside of Asterisk
+   Reported by: shawty
+     * [0f44cd885a] Mike Bradeen -- manager: prevent file access outside of
+       config dir
+
+    Category: pjproject/pjsip
+
+   ASTERISK-30338: pjproject: Backport security fixes from 2.13
+   Reported by: Benjamin Keith Ford
+     * [702f400e3e] Ben Ford -- pjproject: 2.13 security fixes
+
+  Bug
+
+    Category: Resources/res_pjsip_pubsub
+
+   ASTERISK-30244: res_pjsip_pubsub: Occasional crash when TCP/TLS connection
+   terminated and subscription persistence is removed
+   Reported by: nappsoft
+     * [ed45a9182d] George Joseph -- pjsip_transport_events: Fix possible use
+       after free on transport
+
+     ----------------------------------------------------------------------
+
+                      Commits Not Associated with an Issue
+
+                                 [Back to Top]
+
+   This is a list of all changes that went into this release that did not
+   reference a JIRA issue.
+
+   +------------------------------------------------------------------------+
+   | Revision   | Author                    | Summary                       |
+   |------------+---------------------------+-------------------------------|
+   | cdc655b2a6 | Asterisk Development Team | Update CHANGES and            |
+   |            |                           | UPGRADE.txt for 20.0.1        |
+   +------------------------------------------------------------------------+
+
+     ----------------------------------------------------------------------
+
+                                Diffstat Results
+
+                                 [Back to Top]
+
+   This is a summary of the changes to the source code that went into this
+   release that was generated using the diffstat utility.
+
+ UPGRADE.txt                                                                                     |   13
+ addons/ooh323c/src/ooq931.c                                                                     |   15
+ configs/samples/asterisk.conf.sample                                                            |   11
+ include/asterisk/manager.h                                                                      |   12
+ include/asterisk/res_pjsip.h                                                                    |   83 ++
+ main/manager.c                                                                                  |   42 +
+ main/options.c                                                                                  |    1
+ res/res_pjsip/pjsip_transport_events.c                                                          |  214 ++++++-
+ res/res_pjsip_outbound_registration.c                                                           |   28
+ res/res_pjsip_pubsub.c                                                                          |   25
+ third-party/pjproject/patches/0200-potential-buffer-overflow-in-pjlib-scanner-and-pjmedia.patch |  289 ++++++++++
+ 11 files changed, 680 insertions(+), 53 deletions(-)

configs/samples/asterisk.conf.sample

@@ -95,10 +95,13 @@ documentation_language = en_US	; Set the language you want documentation
 				;         documented in extensions.conf.sample.
 				; Default gosub.
 ;live_dangerously = no		; Enable the execution of 'dangerous' dialplan
-				; functions from external sources (AMI,
-				; etc.) These functions (such as SHELL) are
-				; considered dangerous because they can allow
-				; privilege escalation.
+				; functions and configuration file access from
+				; external sources (AMI, etc.) These functions
+				; (such as SHELL) are considered dangerous
+				; because they can allow privilege escalation.
+				; Configuration files are considered dangerous
+				; if they exist outside of the Asterisk
+				; configuration directory.
 				; Default no
 ;entityid=00:11:22:33:44:55	; Entity ID.
 				; This is in the form of a MAC address.

contrib/realtime/mysql/mysql_cdr.sql

@@ -0,0 +1,41 @@
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL, 
+    CONSTRAINT alembic_version_pkc PRIMARY KEY (version_num)
+);
+
+-- Running upgrade  -> 210693f3123d
+
+CREATE TABLE cdr (
+    accountcode VARCHAR(20), 
+    src VARCHAR(80), 
+    dst VARCHAR(80), 
+    dcontext VARCHAR(80), 
+    clid VARCHAR(80), 
+    channel VARCHAR(80), 
+    dstchannel VARCHAR(80), 
+    lastapp VARCHAR(80), 
+    lastdata VARCHAR(80), 
+    start DATETIME, 
+    answer DATETIME, 
+    end DATETIME, 
+    duration INTEGER, 
+    billsec INTEGER, 
+    disposition VARCHAR(45), 
+    amaflags VARCHAR(45), 
+    userfield VARCHAR(256), 
+    uniqueid VARCHAR(150), 
+    linkedid VARCHAR(150), 
+    peeraccount VARCHAR(20), 
+    sequence INTEGER
+);
+
+INSERT INTO alembic_version (version_num) VALUES ('210693f3123d');
+
+-- Running upgrade 210693f3123d -> 54cde9847798
+
+ALTER TABLE cdr MODIFY accountcode VARCHAR(80) NULL;
+
+ALTER TABLE cdr MODIFY peeraccount VARCHAR(80) NULL;
+
+UPDATE alembic_version SET version_num='54cde9847798' WHERE alembic_version.version_num = '210693f3123d';
+

contrib/realtime/mysql/mysql_voicemail.sql

@@ -0,0 +1,35 @@
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL, 
+    CONSTRAINT alembic_version_pkc PRIMARY KEY (version_num)
+);
+
+-- Running upgrade  -> a2e9769475e
+
+CREATE TABLE voicemail_messages (
+    dir VARCHAR(255) NOT NULL, 
+    msgnum INTEGER NOT NULL, 
+    context VARCHAR(80), 
+    macrocontext VARCHAR(80), 
+    callerid VARCHAR(80), 
+    origtime INTEGER, 
+    duration INTEGER, 
+    recording BLOB, 
+    flag VARCHAR(30), 
+    category VARCHAR(30), 
+    mailboxuser VARCHAR(30), 
+    mailboxcontext VARCHAR(30), 
+    msg_id VARCHAR(40)
+);
+
+ALTER TABLE voicemail_messages ADD CONSTRAINT voicemail_messages_dir_msgnum PRIMARY KEY (dir, msgnum);
+
+CREATE INDEX voicemail_messages_dir ON voicemail_messages (dir);
+
+INSERT INTO alembic_version (version_num) VALUES ('a2e9769475e');
+
+-- Running upgrade a2e9769475e -> 39428242f7f5
+
+ALTER TABLE voicemail_messages MODIFY recording BLOB(4294967295) NULL;
+
+UPDATE alembic_version SET version_num='39428242f7f5' WHERE alembic_version.version_num = 'a2e9769475e';
+

contrib/realtime/postgresql/postgresql_cdr.sql

@@ -0,0 +1,45 @@
+BEGIN;
+
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL, 
+    CONSTRAINT alembic_version_pkc PRIMARY KEY (version_num)
+);
+
+-- Running upgrade  -> 210693f3123d
+
+CREATE TABLE cdr (
+    accountcode VARCHAR(20), 
+    src VARCHAR(80), 
+    dst VARCHAR(80), 
+    dcontext VARCHAR(80), 
+    clid VARCHAR(80), 
+    channel VARCHAR(80), 
+    dstchannel VARCHAR(80), 
+    lastapp VARCHAR(80), 
+    lastdata VARCHAR(80), 
+    start TIMESTAMP WITHOUT TIME ZONE, 
+    answer TIMESTAMP WITHOUT TIME ZONE, 
+    "end" TIMESTAMP WITHOUT TIME ZONE, 
+    duration INTEGER, 
+    billsec INTEGER, 
+    disposition VARCHAR(45), 
+    amaflags VARCHAR(45), 
+    userfield VARCHAR(256), 
+    uniqueid VARCHAR(150), 
+    linkedid VARCHAR(150), 
+    peeraccount VARCHAR(20), 
+    sequence INTEGER
+);
+
+INSERT INTO alembic_version (version_num) VALUES ('210693f3123d');
+
+-- Running upgrade 210693f3123d -> 54cde9847798
+
+ALTER TABLE cdr ALTER COLUMN accountcode TYPE VARCHAR(80);
+
+ALTER TABLE cdr ALTER COLUMN peeraccount TYPE VARCHAR(80);
+
+UPDATE alembic_version SET version_num='54cde9847798' WHERE alembic_version.version_num = '210693f3123d';
+
+COMMIT;
+

