[Pkg-voip-commits] r7765 - in /asterisk/branches/lenny/debian: changelog patches/AST-2009-006 patches/r159246 patches/r201993 patches/r206385 patches/series
paravoid at alioth.debian.org
paravoid at alioth.debian.org
Sat Nov 7 08:29:45 UTC 2009
Author: paravoid
Date: Sat Nov 7 08:29:45 2009
New Revision: 7765
URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=7765
Log:
"IAX2 Call Number Resource Exhaustion", AST-2009-006, CVE-2009-2346.
Added:
asterisk/branches/lenny/debian/patches/r159246
asterisk/branches/lenny/debian/patches/r201993
asterisk/branches/lenny/debian/patches/r206385
Modified:
asterisk/branches/lenny/debian/changelog
asterisk/branches/lenny/debian/patches/AST-2009-006
asterisk/branches/lenny/debian/patches/series
Modified: asterisk/branches/lenny/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny/debian/changelog?rev=7765&op=diff
==============================================================================
--- asterisk/branches/lenny/debian/changelog (original)
+++ asterisk/branches/lenny/debian/changelog Sat Nov 7 08:29:45 2009
@@ -7,11 +7,12 @@
(Closes: #522528)
- "SIP responses expose valid usernames", AST-2009-008.
(Closes: #554487)
+ - "IAX2 Call Number Resource Exhaustion", AST-2009-006, CVE-2009-2346.
* Fix IAX2 encryption severe breakage. Thanks to Francois Marier for finding
the upstream bug report and preparing a fix. (Closes: #521641)
* Create the /usr/share/asterisk/agi-bin directory. (Closes: #463983)
- -- Faidon Liambotis <paravoid at debian.org> Sat, 07 Nov 2009 09:48:28 +0200
+ -- Faidon Liambotis <paravoid at debian.org> Sat, 07 Nov 2009 10:28:15 +0200
asterisk (1:1.4.21.2~dfsg-3) unstable; urgency=medium
Modified: asterisk/branches/lenny/debian/patches/AST-2009-006
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny/debian/patches/AST-2009-006?rev=7765&op=diff
==============================================================================
--- asterisk/branches/lenny/debian/patches/AST-2009-006 (original)
+++ asterisk/branches/lenny/debian/patches/AST-2009-006 Sat Nov 7 08:29:45 2009
@@ -181,15 +181,31 @@
/*!
* \brief Another container of iax2_pvt structures
@@ -882,6 +967,9 @@
+ static int decode_frame(aes_decrypt_ctx *dcx, struct ast_iax2_full_hdr *fh, struct ast_frame *f, int *datalen);
static int encrypt_frame(aes_encrypt_ctx *ecx, struct ast_iax2_full_hdr *fh, unsigned char *poo, int *datalen);
static void build_ecx_key(const unsigned char *digest, struct chan_iax2_pvt *pvt);
- static void build_rand_pad(unsigned char *buf, ssize_t len);
+static struct callno_entry *get_unused_callno(int trunk, int validated);
+static int replace_callno(const void *obj);
+static void sched_delay_remove(struct sockaddr_in *sin, struct callno_entry *callno_entry);
-
+
static const struct ast_channel_tech iax2_tech = {
.type = "IAX2",
+@@ -1185,6 +1186,15 @@
+ return NULL;
+ }
+
++static struct iax2_user *find_user(const char *name)
++{
++ struct iax2_user tmp_user = {
++ .name = name,
++ };
++
++ return ao2_find(users, &tmp_user, OBJ_POINTER);
++}
++
+ static inline struct iax2_user *user_ref(struct iax2_user *user)
+ {
+ ao2_ref(user, +1);
@@ -1346,8 +1434,7 @@
retry:
@@ -241,7 +257,7 @@
if (iaxs[callno]->oseqno) {
ast_log(LOG_WARNING, "Can't make trunk once a call has started!\n");
return -1;
-@@ -1566,35 +1665,43 @@
+@@ -1566,31 +1665,43 @@
ast_log(LOG_WARNING, "Call %d is already a trunk\n", callno);
return -1;
}
@@ -249,16 +265,12 @@
- for (x = TRUNK_CALL_START; x < ARRAY_LEN(iaxs) - 1; x++) {
- ast_mutex_lock(&iaxsl[x]);
- if (!iaxs[x] && ((now.tv_sec - lastused[x].tv_sec) > MIN_REUSE_TIME)) {
-- /* Update the two timers that should have been started */
-- /*!
