Update for 13.19.2

pjproject's fmtp retrieval function failed to catch invalid fmtp attributes.
Because of this Asterisk would crash if given an SDP with an invalid fmtp
attribute.

When retrieving the format this patch now makes sure the fmtp attribute is
available. If not available it now returns an error status.

ASTERISK-27583 #close

Change-Id: I5cebe000ce2d846cae3af33b6d72c416e51caf2f

.lastclean

@@ -0,0 +1 @@
+40

.version

@@ -0,0 +1 @@
+13.19.2

CHANGES

@@ -8,6 +8,17 @@
 ===
 ==============================================================================
 
+------------------------------------------------------------------------------
+--- Functionality changes from Asterisk 13.19.1 to Asterisk 13.19.2 ----------
+------------------------------------------------------------------------------
+
+res_pjsip_transport_management
+------------------
+ * Since res_pjsip_transport_management provides several attack
+   mitigation features, its functionality moved to res_pjsip and
+   this module has been removed.  This way the features will always
+   be available if res_pjsip is loaded.
+
 ------------------------------------------------------------------------------
 --- Functionality changes from Asterisk 13.18.0 to Asterisk 13.19.0 ----------
 ------------------------------------------------------------------------------

UPGRADE.txt

@@ -21,6 +21,14 @@
 === UPGRADE-12.txt  -- Upgrade info for 11 to 12
 ===========================================================
 
+From 13.19.1 to 13.19.2:
+
+res_pjsip_transport_management:
+ - Since res_pjsip_transport_management provides several attack
+   mitigation features, its functionality moved to res_pjsip and
+   this module has been removed.  This way the features will always
+   be available if res_pjsip is loaded.
+
 From 13.17.0 to 13.18.0:
 
 Core:

asterisk-13.19.2-summary.html

@@ -0,0 +1,31 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-13.19.2</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-13.19.2</h3><h3 align="center">Date: 2018-02-21</h3><h3 align="center">&lt;asteriskteam@digium.com&gt;</h3><hr><h2 align="center">Table of Contents</h2><ol>
+<li><a href="#summary">Summary</a></li>
+<li><a href="#contributors">Contributors</a></li>
+<li><a href="#closed_issues">Closed Issues</a></li>
+<li><a href="#diffstat">Diffstat</a></li>
+</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
+<li><a href="http://downloads.asterisk.org/pub/security/AST-2018-002,AST-2018-003,AST-2018-004,AST-2018-005.html">AST-2018-002,AST-2018-003,AST-2018-004,AST-2018-005</a></li>
+</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-13.19.1.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
+<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
+<tr valign="top"><td width="33%">2 Kevin Harwell <kharwell@digium.com><br/>2 George Joseph <gjoseph@digium.com><br/>1 Joshua Colp <jcolp@digium.com><br/></td><td width="33%"><td width="33%">5 Sandro Gauci <sandro@enablesecurity.com><br/>3 Sandro Gauci<br/></td></tr>
+</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Security</h3><h4>Category: Channels/chan_pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27583">ASTERISK-27583</a>: Segmentation fault occurs in asterisk with an invalid SDP fmtp attribute<br/>Reported by: Sandro Gauci<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=f4bb71ea1b77177852525390fc4bc14193c096e1">[f4bb71ea1b]</a> Kevin Harwell -- AST-2018-003: Crash with an invalid SDP fmtp attribute</li>
+</ul><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27582">ASTERISK-27582</a>: Segmentation fault occurs in Asterisk with an invalid SDP media format description<br/>Reported by: Sandro Gauci<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=88a89a0afac179d52e79db92f26e274a313c454a">[88a89a0afa]</a> Kevin Harwell -- AST-2018-002: Crash with an invalid SDP media format description</li>
+</ul><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27640">ASTERISK-27640</a>: SUBSCRIBE message with a large Accept value causes stack corruption<br/>Reported by: Sandro Gauci<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=297f0ae05cc4b2313f51eeddfc3a45933310e7e0">[297f0ae05c]</a> Joshua Colp -- AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.</li>
+</ul><br><h4>Category: pjproject/pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-27618">ASTERISK-27618</a>: Crash occurs when sending a repeated number of INVITE messages over TCP or TLS transport<br/>Reported by: Sandro Gauci<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=61e27223dbe85027bc74cd63d4311b71a056fe34">[61e27223db]</a> George Joseph -- AST-2018-005: res_pjsip_transport_management:  Move to core</li>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=e7f59358b8d819e4e28ef544cec5d27744b8c8a4">[e7f59358b8]</a> George Joseph -- AST-2018-005: Fix tdata leaks when calling pjsip_endpt_send_response(2)</li>
+</ul><br><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>b/CHANGES                                                |   11
+b/UPGRADE.txt                                            |    8
+b/res/res_pjsip.c                                        |   14
+b/res/res_pjsip/include/res_pjsip_private.h              |   28 +
+b/res/res_pjsip/pjsip_distributor.c                      |    8
+b/res/res_pjsip/pjsip_transport_management.c             |  376 ++++++++++++++
+b/res/res_pjsip_pubsub.c                                 |    5
+b/res/res_pjsip_session.c                                |    8
+b/third-party/pjproject/patches/0070-sdp_media_fmt.patch |   19
+b/third-party/pjproject/patches/0071-sdp_fmtp_attr.patch |    5
+res/res_pjsip_transport_management.c                     |  400 ---------------
+11 files changed, 475 insertions(+), 407 deletions(-)</pre><br></html>