contrib/realtime/postgresql/postgresql_voicemail.sql

@@ -0,0 +1,39 @@
+BEGIN;
+
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL, 
+    CONSTRAINT alembic_version_pkc PRIMARY KEY (version_num)
+);
+
+-- Running upgrade  -> a2e9769475e
+
+CREATE TABLE voicemail_messages (
+    dir VARCHAR(255) NOT NULL, 
+    msgnum INTEGER NOT NULL, 
+    context VARCHAR(80), 
+    macrocontext VARCHAR(80), 
+    callerid VARCHAR(80), 
+    origtime INTEGER, 
+    duration INTEGER, 
+    recording BYTEA, 
+    flag VARCHAR(30), 
+    category VARCHAR(30), 
+    mailboxuser VARCHAR(30), 
+    mailboxcontext VARCHAR(30), 
+    msg_id VARCHAR(40)
+);
+
+ALTER TABLE voicemail_messages ADD CONSTRAINT voicemail_messages_dir_msgnum PRIMARY KEY (dir, msgnum);
+
+CREATE INDEX voicemail_messages_dir ON voicemail_messages (dir);
+
+INSERT INTO alembic_version (version_num) VALUES ('a2e9769475e');
+
+-- Running upgrade a2e9769475e -> 39428242f7f5
+
+ALTER TABLE voicemail_messages ALTER COLUMN recording TYPE BYTEA;
+
+UPDATE alembic_version SET version_num='39428242f7f5' WHERE alembic_version.version_num = 'a2e9769475e';
+
+COMMIT;
+

include/asterisk/manager.h

@@ -350,6 +350,18 @@ void astman_send_list_complete_start(struct mansession *s, const struct message
  */
 void astman_send_list_complete_end(struct mansession *s);
 
+/*!
+ * \brief Enable/disable the inclusion of 'dangerous' configurations outside
+ * of the ast_config_AST_CONFIG_DIR
+ *
+ * This function can globally enable/disable the loading of configuration files
+ * outside of ast_config_AST_CONFIG_DIR.
+ *
+ * \param new_live_dangerously If true, enable the access of files outside
+ * ast_config_AST_CONFIG_DIR from astman.
+ */
+void astman_live_dangerously(int new_live_dangerously);
+
 void __attribute__((format(printf, 2, 3))) astman_append(struct mansession *s, const char *fmt, ...);
 
 /*! \brief Determine if a manager session ident is authenticated */

include/asterisk/res_pjsip.h

@@ -87,6 +87,26 @@
 #define AST_STIR_SHAKEN_RESPONSE_STR_UNSUPPORTED_CREDENTIAL "Unsupported Credential"
 #define AST_STIR_SHAKEN_RESPONSE_STR_INVALID_IDENTITY_HEADER "Invalid Identity Header"
 
+/* ":12345" */
+#define COLON_PORT_STRLEN 6
+/*
+ * "<ipaddr>:<port>"
+ * PJ_INET6_ADDRSTRLEN includes the NULL terminator
+ */
+#define IP6ADDR_COLON_PORT_BUFLEN (PJ_INET6_ADDRSTRLEN + COLON_PORT_STRLEN)
+
+/*!
+ * \brief Fill a buffer with a pjsip transport's remote ip address and port
+ *
+ * \param transport The pjsip_transport to use
+ * \param dest The destination buffer of at least IP6ADDR_COLON_PORT_BUFLEN bytes
+ */
+#define AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR(_transport, _dest) \
+	snprintf(_dest, IP6ADDR_COLON_PORT_BUFLEN, \
+		PJSTR_PRINTF_SPEC ":%d", \
+		PJSTR_PRINTF_VAR(_transport->remote_name.host), \
+		_transport->remote_name.port);
+
 /* Forward declarations of PJSIP stuff */
 struct pjsip_rx_data;
 struct pjsip_module;
@@ -3598,6 +3618,7 @@ enum ast_transport_monitor_reg {
 
 /*!
  * \brief Register a reliable transport shutdown monitor callback.
+ * \deprecated Replaced with ast_sip_transport_monitor_register_key().
  * \since 13.20.0
  *
  * \param transport Transport to monitor for shutdown.
@@ -3615,8 +3636,29 @@ enum ast_transport_monitor_reg {
 enum ast_transport_monitor_reg ast_sip_transport_monitor_register(pjsip_transport *transport,
 	ast_transport_monitor_shutdown_cb cb, void *ao2_data);
 
+/*!
+ * \brief Register a reliable transport shutdown monitor callback.
+ *
+ * \param transport_key Key for the transport to monitor for shutdown.
+ *                      Create the key with AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR.
+ * \param cb Who to call when transport is shutdown.
+ * \param ao2_data Data to pass with the callback.
+ *
+ * \note The data object passed will have its reference count automatically
+ * incremented by this call and automatically decremented after the callback
+ * runs or when the callback is unregistered.
+ *
+ * There is no checking for duplicate registrations.
+ *
+ * \return enum ast_transport_monitor_reg
+ */
+enum ast_transport_monitor_reg ast_sip_transport_monitor_register_key(
+	const char *transport_key, ast_transport_monitor_shutdown_cb cb,
+	void *ao2_data);
+
 /*!
  * \brief Register a reliable transport shutdown monitor callback replacing any duplicate.
+ * \deprecated Replaced with ast_sip_transport_monitor_register_replace_key().
  * \since 13.26.0
  * \since 16.3.0
  *
@@ -3638,8 +3680,32 @@ enum ast_transport_monitor_reg ast_sip_transport_monitor_register(pjsip_transpor
 enum ast_transport_monitor_reg ast_sip_transport_monitor_register_replace(pjsip_transport *transport,
 	ast_transport_monitor_shutdown_cb cb, void *ao2_data, ast_transport_monitor_data_matcher matches);
 
+/*!
+ * \brief Register a reliable transport shutdown monitor callback replacing any duplicate.
+ *
+ * \param transport_key Key for the transport to monitor for shutdown.
+ *                      Create the key with AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR.
+ * \param cb Who to call when transport is shutdown.
+ * \param ao2_data Data to pass with the callback.
+ * \param matches Matcher function that returns true if data matches a previously
+ *                registered data object
+ *
+ * \note The data object passed will have its reference count automatically
+ * incremented by this call and automatically decremented after the callback
+ * runs or when the callback is unregistered.
+ *
+ * This function checks for duplicates, and overwrites/replaces the old monitor
+ * with the given one.
+ *
+ * \return enum ast_transport_monitor_reg
+ */
+enum ast_transport_monitor_reg ast_sip_transport_monitor_register_replace_key(
+	const char *transport_key, ast_transport_monitor_shutdown_cb cb,
+	void *ao2_data, ast_transport_monitor_data_matcher matches);
+
 /*!
  * \brief Unregister a reliable transport shutdown monitor
+ * \deprecated Replaced with ast_sip_transport_monitor_unregister_key().
  * \since 13.20.0
  *
  * \param transport Transport to monitor for shutdown.
@@ -3655,6 +3721,23 @@ enum ast_transport_monitor_reg ast_sip_transport_monitor_register_replace(pjsip_
 void ast_sip_transport_monitor_unregister(pjsip_transport *transport,
 	ast_transport_monitor_shutdown_cb cb, void *data, ast_transport_monitor_data_matcher matches);
 
+/*!
+ * \brief Unregister a reliable transport shutdown monitor
+ *
+ * \param transport_key Key for the transport to monitor for shutdown.
+ *                      Create the key with AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR.
+ * \param cb The callback that was used for the original register.
+ * \param data Data to pass to the matcher. May be NULL and does NOT need to be an ao2 object.
+ *             If NULL, all monitors with the provided callback are unregistered.
+ * \param matches Matcher function that returns true if data matches the previously
+ *                registered data object.  If NULL, a simple pointer comparison is done.
+ *
+ * \note The data object passed into the original register will have its reference count
+ * automatically decremented.
+ */
+void ast_sip_transport_monitor_unregister_key(const char *transport_key,
+	ast_transport_monitor_shutdown_cb cb, void *data, ast_transport_monitor_data_matcher matches);
+
 /*!
  * \brief Unregister a transport shutdown monitor from all reliable transports
  * \since 13.20.0

main/manager.c

@@ -1490,6 +1490,11 @@ static struct stasis_forward *rtp_topic_forwarder;
 /*! \brief The \ref stasis_subscription for forwarding the Security topic to the AMI topic */
 static struct stasis_forward *security_topic_forwarder;
 
+/*!
+ * \brief Set to true (non-zero) to globally allow all dangerous AMI actions to run
+ */
+static int live_dangerously;
+
 #ifdef TEST_FRAMEWORK
 /*! \brief The \ref stasis_subscription for forwarding the Test topic to the AMI topic */
 static struct stasis_forward *test_suite_forwarder;
@@ -3609,6 +3614,29 @@ static int action_ping(struct mansession *s, const struct message *m)
 	return 0;
 }
 