-- * \note We delete these before switching the slot, because if
-- * they fire in the meantime, they will generate a warning.
-- */
-- AST_SCHED_DEL(sched, iaxs[callno]->pingid);
-- AST_SCHED_DEL(sched, iaxs[callno]->lagid);
- iaxs[x] = iaxs[callno];
- iaxs[x]->callno = x;
- iaxs[callno] = NULL;
+- /* Update the two timers that should have been started */
+- AST_SCHED_DEL(sched, iaxs[x]->pingid);
+- AST_SCHED_DEL(sched, iaxs[x]->lagid);
- iaxs[x]->pingid = iax2_sched_add(sched, ping_time * 1000, send_ping, (void *)(long)x);
- iaxs[x]->lagid = iax2_sched_add(sched, lagrq_time * 1000, send_lagrq, (void *)(long)x);
- if (locked)
@@ -993,9 +1005,9 @@
+ ast_cli(fd, " Calltoken req: %s\n", (peer->calltoken_required == CALLTOKEN_YES) ? "Yes" : ((peer->calltoken_required == CALLTOKEN_AUTO) ? "Auto" : "No"));
+
+
- ast_cli(fd, " Trunk : %s\n", ast_test_flag(peer, IAX_TRUNK) ? "Yes" : "No");
ast_cli(fd, " Callerid : %s\n", ast_callerid_merge(cbuf, sizeof(cbuf), peer->cid_name, peer->cid_num, "<unspecified>"));
ast_cli(fd, " Expire : %d\n", peer->expire);
+ ast_cli(fd, " ACL : %s\n", (peer->ha?"Yes":"No"));
@@ -2998,7 +3691,7 @@
if (!strcasecmp(tmp->name, "host")) {
struct ast_hostent ahp;
@@ -1279,9 +1291,9 @@
ast_mutex_unlock(&iaxsl[callno]);
@@ -6167,6 +7095,12 @@
+ ast_log(LOG_WARNING, "Invalid transfer request\n");
return -1;
}
- remove_by_transfercallno(pvt);
+ /* since a transfer has taken place, the address will change.
+ * This must be accounted for in the peercnts table. Remove
+ * the old address and add the new one */
@@ -1732,9 +1744,9 @@
iax2_do_debug, "Enable IAX debugging",
debug_usage },
@@ -11406,6 +12478,11 @@
+ ao2_ref(peers, -1);
ao2_ref(users, -1);
ao2_ref(iax_peercallno_pvts, -1);
- ao2_ref(iax_transfercallno_pvts, -1);
+ ao2_ref(peercnts, -1);
+ ao2_ref(callno_limits, -1);
+ ao2_ref(calltoken_ignores, -1);
@@ -1743,15 +1755,14 @@
return 0;
}
-@@ -11461,35 +12538,77 @@
- return match(&pvt2->transfer, pvt2->transfercallno, pvt2->callno, pvt,
- pvt2->frames_received) ? CMP_MATCH | CMP_STOP : 0;
+@@ -11461,29 +12538,71 @@
+ pvt2->frames_received) ? CMP_MATCH : 0;
}
-+
+
+
+static int load_objects(void)
+{
-+ peers = users = iax_peercallno_pvts = iax_transfercallno_pvts = NULL;
++ peers = users = iax_peercallno_pvts = NULL;
+ peercnts = callno_limits = calltoken_ignores = callno_pool = callno_pool_trunk = NULL;
+
+ if (!(peers = ao2_container_alloc(MAX_PEER_BUCKETS, peer_hash_cb, peer_cmp_cb))) {
@@ -1759,8 +1770,6 @@
+ } else if (!(users = ao2_container_alloc(MAX_USER_BUCKETS, user_hash_cb, user_cmp_cb))) {
+ goto container_fail;
+ } else if (!(iax_peercallno_pvts = ao2_container_alloc(IAX_MAX_CALLS, pvt_hash_cb, pvt_cmp_cb))) {
-+ goto container_fail;
-+ } else if (!(iax_transfercallno_pvts = ao2_container_alloc(IAX_MAX_CALLS, transfercallno_pvt_hash_cb, transfercallno_pvt_cmp_cb))) {
+ goto container_fail;
+ } else if (!(peercnts = ao2_container_alloc(MAX_PEER_BUCKETS, peercnt_hash_cb, peercnt_cmp_cb))) {
+ goto container_fail;