asterisk-13.19.2-summary.txt

@@ -0,0 +1,117 @@
+                                Release Summary
+
+                                asterisk-13.19.2
+
+                                Date: 2018-02-21
+
+                           <asteriskteam@digium.com>
+
+     ----------------------------------------------------------------------
+
+                               Table of Contents
+
+    1. Summary
+    2. Contributors
+    3. Closed Issues
+    4. Diffstat
+
+     ----------------------------------------------------------------------
+
+                                    Summary
+
+                                 [Back to Top]
+
+   This release has been made to address one or more security vulnerabilities
+   that have been identified. A security advisory document has been published
+   for each vulnerability that includes additional information. Users of
+   versions of Asterisk that are affected are strongly encouraged to review
+   the advisories and determine what action they should take to protect their
+   systems from these issues.
+
+   Security Advisories:
+
+     * AST-2018-002,AST-2018-003,AST-2018-004,AST-2018-005
+
+   The data in this summary reflects changes that have been made since the
+   previous release, asterisk-13.19.1.
+
+     ----------------------------------------------------------------------
+
+                                  Contributors
+
+                                 [Back to Top]
+
+   This table lists the people who have submitted code, those that have
+   tested patches, as well as those that reported issues on the issue tracker
+   that were resolved in this release. For coders, the number is how many of
+   their patches (of any size) were committed into this release. For testers,
+   the number is the number of times their name was listed as assisting with
+   testing a patch. Finally, for reporters, the number is the number of
+   issues that they reported that were affected by commits that went into
+   this release.
+
+   Coders                   Testers                  Reporters                
+   2 Kevin Harwell                                   5 Sandro Gauci           
+   2 George Joseph                                   3 Sandro Gauci           
+   1 Joshua Colp            
+
+     ----------------------------------------------------------------------
+
+                                 Closed Issues
+
+                                 [Back to Top]
+
+   This is a list of all issues from the issue tracker that were closed by
+   changes that went into this release.
+
+  Security
+
+    Category: Channels/chan_pjsip
+
+   ASTERISK-27583: Segmentation fault occurs in asterisk with an invalid SDP
+   fmtp attribute
+   Reported by: Sandro Gauci
+     * [f4bb71ea1b] Kevin Harwell -- AST-2018-003: Crash with an invalid SDP
+       fmtp attribute
+   ASTERISK-27582: Segmentation fault occurs in Asterisk with an invalid SDP
+   media format description
+   Reported by: Sandro Gauci
+     * [88a89a0afa] Kevin Harwell -- AST-2018-002: Crash with an invalid SDP
+       media format description
+   ASTERISK-27640: SUBSCRIBE message with a large Accept value causes stack
+   corruption
+   Reported by: Sandro Gauci
+     * [297f0ae05c] Joshua Colp -- AST-2018-004: Restrict the number of
+       Accept headers in a SUBSCRIBE.
+
+    Category: pjproject/pjsip
+
+   ASTERISK-27618: Crash occurs when sending a repeated number of INVITE
+   messages over TCP or TLS transport
+   Reported by: Sandro Gauci
+     * [61e27223db] George Joseph -- AST-2018-005:
+       res_pjsip_transport_management: Move to core
+     * [e7f59358b8] George Joseph -- AST-2018-005: Fix tdata leaks when
+       calling pjsip_endpt_send_response(2)
+
+     ----------------------------------------------------------------------
+
+                                Diffstat Results
+
+                                 [Back to Top]
+
+   This is a summary of the changes to the source code that went into this
+   release that was generated using the diffstat utility.
+
+ b/CHANGES                                                |   11
+ b/UPGRADE.txt                                            |    8
+ b/res/res_pjsip.c                                        |   14
+ b/res/res_pjsip/include/res_pjsip_private.h              |   28 +
+ b/res/res_pjsip/pjsip_distributor.c                      |    8
+ b/res/res_pjsip/pjsip_transport_management.c             |  376 ++++++++++++++
+ b/res/res_pjsip_pubsub.c                                 |    5
+ b/res/res_pjsip_session.c                                |    8
+ b/third-party/pjproject/patches/0070-sdp_media_fmt.patch |   19
+ b/third-party/pjproject/patches/0071-sdp_fmtp_attr.patch |    5
+ res/res_pjsip_transport_management.c                     |  400 ---------------
+ 11 files changed, 475 insertions(+), 407 deletions(-)

codecs/codecs.xml

@@ -3,7 +3,6 @@
 	<depend>xmlstarlet</depend>
 	<depend>bash</depend>
 	<depend>res_format_attr_opus</depend>
-	<depend>curl</depend>
 	<defaultenabled>no</defaultenabled>
 </member>
 <member name="codec_silk" displayname="Download the SILK codec from Digium.  See http://downloads.digium.com/pub/telephony/codec_silk/README.">