+void astman_live_dangerously(int new_live_dangerously)
+{
+	if (new_live_dangerously && !live_dangerously)
+	{
+		ast_log(LOG_WARNING, "Manager Configuration load protection disabled.\n");
+	}
+
+	if (!new_live_dangerously && live_dangerously)
+	{
+		ast_log(LOG_NOTICE, "Manager Configuration load protection enabled.\n");
+	}
+	live_dangerously = new_live_dangerously;
+}
+
+static int restrictedFile(const char *filename)
+{
+	if (!live_dangerously && !strncasecmp(filename, "/", 1) &&
+		 strncasecmp(filename, ast_config_AST_CONFIG_DIR, strlen(ast_config_AST_CONFIG_DIR))) {
+		return 1;
+	}
+	return 0;
+}
+
 static int action_getconfig(struct mansession *s, const struct message *m)
 {
 	struct ast_config *cfg;
@@ -3627,6 +3655,11 @@ static int action_getconfig(struct mansession *s, const struct message *m)
 		return 0;
 	}
 
+	if (restrictedFile(fn)) {
+		astman_send_error(s, m, "File requires escalated priveledges");
+		return 0;
+	}
+
 	cfg = ast_config_load2(fn, "manager", config_flags);
 	if (cfg == CONFIG_STATUS_FILEMISSING) {
 		astman_send_error(s, m, "Config file not found");
@@ -3754,6 +3787,11 @@ static int action_getconfigjson(struct mansession *s, const struct message *m)
 		return 0;
 	}
 
+	if (restrictedFile(fn)) {
+		astman_send_error(s, m, "File requires escalated priveledges");
+		return 0;
+	}
+
 	if (!(cfg = ast_config_load2(fn, "manager", config_flags))) {
 		astman_send_error(s, m, "Config file not found");
 		return 0;
@@ -4105,6 +4143,10 @@ static int action_updateconfig(struct mansession *s, const struct message *m)
 		astman_send_error(s, m, "Filename not specified");
 		return 0;
 	}
+	if (restrictedFile(sfn) || restrictedFile(dfn)) {
+		astman_send_error(s, m, "File requires escalated priveledges");
+		return 0;
+	}
 	if (!(cfg = ast_config_load2(sfn, "manager", config_flags))) {
 		astman_send_error(s, m, "Config file not found");
 		return 0;

main/options.c

@@ -476,6 +476,7 @@ void load_asterisk_conf(void)
 	}
 	if (!ast_opt_remote) {
 		pbx_live_dangerously(live_dangerously);
+		astman_live_dangerously(live_dangerously);
 	}
 
 	option_debug += option_debug_new;

main/test.c

@@ -316,9 +316,13 @@ void ast_test_set_result(struct ast_test *test, enum ast_test_result_state state
 void ast_test_capture_free(struct ast_test_capture *capture)
 {
 	if (capture) {
-		free(capture->outbuf);
+		/*
+		 * Need to use ast_std_free because this memory wasn't
+		 * allocated by the astmm functions.
+		 */
+		ast_std_free(capture->outbuf);
 		capture->outbuf = NULL;
-		free(capture->errbuf);
+		ast_std_free(capture->errbuf);
 		capture->errbuf = NULL;
 	}
 	capture->pid = -1;
@@ -330,6 +334,7 @@ int ast_test_capture_command(struct ast_test_capture *capture, const char *file,
 	int fd0[2] = { -1, -1 }, fd1[2] = { -1, -1 }, fd2[2] = { -1, -1 };
 	pid_t pid = -1;
 	int status = 0;
+	FILE *cmd = NULL, *out = NULL, *err = NULL;
 
 	memset(capture, 0, sizeof(*capture));
 	capture->pid = capture->exitcode = -1;
@@ -379,8 +384,6 @@ int ast_test_capture_command(struct ast_test_capture *capture, const char *file,
 		exit(1);
 
 	} else {
-		FILE *cmd = NULL, *out = NULL, *err = NULL;
-
 		char buf[BUFSIZ];
 		int wstatus, n, nfds;
 		fd_set readfds, writefds;

res/res_geolocation/geoloc_config.c

@@ -187,7 +187,7 @@ static int geoloc_profile_apply_handler(const struct ast_sorcery *sorcery, void
 	struct ast_geoloc_location *location;
 	const char *id = ast_sorcery_object_get_id(profile);
 	enum ast_geoloc_validate_result result;
-	enum ast_geoloc_format format;
+	enum ast_geoloc_format format = AST_GEOLOC_FORMAT_NONE;
 	int rc = 0;
 
 	if (!ast_strlen_zero(profile->location_reference)) {

res/res_pjsip/pjsip_transport_events.c

@@ -30,6 +30,7 @@
 #include "asterisk.h"
 
 #include "asterisk/res_pjsip.h"
+#include "asterisk/res_pjsip_cli.h"
 #include "include/res_pjsip_private.h"
 #include "asterisk/linkedlists.h"
 #include "asterisk/vector.h"
@@ -49,8 +50,14 @@ struct transport_monitor_notifier {
 
 /*! \brief Structure for transport to be monitored */
 struct transport_monitor {
+	/*! \brief Key <ipaddr>:<port> */
+	char key[IP6ADDR_COLON_PORT_BUFLEN];
 	/*! \brief The underlying PJSIP transport */
 	pjsip_transport *transport;
+	/*! For debugging purposes, we save the obj_name
+	 * in case the transport goes away.
+	 */
+	char *transport_obj_name;
 	/*! Who is interested in when this transport shuts down. */
 	AST_VECTOR(, struct transport_monitor_notifier) monitors;
 };
@@ -64,12 +71,14 @@ static pjsip_tp_state_callback tpmgr_state_callback;
 /*! List of registered transport state callbacks. */
 static AST_RWLIST_HEAD(, ast_sip_tpmgr_state_callback) transport_state_list;
 
-
 /*! \brief Hashing function for struct transport_monitor */
-AO2_STRING_FIELD_HASH_FN(transport_monitor, transport->obj_name);
+AO2_STRING_FIELD_HASH_FN(transport_monitor, key);
 
 /*! \brief Comparison function for struct transport_monitor */
-AO2_STRING_FIELD_CMP_FN(transport_monitor, transport->obj_name);
+AO2_STRING_FIELD_CMP_FN(transport_monitor, key);
+
+/*! \brief Sort function for struct transport_monitor */
+AO2_STRING_FIELD_SORT_FN(transport_monitor, key);
 
 static const char *transport_state2str(pjsip_transport_state state)
 {
@@ -112,6 +121,11 @@ static void transport_monitor_dtor(void *vdoomed)
 		ao2_cleanup(notifier->data);
 	}
 	AST_VECTOR_FREE(&monitored->monitors);
+	ast_debug(3, "Transport %s(%s,%s) RefCnt: %ld : state:MONITOR_DESTROYED\n",
+		monitored->key, monitored->transport->obj_name,
+		monitored->transport->type_name,pj_atomic_get(monitored->transport->ref_cnt));
+	ast_free(monitored->transport_obj_name);
+	pjsip_transport_dec_ref(monitored->transport);
 }
 
 /*!
@@ -125,8 +139,11 @@ static void transport_monitor_dtor(void *vdoomed)
 static void transport_state_do_reg_callbacks(struct ao2_container *transports, pjsip_transport *transport)
 {
 	struct transport_monitor *monitored;
+	char key[IP6ADDR_COLON_PORT_BUFLEN];
 
-	monitored = ao2_find(transports, transport->obj_name, OBJ_SEARCH_KEY | OBJ_UNLINK);
+	AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR(transport, key);
+
+	monitored = ao2_find(transports, key, OBJ_SEARCH_KEY | OBJ_UNLINK);
 	if (monitored) {
 		int idx;
 
@@ -134,8 +151,10 @@ static void transport_state_do_reg_callbacks(struct ao2_container *transports, p
 			struct transport_monitor_notifier *notifier;
 
 			notifier = AST_VECTOR_GET_ADDR(&monitored->monitors, idx);
-			ast_debug(3, "running callback %p(%p) for transport %s\n",
-				notifier->cb, notifier->data, transport->obj_name);
+			ast_debug(3, "Transport %s(%s,%s) RefCnt: %ld : running callback %p(%p)\n",
+				monitored->key, monitored->transport->obj_name,
+				monitored->transport->type_name,
+				pj_atomic_get(monitored->transport->ref_cnt), notifier->cb, notifier->data);
 			notifier->cb(notifier->data);
 		}
 		ao2_ref(monitored, -1);
@@ -269,8 +288,11 @@ static void transport_state_callback(pjsip_transport *transport,
 		&& (transports = ao2_global_obj_ref(active_transports))) {
 		struct transport_monitor *monitored;
 