@@ -1783,9 +1792,6 @@
+ }
+ if (iax_peercallno_pvts) {
+ ao2_ref(iax_peercallno_pvts, -1);
-+ }
-+ if (iax_transfercallno_pvts) {
-+ ao2_ref(iax_transfercallno_pvts, -1);
+ }
+ if (peercnts) {
+ ao2_ref(peercnts, -1);
@@ -1829,14 +1835,7 @@
- ao2_ref(users, -1);
- return AST_MODULE_LOAD_FAILURE;
- }
-- iax_transfercallno_pvts = ao2_container_alloc(IAX_MAX_CALLS, transfercallno_pvt_hash_cb, transfercallno_pvt_cmp_cb);
-- if (!iax_transfercallno_pvts) {
-- ao2_ref(peers, -1);
-- ao2_ref(users, -1);
-- ao2_ref(iax_peercallno_pvts, -1);
-- return AST_MODULE_LOAD_FAILURE;
-- }
-+
+
+ randomcalltokendata = ast_random();
ast_custom_function_register(&iaxpeer_function);
Added: asterisk/branches/lenny/debian/patches/r159246
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny/debian/patches/r159246?rev=7765&op=file
==============================================================================
--- asterisk/branches/lenny/debian/patches/r159246 (added)
+++ asterisk/branches/lenny/debian/patches/r159246 Sat Nov 7 08:29:45 2009
@@ -1,0 +1,26 @@
+Upstream: r159246
+
+Regression fix for last security fix. Set the iseqno correctly.
+(closes issue #13918)
+
+--- a/channels/chan_iax2.c (revision 159245)
++++ b/channels/chan_iax2.c (revision 159246)
+@@ -3225,7 +3225,7 @@
+ static int send_apathetic_reply(unsigned short callno, unsigned short dcallno, struct sockaddr_in *sin, int command, int ts, unsigned char seqno)
+ {
+ struct ast_iax2_full_hdr f = { .scallno = htons(0x8000 | callno), .dcallno = htons(dcallno),
+- .ts = htonl(ts), .iseqno = seqno, .oseqno = seqno, .type = AST_FRAME_IAX,
++ .ts = htonl(ts), .iseqno = seqno, .oseqno = 0, .type = AST_FRAME_IAX,
+ .csub = compress_subclass(command) };
+
+ return sendto(defaultsockfd, &f, sizeof(f), 0, (struct sockaddr *)sin, sizeof(*sin));
+@@ -7225,7 +7225,7 @@
+ /* Deal with POKE/PONG without allocating a callno */
+ if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_POKE) {
+ /* Reply back with a PONG, but don't care about the result. */
+- send_apathetic_reply(1, ntohs(fh->scallno), &sin, IAX_COMMAND_PONG, ntohs(fh->ts), fh->oseqno);
++ send_apathetic_reply(1, ntohs(fh->scallno), &sin, IAX_COMMAND_PONG, ntohs(fh->ts), fh->iseqno + 1);
+ return 1;
+ } else if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_ACK && dcallno == 1) {
+ /* Ignore */
+
Added: asterisk/branches/lenny/debian/patches/r201993
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny/debian/patches/r201993?rev=7765&op=file
==============================================================================
--- asterisk/branches/lenny/debian/patches/r201993 (added)
+++ asterisk/branches/lenny/debian/patches/r201993 Sat Nov 7 08:29:45 2009
@@ -1,0 +1,17 @@
+Upstream r201993
+
+timestamp was being converted to host order as a short rather than a long
+
+(closes issue #15361)
+
+--- a/channels/chan_iax2.c (revision 201992)
++++ b/channels/chan_iax2.c (revision 201993)
+@@ -7466,7 +7466,7 @@
+ /* Deal with POKE/PONG without allocating a callno */