contrib/realtime/mssql/mssql_cdr.sql

@@ -0,0 +1,44 @@
+BEGIN TRANSACTION;
+
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+GO
+
+-- Running upgrade  -> 210693f3123d
+
+CREATE TABLE cdr (
+    accountcode VARCHAR(20) NULL, 
+    src VARCHAR(80) NULL, 
+    dst VARCHAR(80) NULL, 
+    dcontext VARCHAR(80) NULL, 
+    clid VARCHAR(80) NULL, 
+    channel VARCHAR(80) NULL, 
+    dstchannel VARCHAR(80) NULL, 
+    lastapp VARCHAR(80) NULL, 
+    lastdata VARCHAR(80) NULL, 
+    start DATETIME NULL, 
+    answer DATETIME NULL, 
+    [end] DATETIME NULL, 
+    duration INTEGER NULL, 
+    billsec INTEGER NULL, 
+    disposition VARCHAR(45) NULL, 
+    amaflags VARCHAR(45) NULL, 
+    userfield VARCHAR(256) NULL, 
+    uniqueid VARCHAR(150) NULL, 
+    linkedid VARCHAR(150) NULL, 
+    peeraccount VARCHAR(20) NULL, 
+    sequence INTEGER NULL
+);
+
+GO
+
+INSERT INTO alembic_version (version_num) VALUES ('210693f3123d');
+
+GO
+
+COMMIT;
+
+GO
+

contrib/realtime/mssql/mssql_voicemail.sql

@@ -0,0 +1,54 @@
+BEGIN TRANSACTION;
+
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+GO
+
+-- Running upgrade  -> a2e9769475e
+
+CREATE TABLE voicemail_messages (
+    dir VARCHAR(255) NOT NULL, 
+    msgnum INTEGER NOT NULL, 
+    context VARCHAR(80) NULL, 
+    macrocontext VARCHAR(80) NULL, 
+    callerid VARCHAR(80) NULL, 
+    origtime INTEGER NULL, 
+    duration INTEGER NULL, 
+    recording IMAGE NULL, 
+    flag VARCHAR(30) NULL, 
+    category VARCHAR(30) NULL, 
+    mailboxuser VARCHAR(30) NULL, 
+    mailboxcontext VARCHAR(30) NULL, 
+    msg_id VARCHAR(40) NULL
+);
+
+GO
+
+ALTER TABLE voicemail_messages ADD CONSTRAINT voicemail_messages_dir_msgnum PRIMARY KEY (dir, msgnum);
+
+GO
+
+CREATE INDEX voicemail_messages_dir ON voicemail_messages (dir);
+
+GO
+
+INSERT INTO alembic_version (version_num) VALUES ('a2e9769475e');
+
+GO
+
+-- Running upgrade a2e9769475e -> 39428242f7f5
+
+ALTER TABLE voicemail_messages ALTER COLUMN recording IMAGE;
+
+GO
+
+UPDATE alembic_version SET version_num='39428242f7f5' WHERE alembic_version.version_num = 'a2e9769475e';
+
+GO
+
+COMMIT;
+
+GO
+

contrib/realtime/mysql/mysql_cdr.sql

@@ -0,0 +1,32 @@
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+-- Running upgrade  -> 210693f3123d
+
+CREATE TABLE cdr (
+    accountcode VARCHAR(20), 
+    src VARCHAR(80), 
+    dst VARCHAR(80), 
+    dcontext VARCHAR(80), 
+    clid VARCHAR(80), 
+    channel VARCHAR(80), 
+    dstchannel VARCHAR(80), 
+    lastapp VARCHAR(80), 
+    lastdata VARCHAR(80), 
+    start DATETIME, 
+    answer DATETIME, 
+    end DATETIME, 
+    duration INTEGER, 
+    billsec INTEGER, 
+    disposition VARCHAR(45), 
+    amaflags VARCHAR(45), 
+    userfield VARCHAR(256), 
+    uniqueid VARCHAR(150), 
+    linkedid VARCHAR(150), 
+    peeraccount VARCHAR(20), 
+    sequence INTEGER
+);
+
+INSERT INTO alembic_version (version_num) VALUES ('210693f3123d');
+

contrib/realtime/mysql/mysql_voicemail.sql

@@ -0,0 +1,34 @@
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+-- Running upgrade  -> a2e9769475e
+
+CREATE TABLE voicemail_messages (
+    dir VARCHAR(255) NOT NULL, 
+    msgnum INTEGER NOT NULL, 
+    context VARCHAR(80), 
+    macrocontext VARCHAR(80), 
+    callerid VARCHAR(80), 
+    origtime INTEGER, 
+    duration INTEGER, 
+    recording BLOB, 
+    flag VARCHAR(30), 
+    category VARCHAR(30), 
+    mailboxuser VARCHAR(30), 
+    mailboxcontext VARCHAR(30), 
+    msg_id VARCHAR(40)
+);
+
+ALTER TABLE voicemail_messages ADD CONSTRAINT voicemail_messages_dir_msgnum PRIMARY KEY (dir, msgnum);
+
+CREATE INDEX voicemail_messages_dir ON voicemail_messages (dir);
+
+INSERT INTO alembic_version (version_num) VALUES ('a2e9769475e');
+
+-- Running upgrade a2e9769475e -> 39428242f7f5
+
+ALTER TABLE voicemail_messages MODIFY recording BLOB(4294967295) NULL;
+
+UPDATE alembic_version SET version_num='39428242f7f5' WHERE alembic_version.version_num = 'a2e9769475e';
+