-		ast_debug(3, "Reliable transport '%s' state:%s\n",
-			transport->obj_name, transport_state2str(state));
+		ast_debug(3, "Transport " PJSTR_PRINTF_SPEC ":%d(%s,%s): RefCnt: %ld state:%s\n",
+			PJSTR_PRINTF_VAR(transport->remote_name.host),
+			transport->remote_name.port, transport->obj_name,
+			transport->type_name,
+			pj_atomic_get(transport->ref_cnt), transport_state2str(state));
 		switch (state) {
 		case PJSIP_TP_STATE_CONNECTED:
 			if (PJSIP_TRANSPORT_IS_SECURE(transport) &&
@@ -285,10 +307,18 @@ static void transport_state_callback(pjsip_transport *transport,
 				break;
 			}
 			monitored->transport = transport;
+			AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR(transport, monitored->key);
+			monitored->transport_obj_name = ast_strdup(transport->obj_name);
+
 			if (AST_VECTOR_INIT(&monitored->monitors, 5)) {
 				ao2_ref(monitored, -1);
 				break;
 			}
+			pjsip_transport_add_ref(monitored->transport);
+			ast_debug(3, "Transport %s(%s,%s): RefCnt: %ld state:MONITOR_CREATED\n",
+				monitored->key,	monitored->transport_obj_name,
+				monitored->transport->type_name,
+				pj_atomic_get(monitored->transport->ref_cnt));
 
 			ao2_link(transports, monitored);
 			ao2_ref(monitored, -1);
@@ -362,8 +392,10 @@ static int transport_monitor_unregister_cb(void *obj, void *arg, int flags)
 			|| cb_data->matches(cb_data->data, notifier->data))) {
 			ao2_cleanup(notifier->data);
 			AST_VECTOR_REMOVE_UNORDERED(&monitored->monitors, idx);
-			ast_debug(3, "Unregistered monitor %p(%p) from transport %s\n",
-				notifier->cb, notifier->data, monitored->transport->obj_name);
+			ast_debug(3, "Transport %s(%s,%s) RefCnt: %ld : Unregistered monitor %p(%p)\n",
+				monitored->key, monitored->transport_obj_name,
+				monitored->transport->type_name,
+				pj_atomic_get(monitored->transport->ref_cnt), notifier->cb, notifier->data);
 		}
 	}
 	return 0;
@@ -396,11 +428,19 @@ void ast_sip_transport_monitor_unregister_all(ast_transport_monitor_shutdown_cb
 
 void ast_sip_transport_monitor_unregister(pjsip_transport *transport,
 	ast_transport_monitor_shutdown_cb cb, void *data, ast_transport_monitor_data_matcher matches)
+{
+	char key[IP6ADDR_COLON_PORT_BUFLEN];
+	AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR(transport, key);
+	ast_sip_transport_monitor_unregister_key(key, cb, data, matches);
+}
+
+void ast_sip_transport_monitor_unregister_key(const char *transport_key,
+	ast_transport_monitor_shutdown_cb cb, void *data, ast_transport_monitor_data_matcher matches)
 {
 	struct ao2_container *transports;
 	struct transport_monitor *monitored;
 
-	ast_assert(transport != NULL && cb != NULL);
+	ast_assert(transport_key != NULL && cb != NULL);
 
 	transports = ao2_global_obj_ref(active_transports);
 	if (!transports) {
@@ -408,7 +448,7 @@ void ast_sip_transport_monitor_unregister(pjsip_transport *transport,
 	}
 
 	ao2_lock(transports);
-	monitored = ao2_find(transports, transport->obj_name, OBJ_SEARCH_KEY | OBJ_NOLOCK);
+	monitored = ao2_find(transports, transport_key, OBJ_SEARCH_KEY | OBJ_NOLOCK);
 	if (monitored) {
 		struct callback_data cb_data = {
 			.cb = cb,
@@ -426,17 +466,35 @@ void ast_sip_transport_monitor_unregister(pjsip_transport *transport,
 enum ast_transport_monitor_reg ast_sip_transport_monitor_register(pjsip_transport *transport,
 	ast_transport_monitor_shutdown_cb cb, void *ao2_data)
 {
-	return ast_sip_transport_monitor_register_replace(transport, cb, ao2_data, NULL);
+	char key[IP6ADDR_COLON_PORT_BUFLEN];
+	AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR(transport, key);
+
+	return ast_sip_transport_monitor_register_replace_key(key, cb, ao2_data, NULL);
+}
+
+enum ast_transport_monitor_reg ast_sip_transport_monitor_register_key(const char *transport_key,
+	ast_transport_monitor_shutdown_cb cb, void *ao2_data)
+{
+	return ast_sip_transport_monitor_register_replace_key(transport_key, cb, ao2_data, NULL);
 }
 
 enum ast_transport_monitor_reg ast_sip_transport_monitor_register_replace(pjsip_transport *transport,
 	ast_transport_monitor_shutdown_cb cb, void *ao2_data, ast_transport_monitor_data_matcher matches)
+{
+	char key[IP6ADDR_COLON_PORT_BUFLEN];
+
+	AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR(transport, key);
+	return ast_sip_transport_monitor_register_replace_key(key, cb, ao2_data, NULL);
+}
+
+enum ast_transport_monitor_reg ast_sip_transport_monitor_register_replace_key(const char *transport_key,
+	ast_transport_monitor_shutdown_cb cb, void *ao2_data, ast_transport_monitor_data_matcher matches)
 {
 	struct ao2_container *transports;
 	struct transport_monitor *monitored;
 	enum ast_transport_monitor_reg res = AST_TRANSPORT_MONITOR_REG_NOT_FOUND;
 
-	ast_assert(transport != NULL && cb != NULL);
+	ast_assert(transport_key != NULL && cb != NULL);
 
 	transports = ao2_global_obj_ref(active_transports);
 	if (!transports) {
@@ -444,7 +502,7 @@ enum ast_transport_monitor_reg ast_sip_transport_monitor_register_replace(pjsip_
 	}
 
 	ao2_lock(transports);
-	monitored = ao2_find(transports, transport->obj_name, OBJ_SEARCH_KEY | OBJ_NOLOCK);
+	monitored = ao2_find(transports, transport_key, OBJ_SEARCH_KEY | OBJ_NOLOCK);
 	if (monitored) {
 		struct transport_monitor_notifier new_monitor;
 		struct callback_data cb_data = {
@@ -461,12 +519,15 @@ enum ast_transport_monitor_reg ast_sip_transport_monitor_register_replace(pjsip_
 		if (AST_VECTOR_APPEND(&monitored->monitors, new_monitor)) {
 			ao2_cleanup(ao2_data);
 			res = AST_TRANSPORT_MONITOR_REG_FAILED;
-			ast_debug(3, "Register monitor %p(%p) to transport %s FAILED\n",
-				cb, ao2_data, transport->obj_name);
+			ast_debug(3, "Transport %s(%s) RefCnt: %ld : Monitor registration failed %p(%p)\n",
+				monitored->key, monitored->transport_obj_name,
+				pj_atomic_get(monitored->transport->ref_cnt), cb, ao2_data);
 		} else {
 			res = AST_TRANSPORT_MONITOR_REG_SUCCESS;
-			ast_debug(3, "Registered monitor %p(%p) to transport %s\n",
-				cb, ao2_data, transport->obj_name);
+			ast_debug(3, "Transport %s(%s,%s) RefCnt: %ld : Registered monitor %p(%p)\n",
+				monitored->key, monitored->transport_obj_name,
+				monitored->transport->type_name,
+				pj_atomic_get(monitored->transport->ref_cnt), cb, ao2_data);
 		}
 
 		ao2_ref(monitored, -1);
@@ -499,10 +560,120 @@ void ast_sip_transport_state_register(struct ast_sip_tpmgr_state_callback *eleme
 	AST_RWLIST_UNLOCK(&transport_state_list);
 }
 