+ if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_POKE) {
+ /* Reply back with a PONG, but don't care about the result. */
+- send_apathetic_reply(1, ntohs(fh->scallno), &sin, IAX_COMMAND_PONG, ntohs(fh->ts), fh->iseqno + 1);
++ send_apathetic_reply(1, ntohs(fh->scallno), &sin, IAX_COMMAND_PONG, ntohl(fh->ts), fh->iseqno + 1);
+ return 1;
+ } else if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_ACK && dcallno == 1) {
+ /* Ignore */
Added: asterisk/branches/lenny/debian/patches/r206385
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny/debian/patches/r206385?rev=7765&op=file
==============================================================================
--- asterisk/branches/lenny/debian/patches/r206385 (added)
+++ asterisk/branches/lenny/debian/patches/r206385 Sat Nov 7 08:29:45 2009
@@ -1,0 +1,37 @@
+Upstream r206385
+
+Ensure apathetic replies are sent out on the proper socket.
+
+chan_iax2 supports multiple address bindings. The send_apathetic_reply()
+function did not attempt to send its response on the same socket that the
+incoming message came in on.
+
+--- a/channels/chan_iax2.c (revision 206384)
++++ b/channels/chan_iax2.c (revision 206385)
+@@ -3332,13 +3332,15 @@
+ char *options;
+ };
+
+-static int send_apathetic_reply(unsigned short callno, unsigned short dcallno, struct sockaddr_in *sin, int command, int ts, unsigned char seqno)
++static int send_apathetic_reply(unsigned short callno, unsigned short dcallno,
++ struct sockaddr_in *sin, int command, int ts, unsigned char seqno,
++ int sockfd)
+ {
+ struct ast_iax2_full_hdr f = { .scallno = htons(0x8000 | callno), .dcallno = htons(dcallno),
+ .ts = htonl(ts), .iseqno = seqno, .oseqno = 0, .type = AST_FRAME_IAX,
+ .csub = compress_subclass(command) };
+
+- return sendto(defaultsockfd, &f, sizeof(f), 0, (struct sockaddr *)sin, sizeof(*sin));
++ return sendto(sockfd, &f, sizeof(f), 0, (struct sockaddr *)sin, sizeof(*sin));
+ }
+
+ /*!
+@@ -7477,7 +7479,7 @@
+ /* Deal with POKE/PONG without allocating a callno */
+ if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_POKE) {
+ /* Reply back with a PONG, but don't care about the result. */
+- send_apathetic_reply(1, ntohs(fh->scallno), &sin, IAX_COMMAND_PONG, ntohl(fh->ts), fh->iseqno + 1);
++ send_apathetic_reply(1, ntohs(fh->scallno), &sin, IAX_COMMAND_PONG, ntohl(fh->ts), fh->iseqno + 1, fd);
+ return 1;
+ } else if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_ACK && dcallno == 1) {
+ /* Ignore */
Modified: asterisk/branches/lenny/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny/debian/patches/series?rev=7765&op=diff
==============================================================================
--- asterisk/branches/lenny/debian/patches/series (original)
+++ asterisk/branches/lenny/debian/patches/series Sat Nov 7 08:29:45 2009
@@ -99,4 +99,9 @@
r171264
AST-2009-003
+r159246
+r201993
+r206385
+AST-2009-006
+
AST-2009-008
More information about the Pkg-voip-commits
mailing list