contrib/realtime/oracle/oracle_cdr.sql

@@ -0,0 +1,38 @@
+CREATE TABLE alembic_version (
+    version_num VARCHAR2(32 CHAR) NOT NULL
+)
+
+/
+
+-- Running upgrade  -> 210693f3123d
+
+CREATE TABLE cdr (
+    accountcode VARCHAR2(20 CHAR), 
+    src VARCHAR2(80 CHAR), 
+    dst VARCHAR2(80 CHAR), 
+    dcontext VARCHAR2(80 CHAR), 
+    clid VARCHAR2(80 CHAR), 
+    channel VARCHAR2(80 CHAR), 
+    dstchannel VARCHAR2(80 CHAR), 
+    lastapp VARCHAR2(80 CHAR), 
+    lastdata VARCHAR2(80 CHAR), 
+    "start" DATE, 
+    answer DATE, 
+    end DATE, 
+    duration INTEGER, 
+    billsec INTEGER, 
+    disposition VARCHAR2(45 CHAR), 
+    amaflags VARCHAR2(45 CHAR), 
+    userfield VARCHAR2(256 CHAR), 
+    uniqueid VARCHAR2(150 CHAR), 
+    linkedid VARCHAR2(150 CHAR), 
+    peeraccount VARCHAR2(20 CHAR), 
+    sequence INTEGER
+)
+
+/
+
+INSERT INTO alembic_version (version_num) VALUES ('210693f3123d')
+
+/
+

contrib/realtime/oracle/oracle_voicemail.sql

@@ -0,0 +1,48 @@
+CREATE TABLE alembic_version (
+    version_num VARCHAR2(32 CHAR) NOT NULL
+)
+
+/
+
+-- Running upgrade  -> a2e9769475e
+
+CREATE TABLE voicemail_messages (
+    dir VARCHAR2(255 CHAR) NOT NULL, 
+    msgnum INTEGER NOT NULL, 
+    context VARCHAR2(80 CHAR), 
+    macrocontext VARCHAR2(80 CHAR), 
+    callerid VARCHAR2(80 CHAR), 
+    origtime INTEGER, 
+    duration INTEGER, 
+    recording BLOB, 
+    flag VARCHAR2(30 CHAR), 
+    category VARCHAR2(30 CHAR), 
+    mailboxuser VARCHAR2(30 CHAR), 
+    mailboxcontext VARCHAR2(30 CHAR), 
+    msg_id VARCHAR2(40 CHAR)
+)
+
+/
+
+ALTER TABLE voicemail_messages ADD CONSTRAINT voicemail_messages_dir_msgnum PRIMARY KEY (dir, msgnum)
+
+/
+
+CREATE INDEX voicemail_messages_dir ON voicemail_messages (dir)
+
+/
+
+INSERT INTO alembic_version (version_num) VALUES ('a2e9769475e')
+
+/
+
+-- Running upgrade a2e9769475e -> 39428242f7f5
+
+ALTER TABLE voicemail_messages MODIFY recording BLOB
+
+/
+
+UPDATE alembic_version SET version_num='39428242f7f5' WHERE alembic_version.version_num = 'a2e9769475e'
+
+/
+

contrib/realtime/postgresql/postgresql_cdr.sql

@@ -0,0 +1,36 @@
+BEGIN;
+
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+-- Running upgrade  -> 210693f3123d
+
+CREATE TABLE cdr (
+    accountcode VARCHAR(20), 
+    src VARCHAR(80), 
+    dst VARCHAR(80), 
+    dcontext VARCHAR(80), 
+    clid VARCHAR(80), 
+    channel VARCHAR(80), 
+    dstchannel VARCHAR(80), 
+    lastapp VARCHAR(80), 
+    lastdata VARCHAR(80), 
+    start TIMESTAMP WITHOUT TIME ZONE, 
+    answer TIMESTAMP WITHOUT TIME ZONE, 
+    "end" TIMESTAMP WITHOUT TIME ZONE, 
+    duration INTEGER, 
+    billsec INTEGER, 
+    disposition VARCHAR(45), 
+    amaflags VARCHAR(45), 
+    userfield VARCHAR(256), 
+    uniqueid VARCHAR(150), 
+    linkedid VARCHAR(150), 
+    peeraccount VARCHAR(20), 
+    sequence INTEGER
+);
+
+INSERT INTO alembic_version (version_num) VALUES ('210693f3123d');
+
+COMMIT;
+