+static char *cli_show_monitors(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
+{
+	char *cli_rc = CLI_FAILURE;
+	int rc = 0;
+	int using_regex = 0;
+	regex_t regex = { 0, };
+	int container_count;
+	struct ao2_iterator iter;
+	struct ao2_container *sorted_monitors = NULL;
+	struct ao2_container *transports;
+	struct transport_monitor *monitored;
+
+	switch (cmd) {
+	case CLI_INIT:
+		e->command = "pjsip show transport-monitors";
+		e->usage = "Usage: pjsip show transport-monitors [ like <pattern> ]\n"
+		            "      Show pjsip transport monitors\n";
+		return NULL;
+	case CLI_GENERATE:
+		return NULL;
+	}
+
+	if (a->argc != 3 && a->argc != 5) {
+		return CLI_SHOWUSAGE;
+	}
+
+	if (a->argc == 5) {
+		int regrc;
+		if (strcasecmp(a->argv[3], "like")) {
+			return CLI_SHOWUSAGE;
+		}
+		regrc = regcomp(&regex, a->argv[4], REG_EXTENDED | REG_ICASE | REG_NOSUB);
+		if (regrc) {
+			char err[256];
+			regerror(regrc, &regex, err, 256);
+			ast_cli(a->fd, "PJSIP Transport Monitor: Error: %s\n", err);
+			return CLI_FAILURE;
+		}
+		using_regex = 1;
+	}
+
+	/* Get a sorted snapshot of the scheduled tasks */
+	sorted_monitors = ao2_container_alloc_rbtree(AO2_ALLOC_OPT_LOCK_NOLOCK, 0,
+		transport_monitor_sort_fn, NULL);
+	if (!sorted_monitors) {
+		ast_cli(a->fd, "PJSIP Transport Monitor: Unable to allocate temporary container\n");
+		goto error;
+	}
+
+	transports = ao2_global_obj_ref(active_transports);
+	if (!transports) {
+		ast_cli(a->fd, "PJSIP Transport Monitor: Unable to get transports\n");
+		goto error;
+	}
+
+	ao2_lock(transports);
+	rc = ao2_container_dup(sorted_monitors, transports, 0);
+	ao2_unlock(transports);
+	ao2_ref(transports, -1);
+	if (rc != 0) {
+		ast_cli(a->fd, "PJSIP Transport Monitors: Unable to sort temporary container\n");
+		goto error;
+	}
+	container_count = ao2_container_count(sorted_monitors);
+
+	ast_cli(a->fd, "PJSIP Transport Monitors:\n\n");
+
+	ast_cli(a->fd,
+		"<Remote Host...................................> <State.....> <Direction> <RefCnt> <Monitors> <ObjName............>\n");
+
+	iter = ao2_iterator_init(sorted_monitors, AO2_ITERATOR_UNLINK);
+	for (; (monitored = ao2_iterator_next(&iter)); ao2_ref(monitored, -1)) {
+		char *state;
+
+		if (using_regex && regexec(&regex, monitored->key, 0, NULL, 0) == REG_NOMATCH) {
+			continue;
+		}
+
+		if (monitored->transport->is_destroying) {
+			state = "DESTROYING";
+		} else if (monitored->transport->is_shutdown) {
+			state = "SHUTDOWN";
+		} else {
+			state = "ACTIVE";
+		}
+
+		ast_cli(a->fd, " %-46.46s   %-10s   %-9s   %6ld   %8" PRIu64 "   %s\n",
+			monitored->key, state,
+			monitored->transport->dir == PJSIP_TP_DIR_OUTGOING ? "Outgoing" : "Incoming",
+			pj_atomic_get(monitored->transport->ref_cnt),
+			AST_VECTOR_SIZE(&monitored->monitors), monitored->transport->obj_name);
+	}
+	ao2_iterator_destroy(&iter);
+	ast_cli(a->fd, "\nTotal Transport Monitors: %d\n\n", container_count);
+	cli_rc = CLI_SUCCESS;
+error:
+	if (using_regex) {
+		regfree(&regex);
+	}
+	ao2_cleanup(sorted_monitors);
+
+	return cli_rc;
+}
+
+static struct ast_cli_entry cli_commands[] = {
+	AST_CLI_DEFINE(cli_show_monitors, "Show pjsip transport monitors"),
+};
+
 void ast_sip_destroy_transport_events(void)
 {
 	pjsip_tpmgr *tpmgr;
 
+	ast_cli_unregister_multiple(cli_commands, ARRAY_LEN(cli_commands));
+
 	tpmgr = pjsip_endpt_get_tpmgr(ast_sip_get_pjsip_endpoint());
 	if (tpmgr) {
 		pjsip_tpmgr_set_state_cb(tpmgr, tpmgr_state_callback);
@@ -522,7 +693,7 @@ int ast_sip_initialize_transport_events(void)
 	}
 
 	transports = ao2_container_alloc_hash(AO2_ALLOC_OPT_LOCK_MUTEX, 0,
-		ACTIVE_TRANSPORTS_BUCKETS, transport_monitor_hash_fn, NULL,
+		ACTIVE_TRANSPORTS_BUCKETS, transport_monitor_hash_fn, transport_monitor_sort_fn,
 		transport_monitor_cmp_fn);
 	if (!transports) {
 		return -1;
@@ -533,5 +704,8 @@ int ast_sip_initialize_transport_events(void)
 	tpmgr_state_callback = pjsip_tpmgr_get_state_cb(tpmgr);
 	pjsip_tpmgr_set_state_cb(tpmgr, &transport_state_callback);
 
+	ast_cli_register_multiple(cli_commands, ARRAY_LEN(cli_commands));
+
+
 	return 0;
 }

res/res_pjsip_geolocation.c

@@ -145,7 +145,7 @@ static int handle_incoming_request(struct ast_sip_session *session, struct pjsip
 	char *geoloc_routing_hdr_value = NULL;
 	char *geoloc_uri = NULL;
 	int rc = 0;
-	RAII_VAR(struct ast_str *, buf, ast_str_create(1024), ast_free);
+	RAII_VAR(struct ast_str *, buf, NULL, ast_free);
 	pjsip_generic_string_hdr *geoloc_hdr = NULL;
 	pjsip_generic_string_hdr *geoloc_routing_hdr = NULL;
 	SCOPE_ENTER(3, "%s\n", session_name);
@@ -191,7 +191,7 @@ static int handle_incoming_request(struct ast_sip_session *session, struct pjsip
 				"Done.\n", session_name,
 				PJSTR_PRINTF_VAR(geoloc_hdr->hvalue));
 		} else {
-			SCOPE_EXIT_LOG_RTN_VALUE(0, LOG_NOTICE, "%s: Endpoint has no geoloc_incoming_call_profile. "
+			SCOPE_EXIT_RTN_VALUE(0, "%s: Endpoint has no geoloc_incoming_call_profile. "
 				"Done.\n", session_name);
 		}
 	}
@@ -209,6 +209,11 @@ static int handle_incoming_request(struct ast_sip_session *session, struct pjsip
 		}
 	}
 
+	buf = ast_str_create(1024);
+	if (!buf) {
+		SCOPE_EXIT_LOG_RTN_VALUE(0, LOG_WARNING, "%s: Unable to allocate buf\n", session_name);
+	}
+
 	if (config_profile->precedence != AST_GEOLOC_PRECED_DISCARD_CONFIG) {
 		config_eprofile = ast_geoloc_eprofile_create_from_profile(config_profile);
 		if (!config_eprofile) {
@@ -469,7 +474,7 @@ static void handle_outgoing_request(struct ast_sip_session *session, struct pjsi
 	RAII_VAR(struct ast_geoloc_eprofile *, config_eprofile, NULL, ao2_cleanup);
 	RAII_VAR(struct ast_geoloc_eprofile *, incoming_eprofile, NULL, ao2_cleanup);
 	struct ast_geoloc_eprofile *final_eprofile = NULL;
-	RAII_VAR(struct ast_str *, buf, ast_str_create(1024), ast_free);
+	RAII_VAR(struct ast_str *, buf, NULL, ast_free);
 	struct ast_datastore *ds = NULL;  /* The channel cleans up ds */
 	pjsip_msg_body *orig_body = NULL;
 	pjsip_generic_string_hdr *geoloc_hdr = NULL;
@@ -478,11 +483,6 @@ static void handle_outgoing_request(struct ast_sip_session *session, struct pjsi
 	const char *uri;
 	SCOPE_ENTER(3, "%s\n", session_name);
 
-	if (!buf) {
-		SCOPE_EXIT_LOG_RTN(LOG_WARNING, "%s: Unable to allocate buf\n",
-			session_name);
-	}
-
 	if (!endpoint) {
 		SCOPE_EXIT_LOG_RTN(LOG_WARNING, "%s: Session has no endpoint.  Skipping.\n",
 			session_name);
@@ -494,8 +494,8 @@ static void handle_outgoing_request(struct ast_sip_session *session, struct pjsi
 	}
 
 	if (ast_strlen_zero(endpoint->geoloc_outgoing_call_profile)) {
-			SCOPE_EXIT_LOG_RTN(LOG_NOTICE, "%s: Endpoint has no geoloc_outgoing_call_profile. "
-				"Skipping.\n", session_name);
+		SCOPE_EXIT_RTN("%s: Endpoint has no geoloc_outgoing_call_profile. Skipping.\n",
+			session_name);
 	}
 
 	config_profile = ast_geoloc_get_profile(endpoint->geoloc_outgoing_call_profile);
@@ -578,6 +578,11 @@ static void handle_outgoing_request(struct ast_sip_session *session, struct pjsi
 		ast_geoloc_eprofile_refresh_location(final_eprofile);
 	}
 
+	buf = ast_str_create(1024);
+	if (!buf) {
+		SCOPE_EXIT_LOG_RTN(LOG_WARNING, "%s: Unable to allocate buf\n", session_name);
+	}
+
 	if (final_eprofile->format == AST_GEOLOC_FORMAT_URI) {
 		uri = ast_geoloc_eprofile_to_uri(final_eprofile, channel, &buf, session_name);
 		if (!uri) {

res/res_pjsip_outbound_registration.c

@@ -851,6 +851,8 @@ struct registration_response {
 	pjsip_rx_data *rdata;
 	/*! \brief Request for which the response was received */
 	pjsip_tx_data *old_request;
+	/*! \brief Key for the reliable transport in use */
+	char transport_key[IP6ADDR_COLON_PORT_BUFLEN];
 };
 
 /*! \brief Registration response structure destructor */
@@ -966,13 +968,10 @@ static int monitor_matcher(void *a, void *b)
 	return strcmp(ma, mb) == 0;
 }
 
-static void registration_transport_monitor_setup(pjsip_transport *transport, const char *registration_name)
+static void registration_transport_monitor_setup(const char *transport_key, const char *registration_name)
 {
 	char *monitor;
 
-	if (!PJSIP_TRANSPORT_IS_RELIABLE(transport)) {
-		return;
-	}
 	monitor = ao2_alloc_options(strlen(registration_name) + 1, NULL,
 		AO2_ALLOC_OPT_LOCK_NOLOCK);
 	if (!monitor) {
@@ -985,8 +984,8 @@ static void registration_transport_monitor_setup(pjsip_transport *transport, con
 	 * register the monitor.  We might get into a message spamming infinite
 	 * loop of registration, shutdown, reregistration...
 	 */
-	ast_sip_transport_monitor_register(transport, registration_transport_shutdown_cb,
-		monitor);
+	ast_sip_transport_monitor_register_replace_key(transport_key, registration_transport_shutdown_cb,
+		monitor, monitor_matcher);
 	ao2_ref(monitor, -1);
 }
 
@@ -1139,14 +1138,18 @@ static int handle_registration_response(void *data)
 			schedule_registration(response->client_state, next_registration_round);
 
 			/* See if we should monitor for transport shutdown */
-			registration_transport_monitor_setup(response->rdata->tp_info.transport,
-				response->client_state->registration_name);
+			if (PJSIP_TRANSPORT_IS_RELIABLE(response->rdata->tp_info.transport)) {
+				registration_transport_monitor_setup(response->transport_key,
+					response->client_state->registration_name);
+			}
 		} else {
 			ast_debug(1, "Outbound unregistration to '%s' with client '%s' successful\n", server_uri, client_uri);
 			update_client_state_status(response->client_state, SIP_REGISTRATION_UNREGISTERED);
-			ast_sip_transport_monitor_unregister(response->rdata->tp_info.transport,
-				registration_transport_shutdown_cb, response->client_state->registration_name,
-				monitor_matcher);
+			if (PJSIP_TRANSPORT_IS_RELIABLE(response->rdata->tp_info.transport)) {
+				ast_sip_transport_monitor_unregister_key(response->transport_key,
+					registration_transport_shutdown_cb, response->client_state->registration_name,
+					monitor_matcher);
+			}
 		}
 
 		save_response_fields_to_transport(response);
@@ -1262,6 +1265,9 @@ static void sip_outbound_registration_response_cb(struct pjsip_regc_cbparam *par
 		response->old_request = tsx->last_tx;
 		pjsip_tx_data_add_ref(response->old_request);
 		pjsip_rx_data_clone(param->rdata, 0, &response->rdata);
+		AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR(param->rdata->tp_info.transport,
+			response->transport_key);
+
 	} else {
 		/* old_request steals the reference */
 		response->old_request = client_state->last_tdata;

res/res_pjsip_pubsub.c

@@ -389,8 +389,8 @@ struct subscription_persistence {
 	char src_name[PJ_INET6_ADDRSTRLEN];
 	/*! Source port of the message */
 	int src_port;
-	/*! Local transport key type */
-	char transport_key[32];
+	/*! Local transport type (UDP,TCP,TLS)*/
+	char transport_type[32];
 	/*! Local transport address */
 	char local_name[PJ_INET6_ADDRSTRLEN];
 	/*! Local transport port */
@@ -474,7 +474,7 @@ struct sip_subscription_tree {
 	/*! The transport the subscription was received on.
 	 * Only used for reliable transports.
 	 */
-	pjsip_transport *transport;
+	char transport_key[IP6ADDR_COLON_PORT_BUFLEN];
 	/*! Indicator if initial notify should be generated.
 	 * Used to refresh modified RLS.
 	 */
@@ -711,8 +711,9 @@ static void subscription_persistence_update(struct sip_subscription_tree *sub_tr
 							rdata->tp_info.transport->obj_name,
 							sub_tree->persistence->endpoint, sub_tree->root->resource,
 							sub_tree->persistence->prune_on_boot);
-						sub_tree->transport = rdata->tp_info.transport;
-						ast_sip_transport_monitor_register(rdata->tp_info.transport,
+						AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR(rdata->tp_info.transport,
+							sub_tree->transport_key);
+						ast_sip_transport_monitor_register_key(sub_tree->transport_key,
 							sub_tree_transport_cb, sub_tree);
 						/*
 						 * FYI: ast_sip_transport_monitor_register holds a reference to the sub_tree
@@ -746,8 +747,8 @@ static void subscription_persistence_update(struct sip_subscription_tree *sub_tr
 		ast_copy_string(sub_tree->persistence->src_name, rdata->pkt_info.src_name,
 				sizeof(sub_tree->persistence->src_name));
 		sub_tree->persistence->src_port = rdata->pkt_info.src_port;
-		ast_copy_string(sub_tree->persistence->transport_key, rdata->tp_info.transport->type_name,
-			sizeof(sub_tree->persistence->transport_key));
+		ast_copy_string(sub_tree->persistence->transport_type, rdata->tp_info.transport->type_name,
+			sizeof(sub_tree->persistence->transport_type));
 		ast_copy_pj_str(sub_tree->persistence->local_name, &rdata->tp_info.transport->local_name.host,
 			sizeof(sub_tree->persistence->local_name));
 		sub_tree->persistence->local_port = rdata->tp_info.transport->local_name.port;
@@ -763,12 +764,12 @@ static void subscription_persistence_remove(struct sip_subscription_tree *sub_tr
 		return;
 	}
 
-	if (sub_tree->persistence->prune_on_boot && sub_tree->transport) {
+	if (sub_tree->persistence->prune_on_boot && !ast_strlen_zero(sub_tree->transport_key)) {
 		ast_debug(3, "Unregistering transport monitor on %s '%s->%s'\n",
-			sub_tree->transport->obj_name,
+			sub_tree->transport_key,
 			sub_tree->endpoint ? ast_sorcery_object_get_id(sub_tree->endpoint) : "Unknown",
 			sub_tree->root ? sub_tree->root->resource : "Unknown");
-		ast_sip_transport_monitor_unregister(sub_tree->transport,
+		ast_sip_transport_monitor_unregister_key(sub_tree->transport_key,
 			sub_tree_transport_cb, sub_tree, NULL);
 	}
 