contrib/realtime/postgresql/postgresql_voicemail.sql

@@ -0,0 +1,38 @@
+BEGIN;
+
+CREATE TABLE alembic_version (
+    version_num VARCHAR(32) NOT NULL
+);
+
+-- Running upgrade  -> a2e9769475e
+
+CREATE TABLE voicemail_messages (
+    dir VARCHAR(255) NOT NULL, 
+    msgnum INTEGER NOT NULL, 
+    context VARCHAR(80), 
+    macrocontext VARCHAR(80), 
+    callerid VARCHAR(80), 
+    origtime INTEGER, 
+    duration INTEGER, 
+    recording BYTEA, 
+    flag VARCHAR(30), 
+    category VARCHAR(30), 
+    mailboxuser VARCHAR(30), 
+    mailboxcontext VARCHAR(30), 
+    msg_id VARCHAR(40)
+);
+
+ALTER TABLE voicemail_messages ADD CONSTRAINT voicemail_messages_dir_msgnum PRIMARY KEY (dir, msgnum);
+
+CREATE INDEX voicemail_messages_dir ON voicemail_messages (dir);
+
+INSERT INTO alembic_version (version_num) VALUES ('a2e9769475e');
+
+-- Running upgrade a2e9769475e -> 39428242f7f5
+
+ALTER TABLE voicemail_messages ALTER COLUMN recording TYPE BYTEA;
+
+UPDATE alembic_version SET version_num='39428242f7f5' WHERE alembic_version.version_num = 'a2e9769475e';
+
+COMMIT;
+

main/cdr.c

@@ -371,7 +371,7 @@ static ast_cond_t cdr_pending_cond;
 /*! \brief A container of the active master CDRs indexed by Party A channel uniqueid */
 static struct ao2_container *active_cdrs_master;
 
-/*! \brief A container of all active CDRs indexed by Party B channel name */
+/*! \brief A container of all active CDRs with a Party B indexed by Party B channel name */
 static struct ao2_container *active_cdrs_all;
 
 /*! \brief Message router for stasis messages regarding channel state */
@@ -971,13 +971,21 @@ static void cdr_all_unlink(struct cdr_object *cdr)
 
 	ast_assert(cdr->is_root);
 
+	/* Hold a ref to the root CDR to ensure the list members don't go away on us. */
+	ao2_ref(cdr, +1);
 	ao2_lock(active_cdrs_all);
-	for (cur = cdr->next; cur; cur = next) {
+	for (cur = cdr; cur; cur = next) {
 		next = cur->next;
 		ao2_unlink_flags(active_cdrs_all, cur, OBJ_NOLOCK);
+		/*
+		 * It is safe to still use cur after unlinking because the
+		 * root CDR holds a ref to all the CDRs in the list and we
+		 * have a ref to the root CDR.
+		 */
 		ast_string_field_set(cur, party_b_name, "");
 	}
 	ao2_unlock(active_cdrs_all);
+	ao2_ref(cdr, -1);
 }
 
 /*!

main/loader.c

@@ -202,7 +202,7 @@ static AST_DLLIST_HEAD_STATIC(reload_queue, reload_queue_item);
  *
  * This is protected by the module_list lock.
  */
-static struct ast_module *resource_being_loaded;
+static struct ast_module * volatile resource_being_loaded;
 
 /*!
  * \internal

main/translate.c

@@ -34,7 +34,6 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
 #include <sys/time.h>
 #include <sys/resource.h>
 #include <math.h>
-#include <stdlib.h>
 
 #include "asterisk/lock.h"
 #include "asterisk/channel.h"
@@ -1322,6 +1321,13 @@ void ast_translator_deactivate(struct ast_translator *t)
 	AST_RWLIST_UNLOCK(&translators);
 }
 
+/*! Calculate the absolute difference between sample rate of two formats. */
+#define format_sample_rate_absdiff(fmt1, fmt2) ({ \
+	unsigned int rate1 = ast_format_get_sample_rate(fmt1); \
+	unsigned int rate2 = ast_format_get_sample_rate(fmt2); \
+	(rate1 > rate2 ? rate1 - rate2 : rate2 - rate1); \
+})
+
 /*! \brief Calculate our best translator source format, given costs, and a desired destination */
 int ast_translator_best_choice(struct ast_format_cap *dst_cap,
 	struct ast_format_cap *src_cap,
@@ -1406,10 +1412,8 @@ int ast_translator_best_choice(struct ast_format_cap *dst_cap,
 				beststeps = matrix_get(x, y)->multistep;
 			} else if (matrix_get(x, y)->table_cost == besttablecost
 					&& matrix_get(x, y)->multistep == beststeps) {
-				int gap_selected = abs(ast_format_get_sample_rate(best)
-					- ast_format_get_sample_rate(bestdst));
-				int gap_current = abs(ast_format_get_sample_rate(src)
-					- ast_format_get_sample_rate(dst));
+				unsigned int gap_selected = format_sample_rate_absdiff(best, bestdst);
+				unsigned int gap_current = format_sample_rate_absdiff(src, dst);
 
 				if (gap_current < gap_selected) {
 					/* better than what we have so far */

res/res_pjsip.c

@@ -3241,7 +3241,7 @@ pjsip_dialog *ast_sip_create_dialog_uas(const struct ast_sip_endpoint *endpoint,
 	ast_assert(status != NULL);
 