@@ -1743,7 +1744,7 @@ static int subscription_persistence_recreate(void *obj, void *arg, int flags)
 	rdata.tp_info.pool = pool;
 
 	if (ast_sip_create_rdata_with_contact(&rdata, persistence->packet, persistence->src_name,
-		persistence->src_port, persistence->transport_key, persistence->local_name,
+		persistence->src_port, persistence->transport_type, persistence->local_name,
 		persistence->local_port, persistence->contact_uri)) {
 		ast_log(LOG_WARNING, "Failed recreating '%s' subscription: The message could not be parsed\n",
 			persistence->endpoint);
@@ -5759,7 +5760,7 @@ static int load_module(void)
 	ast_sorcery_object_field_register(sorcery, "subscription_persistence", "src_port", "0", OPT_UINT_T, 0,
 		FLDSET(struct subscription_persistence, src_port));
 	ast_sorcery_object_field_register(sorcery, "subscription_persistence", "transport_key", "0", OPT_CHAR_ARRAY_T, 0,
-		CHARFLDSET(struct subscription_persistence, transport_key));
+		CHARFLDSET(struct subscription_persistence, transport_type));
 	ast_sorcery_object_field_register(sorcery, "subscription_persistence", "local_name", "", OPT_CHAR_ARRAY_T, 0,
 		CHARFLDSET(struct subscription_persistence, local_name));
 	ast_sorcery_object_field_register(sorcery, "subscription_persistence", "local_port", "0", OPT_UINT_T, 0,

tests/test_crypto.c

@@ -49,7 +49,7 @@ static const char *old_key_dir = NULL;
 
 static char *hexstring(const unsigned char *data, unsigned datalen)
 {
-	char *buf = alloca(datalen * 2 + 1);
+	char *buf = ast_malloc(datalen * 2 + 1);
 	unsigned n;
 
 	for (n = 0; n < datalen; ++n) {
@@ -532,6 +532,7 @@ AST_TEST_DEFINE(crypto_aes_encrypt)
 	res = AST_TEST_PASS;
 
 cleanup:
+	ast_free(args[KEY]);
 	ast_test_capture_free(&cap);
 	return res;
 }
@@ -610,6 +611,7 @@ AST_TEST_DEFINE(crypto_aes_decrypt)
 	res = AST_TEST_PASS;
 
 cleanup:
+	ast_free(args[KEY]);
 	ast_test_capture_free(&cap);
 	return res;
 }

third-party/pjproject/patches/0200-potential-buffer-overflow-in-pjlib-scanner-and-pjmedia.patch