 	contact_hdr = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_CONTACT, NULL);
-	if (ast_sip_set_tpselector_from_ep_or_uri(endpoint, pjsip_uri_get_uri(contact_hdr->uri),
+	if (!contact_hdr || ast_sip_set_tpselector_from_ep_or_uri(endpoint, pjsip_uri_get_uri(contact_hdr->uri),
 		&selector)) {
 		return NULL;
 	}
@@ -4402,9 +4402,15 @@ static void supplement_outgoing_response(pjsip_tx_data *tdata, struct ast_sip_en
 
 int ast_sip_send_response(pjsip_response_addr *res_addr, pjsip_tx_data *tdata, struct ast_sip_endpoint *sip_endpoint)
 {
-	supplement_outgoing_response(tdata, sip_endpoint);
+	pj_status_t status;
 
-	return pjsip_endpt_send_response(ast_sip_get_pjsip_endpoint(), res_addr, tdata, NULL, NULL);
+	supplement_outgoing_response(tdata, sip_endpoint);
+	status = pjsip_endpt_send_response(ast_sip_get_pjsip_endpoint(), res_addr, tdata, NULL, NULL);
+	if (status != PJ_SUCCESS) {
+		pjsip_tx_data_dec_ref(tdata);
+	}
+
+	return status == PJ_SUCCESS ? 0 : -1;
 }
 
 int ast_sip_send_stateful_response(pjsip_rx_data *rdata, pjsip_tx_data *tdata, struct ast_sip_endpoint *sip_endpoint)
@@ -4657,6 +4663,7 @@ static int unload_pjsip(void *data)
 		internal_sip_destroy_outbound_authentication();
 		ast_res_pjsip_cleanup_message_filter();
 		ast_sip_destroy_distributor();
+		ast_sip_destroy_transport_management();
 		ast_res_pjsip_destroy_configuration();
 		ast_sip_destroy_system();
 		ast_sip_destroy_global_headers();
@@ -4819,6 +4826,11 @@ static int load_module(void)
 		goto error;
 	}
 
+	if (ast_sip_initialize_transport_management()) {
+		ast_log(LOG_ERROR, "Failed to initialize SIP transport management. Aborting load\n");
+		goto error;
+	}
+
 	if (ast_sip_initialize_distributor()) {
 		ast_log(LOG_ERROR, "Failed to register distributor module. Aborting load\n");
 		goto error;

res/res_pjsip/include/res_pjsip_private.h

@@ -419,4 +419,32 @@ void internal_res_pjsip_ref(void);
  */
 void internal_res_pjsip_unref(void);
 
+/*!
+ * \internal
+ * \brief Initialize the transport management module
+ * \since 13.20.0
+ *
+ * The transport management module is responsible for 3 things...
+ * 1.  It automatically destroys any reliable transport that does not
+ * receive a valid request within system/timer_b milliseconds of the
+ * connection being opened. (Attack mitigation)
+ * 2.  Since it increments the reliable transport's reference count
+ * for that period of time, it also prevents issues if the transport
+ * disconnects while we're still trying to process a response.
+ *  (Attack mitigation)
+ * 3.  If enabled by global/keep_alive_interval, it sends '\r\n'
+ * keepalives on reliable transports at the interval specified.
+ *
+ * \retval -1 Failure
+ * \retval 0 Success
+ */
+int ast_sip_initialize_transport_management(void);
+
+/*!
+ * \internal
+ * \brief Destruct the transport management module.
+ * \since 13.20.0
+ */
+void ast_sip_destroy_transport_management(void);
+
 #endif /* RES_PJSIP_PRIVATE_H_ */

res/res_pjsip/pjsip_distributor.c

@@ -844,7 +844,9 @@ static pj_bool_t authenticate(pjsip_rx_data *rdata)
 		case AST_SIP_AUTHENTICATION_CHALLENGE:
 			/* Send the 401 we created for them */
 			ast_sip_report_auth_challenge_sent(endpoint, rdata, tdata);
-			pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL);
+			if (pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL) != PJ_SUCCESS) {
+				pjsip_tx_data_dec_ref(tdata);
+			}
 			return PJ_TRUE;
 		case AST_SIP_AUTHENTICATION_SUCCESS:
 			/* See note in endpoint_lookup about not holding an unnecessary write lock */
@@ -857,7 +859,9 @@ static pj_bool_t authenticate(pjsip_rx_data *rdata)
 		case AST_SIP_AUTHENTICATION_FAILED:
 			log_failed_request(rdata, "Failed to authenticate", 0, 0);
 			ast_sip_report_auth_failed_challenge_response(endpoint, rdata);
-			pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL);
+			if (pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL) != PJ_SUCCESS) {
+				pjsip_tx_data_dec_ref(tdata);
+			}
 			return PJ_TRUE;
 		case AST_SIP_AUTHENTICATION_ERROR:
 			log_failed_request(rdata, "Error to authenticate", 0, 0);

res/res_pjsip/pjsip_message_filter.c

@@ -429,15 +429,27 @@ static pj_bool_t on_rx_process_uris(pjsip_rx_data *rdata)
 		return PJ_TRUE;
 	}
 
-	while ((contact =
-		(pjsip_contact_hdr *) pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_CONTACT,
-			contact ? contact->next : NULL))) {
+
+	contact = (pjsip_contact_hdr *) pjsip_msg_find_hdr(
+		rdata->msg_info.msg, PJSIP_H_CONTACT, NULL);
+
+	if (!contact && pjsip_method_creates_dialog(&rdata->msg_info.msg->line.req.method)) {
+		/* A contact header is required for dialog creating methods */
+		static const pj_str_t missing_contact = { "Missing Contact header", 22 };
+		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 400,
+				&missing_contact, NULL, NULL);
+		return PJ_TRUE;
+	}
+
+	while (contact) {
 		if (!contact->star && !is_sip_uri(contact->uri)) {
 			print_uri_debug(URI_TYPE_CONTACT, rdata, (pjsip_hdr *)contact);
 			pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata,
 				PJSIP_SC_UNSUPPORTED_URI_SCHEME, NULL, NULL, NULL);
 			return PJ_TRUE;
 		}
+		contact = (pjsip_contact_hdr *) pjsip_msg_find_hdr(
+			rdata->msg_info.msg, PJSIP_H_CONTACT, contact->next);
 	}
 
 	return PJ_FALSE;

res/res_pjsip/pjsip_transport_management.c

@@ -16,12 +16,6 @@
  * at the top of the source tree.
  */
 
-/*** MODULEINFO
-	<depend>pjproject</depend>
-	<depend>res_pjsip</depend>
-	<support_level>core</support_level>
- ***/
-
 #include "asterisk.h"
 
 #include <signal.h>
@@ -32,6 +26,7 @@
 #include "asterisk/res_pjsip.h"
 #include "asterisk/module.h"
 #include "asterisk/astobj2.h"
+#include "include/res_pjsip_private.h"
 
 /*! \brief Number of buckets for monitored transports */
 #define TRANSPORTS_BUCKETS 127
@@ -319,12 +314,10 @@ static pjsip_module idle_monitor_module = {
 	.on_rx_request = idle_monitor_on_rx_request,
 };
 
-static int load_module(void)
+int ast_sip_initialize_transport_management(void)
 {
 	struct ao2_container *transports;
 
-	CHECK_PJSIP_MODULE_LOADED();
-
 	transports = ao2_container_alloc(TRANSPORTS_BUCKETS, monitored_transport_hash_fn,
 		monitored_transport_cmp_fn);
 	if (!transports) {
@@ -356,11 +349,10 @@ static int load_module(void)
 	ast_sorcery_observer_add(ast_sip_get_sorcery(), "global", &keepalive_global_observer);
 	ast_sorcery_reload_object(ast_sip_get_sorcery(), "global");
 
-	ast_module_shutdown_ref(ast_module_info->self);
 	return AST_MODULE_LOAD_SUCCESS;
 }
 
-static int unload_module(void)
+void ast_sip_destroy_transport_management(void)
 {
 	if (keepalive_interval) {
 		keepalive_interval = 0;
@@ -381,20 +373,4 @@ static int unload_module(void)
 	sched = NULL;
 
 	ao2_global_obj_release(monitored_transports);
-
-	return 0;
 }
-
-static int reload_module(void)
-{
-	ast_sorcery_reload_object(ast_sip_get_sorcery(), "global");
-	return 0;
-}
-
-AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP Reliable Transport Management",
-	.support_level = AST_MODULE_SUPPORT_CORE,
-	.load = load_module,
-	.reload = reload_module,
-	.unload = unload_module,
-	.load_pri = AST_MODPRI_CHANNEL_DEPEND - 4,
-);

res/res_pjsip_pubsub.c

@@ -613,8 +613,12 @@ static void subscription_persistence_update(struct sip_subscription_tree *sub_tr
 		expires = expires_hdr ? expires_hdr->ivalue : DEFAULT_PUBLISH_EXPIRES;
 		sub_tree->persistence->expires = ast_tvadd(ast_tvnow(), ast_samp2tv(expires, 1));
 
-		pjsip_uri_print(PJSIP_URI_IN_CONTACT_HDR, contact_hdr->uri,
-			sub_tree->persistence->contact_uri, sizeof(sub_tree->persistence->contact_uri));
+		if (contact_hdr) {
+			pjsip_uri_print(PJSIP_URI_IN_CONTACT_HDR, contact_hdr->uri,
+					sub_tree->persistence->contact_uri, sizeof(sub_tree->persistence->contact_uri));
+		} else {
+			ast_log(LOG_WARNING, "Contact not updated due to missing contact header\n");
+		}
 
 		/* When receiving a packet on an streaming transport, it's possible to receive more than one SIP
 		 * message at a time into the rdata->pkt_info.packet buffer. However, the rdata->msg_info.msg_buf
@@ -728,10 +732,11 @@ static struct ast_sip_pubsub_body_generator *subscription_get_generator_from_rda
 	char accept[AST_SIP_MAX_ACCEPT][64];
 	size_t num_accept_headers = 0;
 