@@ -0,0 +1,306 @@
+From c4d34984ec92b3d5252a7d5cddd85a1d3a8001ae Mon Sep 17 00:00:00 2001
+From: sauwming <ming@teluu.com>
+Date: Mon, 3 Oct 2022 08:07:22 +0800
+Subject: [PATCH] Merge pull request from GHSA-fq45-m3f7-3mhj
+
+* Initial patch
+
+* Use 'pj_scan_is_eof(scanner)'
+
+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>
+
+* Use 'pj_scan_is_eof(scanner)'
+
+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>
+
+* Use 'pj_scan_is_eof(scanner)'
+
+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>
+
+* Use `!pj_scan_is_eof` instead of manually checking `scanner->curptr < scanner->end`
+
+Co-authored-by: Maksim Mukosey <mmukosey@gmail.com>
+
+* Update pjlib-util/src/pjlib-util/scanner.c
+
+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>
+
+* Update pjlib-util/src/pjlib-util/scanner.c
+
+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>
+
+* Update pjlib-util/src/pjlib-util/scanner.c
+
+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>
+
+* Revert '>=' back to '>' in pj_scan_stricmp_alnum()
+
+* Fix error compiles.
+
+Co-authored-by: Nanang Izzuddin <nanang@teluu.com>
+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>
+Co-authored-by: Maksim Mukosey <mmukosey@gmail.com>
+---
+ pjlib-util/src/pjlib-util/scanner.c | 41 +++++++++++++++++++----------
+ pjmedia/src/pjmedia/rtp.c           | 11 +++++---
+ pjmedia/src/pjmedia/sdp.c           | 24 ++++++++++-------
+ 3 files changed, 48 insertions(+), 28 deletions(-)
+
+diff --git a/pjlib-util/src/pjlib-util/scanner.c b/pjlib-util/src/pjlib-util/scanner.c
+index a54edf2d8..6541bbae3 100644
+--- a/pjlib-util/src/pjlib-util/scanner.c
++++ b/pjlib-util/src/pjlib-util/scanner.c
+@@ -195,7 +195,13 @@ PJ_DEF(void) pj_scan_skip_whitespace( pj_scanner *scanner )
+ 
+ PJ_DEF(void) pj_scan_skip_line( pj_scanner *scanner )
+ {
+-    char *s = pj_memchr(scanner->curptr, '\n', scanner->end - scanner->curptr);
++    char *s;
++
++    if (pj_scan_is_eof(scanner)) {
++        return;
++    }
++
++    s = pj_memchr(scanner->curptr, '\n', scanner->end - scanner->curptr);
+     if (!s) {
+ 	scanner->curptr = scanner->end;
+     } else {
+@@ -264,8 +270,7 @@ PJ_DEF(void) pj_scan_get( pj_scanner *scanner,
+ 
+     pj_assert(pj_cis_match(spec,0)==0);
+ 
+-    /* EOF is detected implicitly */
+-    if (!pj_cis_match(spec, *s)) {
++    if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s)) {
+ 	pj_scan_syntax_err(scanner);
+ 	return;
+     }
+@@ -299,8 +304,7 @@ PJ_DEF(void) pj_scan_get_unescape( pj_scanner *scanner,
+     /* Must not match character '%' */
+     pj_assert(pj_cis_match(spec,'%')==0);
+ 
+-    /* EOF is detected implicitly */
+-    if (!pj_cis_match(spec, *s) && *s != '%') {
++    if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s) && *s != '%') {
+ 	pj_scan_syntax_err(scanner);
+ 	return;
+     }
+@@ -436,7 +440,9 @@ PJ_DEF(void) pj_scan_get_n( pj_scanner *scanner,
+     
+     scanner->curptr += N;
+ 
+-    if (PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && scanner->skip_ws) {
++    if (!pj_scan_is_eof(scanner) &&
++	PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && scanner->skip_ws)
++    {
+ 	pj_scan_skip_whitespace(scanner);
+     }
+ }
+@@ -467,15 +473,16 @@ PJ_DEF(int) pj_scan_get_char( pj_scanner *scanner )
+ 
+ PJ_DEF(void) pj_scan_get_newline( pj_scanner *scanner )
+ {
+-    if (!PJ_SCAN_IS_NEWLINE(*scanner->curptr)) {
++    if (pj_scan_is_eof(scanner) || !PJ_SCAN_IS_NEWLINE(*scanner->curptr)) {
+ 	pj_scan_syntax_err(scanner);
+ 	return;
+     }
+ 
++    /* We have checked scanner->curptr validity above */
+     if (*scanner->curptr == '\r') {
+ 	++scanner->curptr;
+     }
+-    if (*scanner->curptr == '\n') {
++    if (!pj_scan_is_eof(scanner) && *scanner->curptr == '\n') {
+ 	++scanner->curptr;
+     }
+ 
+@@ -520,7 +527,9 @@ PJ_DEF(void) pj_scan_get_until( pj_scanner *scanner,
+ 
+     scanner->curptr = s;
+ 
+-    if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {
++    if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&
++	scanner->skip_ws)
++    {
+ 	pj_scan_skip_whitespace(scanner);
+     }
+ }
+@@ -544,7 +553,9 @@ PJ_DEF(void) pj_scan_get_until_ch( pj_scanner *scanner,
+ 
+     scanner->curptr = s;
+ 
+-    if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {
++    if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&
++	scanner->skip_ws)
++    {
+ 	pj_scan_skip_whitespace(scanner);
+     }
+ }
+@@ -570,7 +581,9 @@ PJ_DEF(void) pj_scan_get_until_chr( pj_scanner *scanner,
+ 
+     scanner->curptr = s;
+ 
+-    if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {
++    if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&
++	scanner->skip_ws)
++    {
+ 	pj_scan_skip_whitespace(scanner);
+     }
+ }
+@@ -585,7 +598,9 @@ PJ_DEF(void) pj_scan_advance_n( pj_scanner *scanner,
+ 
+     scanner->curptr += N;
+ 
+-    if (PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && skip_ws) {
++    if (!pj_scan_is_eof(scanner) && 
++	PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && skip_ws)
++    {
+ 	pj_scan_skip_whitespace(scanner);
+     }
+ }
+@@ -636,5 +651,3 @@ PJ_DEF(void) pj_scan_restore_state( pj_scanner *scanner,
+     scanner->line = state->line;
+     scanner->start_line = state->start_line;
+ }
+-
+-
+diff --git a/pjmedia/src/pjmedia/rtp.c b/pjmedia/src/pjmedia/rtp.c
+index 18917f18b..d29348cc5 100644
+--- a/pjmedia/src/pjmedia/rtp.c
++++ b/pjmedia/src/pjmedia/rtp.c
+@@ -188,6 +188,11 @@ PJ_DEF(pj_status_t) pjmedia_rtp_decode_rtp2(
+     /* Payload is located right after header plus CSRC */
+     offset = sizeof(pjmedia_rtp_hdr) + ((*hdr)->cc * sizeof(pj_uint32_t));
+ 
++    /* Check that offset is less than packet size */
++    if (offset >= pkt_len) {
++        return PJMEDIA_RTP_EINLEN;
++    }
++
+     /* Decode RTP extension. */
+     if ((*hdr)->x) {
+         if (offset + sizeof (pjmedia_rtp_ext_hdr) > (unsigned)pkt_len)
+@@ -202,8 +207,8 @@ PJ_DEF(pj_status_t) pjmedia_rtp_decode_rtp2(
+ 	dec_hdr->ext_len = 0;
+     }
+ 
+-    /* Check that offset is less than packet size */
+-    if (offset > pkt_len)
++    /* Check again that offset is still less than packet size */
++    if (offset >= pkt_len)
+ 	return PJMEDIA_RTP_EINLEN;
+ 
+     /* Find and set payload. */
+@@ -393,5 +398,3 @@ void pjmedia_rtp_seq_update( pjmedia_rtp_seq_session *sess,
+ 	seq_status->status.value = st.status.value;
+     }
+ }
+-
+-
+diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c
+index 3905c2f52..647f49e13 100644
+--- a/pjmedia/src/pjmedia/sdp.c
++++ b/pjmedia/src/pjmedia/sdp.c
+@@ -983,13 +983,13 @@ static void parse_version(pj_scanner *scanner,
+     ctx->last_error = PJMEDIA_SDP_EINVER;
+ 
+     /* check equal sign */
+-    if (*(scanner->curptr+1) != '=') {
++    if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
+ 	on_scanner_error(scanner);
+ 	return;
+     }
+ 
+     /* check version is 0 */
+-    if (*(scanner->curptr+2) != '0') {
++    if (scanner->curptr+2 >= scanner->end || *(scanner->curptr+2) != '0') {
+ 	on_scanner_error(scanner);
+ 	return;
+     }
+@@ -1006,7 +1006,7 @@ static void parse_origin(pj_scanner *scanner, pjmedia_sdp_session *ses,
+     ctx->last_error = PJMEDIA_SDP_EINORIGIN;
+ 
+     /* check equal sign */
+-    if (*(scanner->curptr+1) != '=') {
++    if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
+ 	on_scanner_error(scanner);
+ 	return;
+     }
+@@ -1052,7 +1052,7 @@ static void parse_time(pj_scanner *scanner, pjmedia_sdp_session *ses,
+     ctx->last_error = PJMEDIA_SDP_EINTIME;
+ 
+     /* check equal sign */
+-    if (*(scanner->curptr+1) != '=') {
++    if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
+ 	on_scanner_error(scanner);
+ 	return;
+     }
+@@ -1080,7 +1080,7 @@ static void parse_generic_line(pj_scanner *scanner, pj_str_t *str,
+     ctx->last_error = PJMEDIA_SDP_EINSDP;
+ 
+     /* check equal sign */
+-    if (*(scanner->curptr+1) != '=') {
++    if ((scanner->curptr+1 >= scanner->end) || *(scanner->curptr+1) != '=') {
+ 	on_scanner_error(scanner);
+ 	return;
+     }
+@@ -1149,7 +1149,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,
+     ctx->last_error = PJMEDIA_SDP_EINMEDIA;
+ 
+     /* check the equal sign */
+-    if (*(scanner->curptr+1) != '=') {
++    if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
+ 	on_scanner_error(scanner);
+ 	return;
+     }
+@@ -1164,6 +1164,10 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,
+     /* port */
+     pj_scan_get(scanner, &cs_token, &str);
+     med->desc.port = (unsigned short)pj_strtoul(&str);
++    if (pj_scan_is_eof(scanner)) {
++        on_scanner_error(scanner);
++        return;
++    }
+     if (*scanner->curptr == '/') {
+ 	/* port count */
+ 	pj_scan_get_char(scanner);
+@@ -1175,7 +1179,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,
+     }
+ 
+     if (pj_scan_get_char(scanner) != ' ') {
+-	PJ_THROW(SYNTAX_ERROR);
++	on_scanner_error(scanner);
+     }
+ 
+     /* transport */
+@@ -1183,7 +1187,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,
+ 
+     /* format list */
+     med->desc.fmt_count = 0;
+-    while (*scanner->curptr == ' ') {
++    while (scanner->curptr < scanner->end && *scanner->curptr == ' ') {
+ 	pj_str_t fmt;
+ 
+ 	pj_scan_get_char(scanner);
+@@ -1223,7 +1227,7 @@ static pjmedia_sdp_attr *parse_attr( pj_pool_t *pool, pj_scanner *scanner,
+     attr = PJ_POOL_ALLOC_T(pool, pjmedia_sdp_attr);
+ 
+     /* check equal sign */
+-    if (*(scanner->curptr+1) != '=') {
++    if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
+ 	on_scanner_error(scanner);
+ 	return NULL;
+     }
+@@ -1242,7 +1246,7 @@ static pjmedia_sdp_attr *parse_attr( pj_pool_t *pool, pj_scanner *scanner,
+ 	    pj_scan_get_char(scanner);
+ 
+ 	/* get value */
+-	if (*scanner->curptr != '\r' && *scanner->curptr != '\n') {
++	if (!pj_scan_is_eof(scanner) && *scanner->curptr != '\r' && *scanner->curptr != '\n') {
+ 	    pj_scan_get_until_chr(scanner, "\r\n", &attr->value);
+ 	} else {
+ 	    attr->value.ptr = NULL;
+-- 
+2.25.1
+

third-party/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch

@@ -0,0 +1,44 @@
+From 450baca94f475345542c6953832650c390889202 Mon Sep 17 00:00:00 2001
+From: sauwming <ming@teluu.com>
+Date: Tue, 7 Jun 2022 12:00:13 +0800
+Subject: [PATCH] Merge pull request from GHSA-26j7-ww69-c4qj
+
+---
+ pjlib-util/src/pjlib-util/stun_simple.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/pjlib-util/src/pjlib-util/stun_simple.c b/pjlib-util/src/pjlib-util/stun_simple.c
+index 722519584..d0549176d 100644
+--- a/pjlib-util/src/pjlib-util/stun_simple.c
++++ b/pjlib-util/src/pjlib-util/stun_simple.c
+@@ -54,6 +54,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,
+ {
+     pj_uint16_t msg_type, msg_len;
+     char *p_attr;
++    int attr_max_cnt = PJ_ARRAY_SIZE(msg->attr);
+ 
+     PJ_CHECK_STACK();
+ 
+@@ -83,7 +84,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,
+     msg->attr_count = 0;
+     p_attr = (char*)buf + sizeof(pjstun_msg_hdr);
+ 
+-    while (msg_len > 0) {
++    while (msg_len > 0 && msg->attr_count < attr_max_cnt) {
+ 	pjstun_attr_hdr **attr = &msg->attr[msg->attr_count];
+ 	pj_uint32_t len;
+ 	pj_uint16_t attr_type;
+@@ -111,6 +112,10 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,
+ 	p_attr += len;
+ 	++msg->attr_count;
+     }
++    if (msg->attr_count == attr_max_cnt) {
++	PJ_LOG(4, (THIS_FILE, "Warning: max number attribute %d reached.",
++		   attr_max_cnt));
++    }
+ 
+     return PJ_SUCCESS;
+ }
+-- 
+2.25.1
+