-	while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next))) {
+	while ((accept_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_ACCEPT, accept_header->next)) &&
+		(num_accept_headers < AST_SIP_MAX_ACCEPT)) {
 		int i;
 
-		for (i = 0; i < accept_header->count; ++i) {
+		for (i = 0; i < accept_header->count && num_accept_headers < AST_SIP_MAX_ACCEPT; ++i) {
 			if (!exceptional_accept(&accept_header->values[i])) {
 				ast_copy_pj_str(accept[num_accept_headers], &accept_header->values[i], sizeof(accept[num_accept_headers]));
 				++num_accept_headers;

res/res_pjsip_session.c

@@ -1083,7 +1083,9 @@ static pj_bool_t session_reinvite_on_rx_request(pjsip_rx_data *rdata)
 
 		/* Otherwise this is a new re-invite, so reject it */
 		if (pjsip_dlg_create_response(dlg, rdata, 491, NULL, &tdata) == PJ_SUCCESS) {
-			pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL);
+			if (pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL) != PJ_SUCCESS) {
+				pjsip_tx_data_dec_ref(tdata);
+			}
 		}
 
 		return PJ_TRUE;
@@ -2051,7 +2053,9 @@ static pjsip_inv_session *pre_session_setup(pjsip_rx_data *rdata, const struct a
 
 	if (pjsip_inv_verify_request(rdata, &options, NULL, NULL, ast_sip_get_pjsip_endpoint(), &tdata) != PJ_SUCCESS) {
 		if (tdata) {
-			pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL);
+			if (pjsip_endpt_send_response2(ast_sip_get_pjsip_endpoint(), rdata, tdata, NULL, NULL) != PJ_SUCCESS) {
+				pjsip_tx_data_dec_ref(tdata);
+			}
 		} else {
 			pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);
 		}

third-party/pjproject/patches/0070-sdp_media_fmt.patch

@@ -0,0 +1,19 @@
+diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c
+index a3dd80b..0a13206 100644
+--- a/pjmedia/src/pjmedia/sdp.c
++++ b/pjmedia/src/pjmedia/sdp.c
+@@ -1516,11 +1516,12 @@ PJ_DEF(pj_status_t) pjmedia_sdp_validate2(const pjmedia_sdp_session *sdp,
+ 	     * RTC based programs sends "null" for instant messaging!
+ 	     */
+ 	    if (pj_isdigit(*m->desc.fmt[j].ptr)) {
+-		unsigned pt = pj_strtoul(&m->desc.fmt[j]);
++		unsigned long pt;
++		pj_status_t status = pj_strtoul3(&m->desc.fmt[j], &pt, 10);
+ 
+ 		/* Payload type is between 0 and 127. 
+ 		 */
+-		CHECK( pt <= 127, PJMEDIA_SDP_EINPT);
++		CHECK( status == PJ_SUCCESS && pt <= 127, PJMEDIA_SDP_EINPT);
+ 
+ 		/* If port is not zero, then for each dynamic payload type, an
+ 		 * rtpmap attribute must be specified.

third-party/pjproject/patches/0071-sdp_fmtp_attr.patch

@@ -0,0 +1,34 @@
+diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c
+index a3dd80b..6117e07 100644
+--- a/pjmedia/src/pjmedia/sdp.c
++++ b/pjmedia/src/pjmedia/sdp.c
+@@ -256,7 +256,8 @@ PJ_DEF(pj_status_t) pjmedia_sdp_attr_get_rtpmap( const pjmedia_sdp_attr *attr,
+ 
+     PJ_ASSERT_RETURN(pj_strcmp2(&attr->name, "rtpmap")==0, PJ_EINVALIDOP);
+ 
+-    PJ_ASSERT_RETURN(attr->value.slen != 0, PJMEDIA_SDP_EINATTR);
++    if (attr->value.slen == 0)
++        return PJMEDIA_SDP_EINATTR;
+ 
+     init_sdp_parser();
+ 
+@@ -341,6 +342,9 @@ PJ_DEF(pj_status_t) pjmedia_sdp_attr_get_fmtp( const pjmedia_sdp_attr *attr,
+ 
+     PJ_ASSERT_RETURN(pj_strcmp2(&attr->name, "fmtp")==0, PJ_EINVALIDOP);
+ 
++    if (attr->value.slen == 0)
++        return PJMEDIA_SDP_EINATTR;
++
+     /* fmtp BNF:
+      *	a=fmtp:<format> <format specific parameter>
+      */
+@@ -379,6 +383,9 @@ PJ_DEF(pj_status_t) pjmedia_sdp_attr_get_rtcp(const pjmedia_sdp_attr *attr,
+ 
+     PJ_ASSERT_RETURN(pj_strcmp2(&attr->name, "rtcp")==0, PJ_EINVALIDOP);
+ 
++    if (attr->value.slen == 0)
++        return PJMEDIA_SDP_EINATTR;
++
+     init_sdp_parser();
+ 
+     /* fmtp BNF: