[Pkg-voip-commits] r8886 - in /asterisk/branches/squeeze/debian: changelog patches/AST-2011-005 patches/AST-2011-005-p2 patches/AST-2011-006 patches/series
tzafrir at alioth.debian.org
tzafrir at alioth.debian.org
Fri Apr 22 07:55:29 UTC 2011
Author: tzafrir
Date: Fri Apr 22 07:55:08 2011
New Revision: 8886
URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=8886
Log:
Rearanging the patches.
Added:
asterisk/branches/squeeze/debian/patches/AST-2011-005-p2
- copied, changed from r8881, asterisk/branches/squeeze/debian/patches/AST-2011-006
Modified:
asterisk/branches/squeeze/debian/changelog
asterisk/branches/squeeze/debian/patches/AST-2011-005
asterisk/branches/squeeze/debian/patches/AST-2011-006
asterisk/branches/squeeze/debian/patches/series
Modified: asterisk/branches/squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/changelog?rev=8886&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/changelog (original)
+++ asterisk/branches/squeeze/debian/changelog Fri Apr 22 07:55:08 2011
@@ -3,8 +3,9 @@
* Patch AST-2011-002 (CVE-2011-1147): Multiple crash vulnerabilities in
UDPTL code (Closes: #614580).
* Patch AST-2011-005: Resource exhaustion in Asterisk Manager Interface
- * Patch AST-2011-006: Resource exhaustion in chan_skinny and AJAM
+ * Patch AST-2011-005-p2: Resource exhaustion in chan_skinny and AJAM
(Closes: #618790).
+ * Patch AST-2011-006: Check for "system" privilege in the manager interface
* Patches AST-2011-003, manager_manager_bugfix_reload - its pre-requirements.
* Patch AST-2011-004: Remote crash vulnerability in TCP/TLS server
(Closes: #618791).
Modified: asterisk/branches/squeeze/debian/patches/AST-2011-005
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2011-005?rev=8886&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2011-005 (original)
+++ asterisk/branches/squeeze/debian/patches/AST-2011-005 Fri Apr 22 07:55:08 2011
@@ -10,6 +10,10 @@
The manager interface is disabled by default in upstream, but enabled
by default (listening on localhost only) in the version in Debian 5.0 (Lenny)
and 6.0 (Squeeze).
+
+There is a followup patch AST-2011-005-p2
+
+CVE: CVE-2011-1507
See also http://downloads.asterisk.org/pub/security/AST-2011-005.html
Copied: asterisk/branches/squeeze/debian/patches/AST-2011-005-p2 (from r8881, asterisk/branches/squeeze/debian/patches/AST-2011-006)
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2011-005-p2?rev=8886&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2011-006 (original)
+++ asterisk/branches/squeeze/debian/patches/AST-2011-005-p2 Fri Apr 22 07:55:08 2011
@@ -1,6 +1,6 @@
From: Matthew Nicholson <mnicholson at digium.com>
Date: Thu, 21 Apr 2011 18:22:19 +0000
-Bug: https://issues.asterisk.org/view.php?id=18787
+Bug: https://issues.asterisk.org/view.php?id=18996
Subject: limits unauthenticated TCP sessions
Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=314620
@@ -19,10 +19,9 @@
Manager over HTTP is not enabled by default on Debian.
-See also:
- https://issues.asterisk.org/view.php?id=18996
- http://downloads.asterisk.org/pub/security/AST-2011-005.html
- http://downloads.asterisk.org/pub/security/AST-2011-006.html
+CVE: CVE-2011-1507
+
+See also http://downloads.asterisk.org/pub/security/AST-2011-005.html
---
channels/chan_sip.c | 162 ++++++++++++++++++++++++++++++++++++++++++--
@@ -31,8 +30,7 @@
configs/sip.conf.sample | 10 +++
configs/skinny.conf.sample | 9 +++
main/http.c | 15 ++++
- main/manager.c | 34 +++++----
- 7 files changed, 288 insertions(+), 25 deletions(-)
+ 6 files changed, 268 insertions(+), 11 deletions(-)
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -577,53 +575,3 @@
} else {
ast_log(LOG_WARNING, "Ignoring unknown option '%s' in http.conf\n", v->name);
}
---- a/main/manager.c
-+++ b/main/manager.c
-@@ -2497,6 +2497,25 @@ static int action_originate(struct manse
- format = 0;
- ast_parse_allow_disallow(NULL, &format, codecs, 1);
- }
-+ if (!ast_strlen_zero(app)) {
-+ /* To run the System application (or anything else that goes to
-+ * shell), you must have the additional System privilege */
-+ if (!(s->session->writeperm & EVENT_FLAG_SYSTEM)
-+ && (
-+ strcasestr(app, "system") || /* System(rm -rf /)
-+ TrySystem(rm -rf /) */
-+ strcasestr(app, "exec") || /* Exec(System(rm -rf /))
-+ TryExec(System(rm -rf /)) */
-+ strcasestr(app, "agi") || /* AGI(/bin/rm,-rf /)
-+ EAGI(/bin/rm,-rf /) */
-+ strstr(appdata, "SHELL") || /* NoOp(${SHELL(rm -rf /)}) */
-+ strstr(appdata, "EVAL") /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
-+ )) {
-+ astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
-+ return 0;
-+ }
-+ }
-+
- if (ast_true(async)) {
- struct fast_originate_helper *fast = ast_calloc(1, sizeof(*fast));
- if (!fast) {
-@@ -2527,21 +2546,6 @@ static int action_originate(struct manse
- }
- }
- } else if (!ast_strlen_zero(app)) {
-- /* To run the System application (or anything else that goes to shell), you must have the additional System privilege */
-- if (!(s->session->writeperm & EVENT_FLAG_SYSTEM)
-- && (
-- strcasestr(app, "system") == 0 || /* System(rm -rf /)
-- TrySystem(rm -rf /) */
-- strcasestr(app, "exec") || /* Exec(System(rm -rf /))
-- TryExec(System(rm -rf /)) */
-- strcasestr(app, "agi") || /* AGI(/bin/rm,-rf /)
-- EAGI(/bin/rm,-rf /) */
-- strstr(appdata, "SHELL") || /* NoOp(${SHELL(rm -rf /)}) */
-- strstr(appdata, "EVAL") /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
-- )) {
-- astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
-- return 0;
-- }
- res = ast_pbx_outgoing_app(tech, format, data, to, app, appdata, &reason, 1, l, n, vars, account, NULL);
- } else {
- if (exten && context && pi)
Modified: asterisk/branches/squeeze/debian/patches/AST-2011-006
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2011-006?rev=8886&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2011-006 (original)
+++ asterisk/branches/squeeze/debian/patches/AST-2011-006 Fri Apr 22 07:55:08 2011
@@ -1,582 +1,26 @@
From: Matthew Nicholson <mnicholson at digium.com>
Date: Thu, 21 Apr 2011 18:22:19 +0000
Bug: https://issues.asterisk.org/view.php?id=18787
-Subject: limits unauthenticated TCP sessions
Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=314620
+Subject: Check for "system" privilege in the manager interface
-Added limits to the number of unauthenticated sessions TCP based protocols
-are allowed to have open simultaneously. Also added timeouts for
-unauthenticated sessions where it made sense to do so.
+This fix adds the missing test (added in later version, though apparently
+in a slightly wrong location) for the "system" write permissions in case
+a manager user attempts to execute an action that may eventually execute
+a shell command.
-Unrelated, the manager interface now properly checks if the user has the
-"system" privilege before executing shell commands via the Originate action.
-
-This is a followup to AST-2011-005. It applies a similar fix to chan_skinny
-and to manager interface over HTTP.
-
-Skinny, or SCCP, is enabled by default (though not used in most settings).
-To disable: 'noload => chan_skinny.so' in /etc/asterisk/modules.conf .
-
-Manager over HTTP is not enabled by default on Debian.
+Note that:
+1. In order to explit this one must already gain authenticated access to
+ the manager interface with some sort of write access.
+2. Asterisk is never run as root in Debian (if you use standard init.d
+ script, which slightly reduces the impact of this.
+3. Many poorly-written sample manager.conf config files just give any
+ manager user all priviliges. There's all to big a chance the manager
+ user already has the 'system' write priv (write=system in manager.conf).
See also:
- https://issues.asterisk.org/view.php?id=18996
- http://downloads.asterisk.org/pub/security/AST-2011-005.html
http://downloads.asterisk.org/pub/security/AST-2011-006.html
----
- channels/chan_sip.c | 162 ++++++++++++++++++++++++++++++++++++++++++--
- channels/chan_skinny.c | 78 ++++++++++++++++++++-
- configs/http.conf.sample | 5 ++
- configs/sip.conf.sample | 10 +++
- configs/skinny.conf.sample | 9 +++
- main/http.c | 15 ++++
- main/manager.c | 34 +++++----
- 7 files changed, 288 insertions(+), 25 deletions(-)
-
---- a/channels/chan_sip.c
-+++ b/channels/chan_sip.c
-@@ -500,6 +500,8 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revisi
- #define DEFAULT_MWI_EXPIRY 3600
- #define DEFAULT_REGISTRATION_TIMEOUT 20
- #define DEFAULT_MAX_FORWARDS "70"
-+#define DEFAULT_AUTHLIMIT 100
-+#define DEFAULT_AUTHTIMEOUT 30
-
- /* guard limit must be larger than guard secs */
- /* guard min must be < 1000, and should be >= 250 */
-@@ -552,6 +554,10 @@ static int mwi_expiry = DEFAULT_MWI_EXPI
-
- #define SDP_MAX_RTPMAP_CODECS 32 /*!< Maximum number of codecs allowed in received SDP */
-
-+static int unauth_sessions = 0;
-+static int authlimit = DEFAULT_AUTHLIMIT;
-+static int authtimeout = DEFAULT_AUTHTIMEOUT;
-+
- /*! \brief Global jitterbuffer configuration - by default, jb is disabled */
- static struct ast_jb_conf default_jbconf =
- {
-@@ -1212,6 +1218,7 @@ struct sip_request {
- char debug; /*!< print extra debugging if non zero */
- char has_to_tag; /*!< non-zero if packet has To: tag */
- char ignore; /*!< if non-zero This is a re-transmit, ignore it */
-+ char authenticated; /*!< non-zero if this request was authenticated */
- /* Array of offsets into the request string of each SIP header*/
- ptrdiff_t header[SIP_MAX_HEADERS];
- /* Array of offsets into the request string of each SDP line*/
-@@ -2908,21 +2915,48 @@ static void *sip_tcp_worker_fn(void *dat
- return _sip_tcp_helper_thread(NULL, tcptls_session);
- }
-
-+/*! \brief Check if the authtimeout has expired.
-+ * \param start the time when the session started
-+ *
-+ * \retval 0 the timeout has expired
-+ * \retval -1 error
-+ * \return the number of milliseconds until the timeout will expire
-+ */
-+static int sip_check_authtimeout(time_t start)
-+{
-+ int timeout;
-+ time_t now;
-+ if(time(&now) == -1) {
-+ ast_log(LOG_ERROR, "error executing time(): %s\n", strerror(errno));
-+ return -1;
-+ }
-+
-+ timeout = (authtimeout - (now - start)) * 1000;
-+ if (timeout < 0) {
-+ /* we have timed out */
-+ return 0;
-+ }
-+
-+ return timeout;
-+}
-+
- /*! \brief SIP TCP thread management function
- This function reads from the socket, parses the packet into a request
- */
- static void *_sip_tcp_helper_thread(struct sip_pvt *pvt, struct ast_tcptls_session_instance *tcptls_session)
- {
-- int res, cl;
-+ int res, cl, timeout = -1, authenticated = 0, flags;
-+ time_t start;
- struct sip_request req = { 0, } , reqcpy = { 0, };
- struct sip_threadinfo *me = NULL;
- char buf[1024] = "";
- struct pollfd fds[2] = { { 0 }, { 0 }, };
- struct ast_tcptls_session_args *ca = NULL;
-
-- /* If this is a server session, then the connection has already been setup,
-- * simply create the threadinfo object so we can access this thread for writing.
-- *
-+ /* If this is a server session, then the connection has already been
-+ * setup. Check if the authlimit has been reached and if not create the
-+ * threadinfo object so we can access this thread for writing.
-+ *
- * if this is a client connection more work must be done.
- * 1. We own the parent session args for a client connection. This pointer needs
- * to be held on to so we can decrement it's ref count on thread destruction.
-@@ -2931,6 +2965,22 @@ static void *_sip_tcp_helper_thread(stru
- * 3. Last, the tcptls_session must be started.
- */
- if (!tcptls_session->client) {
-+ if (ast_atomic_fetchadd_int(&unauth_sessions, +1) >= authlimit) {
-+ /* unauth_sessions is decremented in the cleanup code */
-+ goto cleanup;
-+ }
-+
-+ if ((flags = fcntl(tcptls_session->fd, F_GETFL)) == -1) {
-+ ast_log(LOG_ERROR, "error setting socket to non blocking mode, fcntl() failed: %s\n", strerror(errno));
-+ goto cleanup;
-+ }
-+
-+ flags |= O_NONBLOCK;
-+ if (fcntl(tcptls_session->fd, F_SETFL, flags) == -1) {
-+ ast_log(LOG_ERROR, "error setting socket to non blocking mode, fcntl() failed: %s\n", strerror(errno));
-+ goto cleanup;
-+ }
-+
- if (!(me = sip_threadinfo_create(tcptls_session, tcptls_session->ssl ? SIP_TRANSPORT_TLS : SIP_TRANSPORT_TCP))) {
- goto cleanup;
- }
-@@ -2960,14 +3010,41 @@ static void *_sip_tcp_helper_thread(stru
- if (!(reqcpy.data = ast_str_create(SIP_MIN_PACKET)))
- goto cleanup;
-
-+ if(time(&start) == -1) {
-+ ast_log(LOG_ERROR, "error executing time(): %s\n", strerror(errno));
-+ goto cleanup;
-+ }
-+
- for (;;) {
- struct ast_str *str_save;
-
-- res = ast_poll(fds, 2, -1); /* polls for both socket and alert_pipe */
-+ if (!tcptls_session->client && req.authenticated && !authenticated) {
-+ authenticated = 1;
-+ ast_atomic_fetchadd_int(&unauth_sessions, -1);
-+ }
-+
-+ /* calculate the timeout for unauthenticated server sessions */
-+ if (!tcptls_session->client && !authenticated ) {
-+ if ((timeout = sip_check_authtimeout(start)) < 0) {
-+ goto cleanup;
-+ }
-+
-+ if (timeout == 0) {
-+ ast_debug(2, "SIP %s server timed out\n", tcptls_session->ssl ? "SSL": "TCP");
-+ goto cleanup;
-+ }
-+ } else {
-+ timeout = -1;
-+ }
-
-+ res = ast_poll(fds, 2, timeout); /* polls for both socket and alert_pipe */
- if (res < 0) {
- ast_debug(2, "SIP %s server :: ast_wait_for_input returned %d\n", tcptls_session->ssl ? "SSL": "TCP", res);
- goto cleanup;
-+ } else if (res == 0) {
-+ /* timeout */
-+ ast_debug(2, "SIP %s server timed out\n", tcptls_session->ssl ? "SSL": "TCP");
-+ goto cleanup;
- }
-
- /* handle the socket event, check for both reads from the socket fd,
-@@ -3000,6 +3077,29 @@ static void *_sip_tcp_helper_thread(stru
-
- /* Read in headers one line at a time */
- while (req.len < 4 || strncmp(REQ_OFFSET_TO_STR(&req, len - 4), "\r\n\r\n", 4)) {
-+ if (!tcptls_session->client && !authenticated ) {
-+ if ((timeout = sip_check_authtimeout(start)) < 0) {
-+ goto cleanup;
-+ }
-+
-+ if (timeout == 0) {
-+ ast_debug(2, "SIP %s server timed out\n", tcptls_session->ssl ? "SSL": "TCP");
-+ goto cleanup;
-+ }
-+ } else {
-+ timeout = -1;
-+ }
-+
-+ res = ast_wait_for_input(tcptls_session->fd, timeout);
-+ if (res < 0) {
-+ ast_debug(2, "SIP %s server :: ast_wait_for_input returned %d\n", tcptls_session->ssl ? "SSL": "TCP", res);
-+ goto cleanup;
-+ } else if (res == 0) {
-+ /* timeout */
-+ ast_debug(2, "SIP %s server timed out\n", tcptls_session->ssl ? "SSL": "TCP");
-+ goto cleanup;
-+ }
-+
- ast_mutex_lock(&tcptls_session->lock);
- if (!fgets(buf, sizeof(buf), tcptls_session->f)) {
- ast_mutex_unlock(&tcptls_session->lock);
-@@ -3017,6 +3117,29 @@ static void *_sip_tcp_helper_thread(stru
- if (sscanf(get_header(&reqcpy, "Content-Length"), "%30d", &cl)) {
- while (cl > 0) {
- size_t bytes_read;
-+ if (!tcptls_session->client && !authenticated ) {
-+ if ((timeout = sip_check_authtimeout(start)) < 0) {
-+ goto cleanup;
-+ }
-+
-+ if (timeout == 0) {
-+ ast_debug(2, "SIP %s server timed out", tcptls_session->ssl ? "SSL": "TCP");
-+ goto cleanup;
-+ }
-+ } else {
-+ timeout = -1;
-+ }
-+
-+ res = ast_wait_for_input(tcptls_session->fd, timeout);
-+ if (res < 0) {
-+ ast_debug(2, "SIP %s server :: ast_wait_for_input returned %d\n", tcptls_session->ssl ? "SSL": "TCP", res);
-+ goto cleanup;
-+ } else if (res == 0) {
-+ /* timeout */
-+ ast_debug(2, "SIP %s server timed out", tcptls_session->ssl ? "SSL": "TCP");
-+ goto cleanup;
-+ }
-+
- ast_mutex_lock(&tcptls_session->lock);
- if (!(bytes_read = fread(buf, 1, MIN(sizeof(buf) - 1, cl), tcptls_session->f))) {
- ast_mutex_unlock(&tcptls_session->lock);
-@@ -3074,6 +3197,10 @@ static void *_sip_tcp_helper_thread(stru
- ast_debug(2, "Shutting down thread for %s server\n", tcptls_session->ssl ? "SSL" : "TCP");
-
- cleanup:
-+ if (!tcptls_session->client && !authenticated) {
-+ ast_atomic_fetchadd_int(&unauth_sessions, -1);
-+ }
-+
- if (me) {
- ao2_t_unlink(threadt, me, "Removing tcptls helper thread, thread is closing");
- ao2_t_ref(me, -1, "Removing tcp_helper_threads threadinfo ref");
-@@ -20092,6 +20219,8 @@ static int handle_request_invite(struct
- }
- }
-
-+ req->authenticated = 1;
-+
- /* We have a succesful authentication, process the SDP portion if there is one */
- if (find_sdp(req)) {
- if (process_sdp(p, req, SDP_T38_INITIATE)) {
-@@ -21640,8 +21769,10 @@ static int handle_request_register(struc
- get_header(req, "To"), ast_inet_ntoa(sin->sin_addr),
- reason);
- append_history(p, "RegRequest", "Failed : Account %s : %s", get_header(req, "To"), reason);
-- } else
-+ } else {
-+ req->authenticated = 1;
- append_history(p, "RegRequest", "Succeeded : Account %s", get_header(req, "To"));
-+ }
-
- if (res < 1) {
- /* Destroy the session, but keep us around for just a bit in case they don't
-@@ -22079,6 +22210,11 @@ static int handle_request_do(struct sip_
- }
- p->recv = *sin;
-
-+ /* if we have an owner, then this request has been authenticated */
-+ if (p->owner) {
-+ req->authenticated = 1;
-+ }
-+
- if (p->do_history) /* This is a request or response, note what it was for */
- append_history(p, "Rx", "%s / %s / %s", req->data->str, get_header(req, "CSeq"), REQ_OFFSET_TO_STR(req, rlPart2));
-
-@@ -24592,6 +24728,8 @@ static int reload_config(enum channelrel
- global_qualifyfreq = DEFAULT_QUALIFYFREQ;
- global_t38_maxdatagram = -1;
- global_shrinkcallerid = 1;
-+ authlimit = DEFAULT_AUTHLIMIT;
-+ authtimeout = DEFAULT_AUTHTIMEOUT;
-
- sip_cfg.matchexterniplocally = DEFAULT_MATCHEXTERNIPLOCALLY;
-
-@@ -24838,6 +24976,18 @@ static int reload_config(enum channelrel
- mwi_expiry = atoi(v->value);
- if (mwi_expiry < 1)
- mwi_expiry = DEFAULT_MWI_EXPIRY;
-+ } else if (!strcasecmp(v->name, "tcpauthtimeout")) {
-+ if (ast_parse_arg(v->value, PARSE_INT32|PARSE_DEFAULT|PARSE_IN_RANGE,
-+ &authtimeout, DEFAULT_AUTHTIMEOUT, 1, INT_MAX)) {
-+ ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n",
-+ v->name, v->value, v->lineno, config);
-+ }
-+ } else if (!strcasecmp(v->name, "tcpauthlimit")) {
-+ if (ast_parse_arg(v->value, PARSE_INT32|PARSE_DEFAULT|PARSE_IN_RANGE,
-+ &authlimit, DEFAULT_AUTHLIMIT, 1, INT_MAX)) {
-+ ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of %s\n",
-+ v->name, v->value, v->lineno, config);
-+ }
- } else if (!strcasecmp(v->name, "sipdebug")) {
- if (ast_true(v->value))
- sipdebug |= sip_debug_config;
---- a/channels/chan_skinny.c
-+++ b/channels/chan_skinny.c
-@@ -100,6 +100,8 @@ enum skinny_codecs {
- #define DEFAULT_SKINNY_PORT 2000
- #define DEFAULT_SKINNY_BACKLOG 2
- #define SKINNY_MAX_PACKET 1000
-+#define DEFAULT_AUTH_TIMEOUT 30
-+#define DEFAULT_AUTH_LIMIT 50
-
- static struct {
- unsigned int tos;
-@@ -111,6 +113,9 @@ static struct {
- } qos = { 0, 0, 0, 0, 0, 0 };
-
- static int keep_alive = 120;
-+static int auth_timeout = DEFAULT_AUTH_TIMEOUT;
-+static int auth_limit = DEFAULT_AUTH_LIMIT;
-+static int unauth_sessions = 0;
- static char global_vmexten[AST_MAX_EXTENSION]; /* Voicemail pilot number */
- static char used_context[AST_MAX_EXTENSION]; /* placeholder to check if context are already used in regcontext */
- static char regcontext[AST_MAX_CONTEXT]; /* Context for auto-extension */
-@@ -1307,6 +1312,7 @@ static struct ast_jb_conf global_jbconf;
- struct skinnysession {
- pthread_t t;
- ast_mutex_t lock;
-+ time_t start;
- struct sockaddr_in sin;
- int fd;
- char inbuf[SKINNY_MAX_PACKET];
-@@ -4558,6 +4564,8 @@ static int handle_register_message(struc
-
- return 0;
- }
-+ ast_atomic_fetchadd_int(&unauth_sessions, -1);
-+
- ast_verb(3, "Device '%s' successfully registered\n", name);
-
- d = s->device;
-@@ -6236,6 +6244,9 @@ static void destroy_session(struct skinn
- if (s->fd > -1)
- close(s->fd);
-
-+ if (!s->device)
-+ ast_atomic_fetchadd_int(&unauth_sessions, -1);
-+
- ast_mutex_destroy(&s->lock);
-
- ast_free(s);
-@@ -6251,13 +6262,30 @@ static int get_input(struct skinnysessio
- {
- int res;
- int dlen = 0;
-+ int timeout = keep_alive * 1100;
-+ time_t now;
- int *bufaddr;
- struct pollfd fds[1];
-
-+ if (!s->device) {
-+ if(time(&now) == -1) {
-+ ast_log(LOG_ERROR, "error executing time(): %s\n", strerror(errno));
-+ return -1;
-+ }
-+
-+ timeout = (auth_timeout - (now - s->start)) * 1000;
-+ if (timeout < 0) {
-+ /* we have timed out */
-+ if (skinnydebug)
-+ ast_verb(1, "Skinny Client failed to authenticate in %d seconds\n", auth_timeout);
-+ return -1;
-+ }
-+ }
-+
- fds[0].fd = s->fd;
- fds[0].events = POLLIN;
- fds[0].revents = 0;
-- res = ast_poll(fds, 1, (keep_alive * 1100)); /* If nothing has happen, client is dead */
-+ res = ast_poll(fds, 1, timeout); /* If nothing has happen, client is dead */
- /* we add 10% to the keep_alive to deal */
- /* with network delays, etc */
- if (res < 0) {
-@@ -6266,8 +6294,13 @@ static int get_input(struct skinnysessio
- return res;
- }
- } else if (res == 0) {
-- if (skinnydebug)
-- ast_verb(1, "Skinny Client was lost, unregistering\n");
-+ if (skinnydebug) {
-+ if (s->device) {
-+ ast_verb(1, "Skinny Client was lost, unregistering\n");
-+ } else {
-+ ast_verb(1, "Skinny Client failed to authenticate in %d seconds\n", auth_timeout);
-+ }
-+ }
- skinny_unregister(NULL, s);
- return -1;
- }
-@@ -6400,18 +6433,35 @@ static void *accept_thread(void *ignore)
- ast_log(LOG_NOTICE, "Accept returned -1: %s\n", strerror(errno));
- continue;
- }
-+
-+ if (ast_atomic_fetchadd_int(&unauth_sessions, +1) >= auth_limit) {
-+ close(as);
-+ ast_atomic_fetchadd_int(&unauth_sessions, -1);
-+ continue;
-+ }
-+
- p = getprotobyname("tcp");
- if(p) {
- if( setsockopt(as, p->p_proto, TCP_NODELAY, (char *)&arg, sizeof(arg) ) < 0 ) {
- ast_log(LOG_WARNING, "Failed to set Skinny tcp connection to TCP_NODELAY mode: %s\n", strerror(errno));
- }
- }
-- if (!(s = ast_calloc(1, sizeof(struct skinnysession))))
-+ if (!(s = ast_calloc(1, sizeof(struct skinnysession)))) {
-+ close(as);
-+ ast_atomic_fetchadd_int(&unauth_sessions, -1);
- continue;
-+ }
-
- memcpy(&s->sin, &sin, sizeof(sin));
- ast_mutex_init(&s->lock);
- s->fd = as;
-+
-+ if(time(&s->start) == -1) {
-+ ast_log(LOG_ERROR, "error executing time(): %s; disconnecting client\n", strerror(errno));
-+ destroy_session(s);
-+ continue;
-+ }
-+
- AST_LIST_LOCK(&sessions);
- AST_LIST_INSERT_HEAD(&sessions, s, list);
- AST_LIST_UNLOCK(&sessions);
-@@ -6565,6 +6615,26 @@ static struct ast_channel *skinny_reques
- } else if (!strcasecmp(v->name, "keepalive")) {
- keep_alive = atoi(v->value);
- continue;
-+ } else if (!strcasecmp(v->name, "authtimeout")) {
-+ int timeout = atoi(v->value);
-+
-+ if (timeout < 1) {
-+ ast_log(LOG_WARNING, "Invalid authtimeout value '%s', using default value\n", v->value);
-+ auth_timeout = DEFAULT_AUTH_TIMEOUT;
-+ } else {
-+ auth_timeout = timeout;
-+ }
-+ continue;
-+ } else if (!strcasecmp(v->name, "authlimit")) {
-+ int limit = atoi(v->value);
-+
-+ if (limit < 1) {
-+ ast_log(LOG_WARNING, "Invalid authlimit value '%s', using default value\n", v->value);
-+ auth_limit = DEFAULT_AUTH_LIMIT;
-+ } else {
-+ auth_limit = limit;
-+ }
-+ continue;
- } else if (!strcasecmp(v->name, "regcontext")) {
- ast_copy_string(newcontexts, v->value, sizeof(newcontexts));
- stringp = newcontexts;
---- a/configs/http.conf.sample
-+++ b/configs/http.conf.sample
-@@ -32,6 +32,11 @@ bindaddr=127.0.0.1
- ;
- ;prefix=asterisk
- ;
-+; sessionlimit specifies the maximum number of httpsessions that will be
-+; allowed to exist at any given time. (default: 100)
-+;
-+;sessionlimit=100
-+;
- ; Whether Asterisk should serve static content from http-static
- ; Default is no.
- ;
---- a/configs/sip.conf.sample
-+++ b/configs/sip.conf.sample
-@@ -144,6 +144,16 @@ tcpbindaddr=0.0.0.0 ; IP add
- ; A list of valid SSL cipher strings can be found at:
- ; http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
-
-+;tcpauthtimeout = 30 ; tcpauthtimeout specifies the maximum number
-+ ; of seconds a client has to authenticate. If
-+ ; the client does not authenticate beofre this
-+ ; timeout expires, the client will be
-+ ; disconnected. (default: 30 seconds)
-+
-+;tcpauthlimit = 100 ; tcpauthlimit specifies the maximum number of
-+ ; unauthenticated sessions that will be allowed
-+ ; to connect at any given time. (default: 100)
-+
- srvlookup=yes ; Enable DNS SRV lookups on outbound calls
- ; Note: Asterisk only uses the first host
- ; in SRV records
---- a/configs/skinny.conf.sample
-+++ b/configs/skinny.conf.sample
-@@ -9,6 +9,15 @@ dateformat=M-D-Y ; M,D,Y in any order (6
- ; Use M for month, D for day, Y for year, A for 12-hour time.
- keepalive=120
-
-+;authtimeout = 30 ; authtimeout specifies the maximum number of seconds a
-+ ; client has to authenticate. If the client does not
-+ ; authenticate beofre this timeout expires, the client
-+ ; will be disconnected. (default: 30 seconds)
-+
-+;authlimit = 50 ; authlimit specifies the maximum number of
-+ ; unauthenticated sessions that will be allowed to
-+ ; connect at any given time. (default: 50)
-+
- ;vmexten=8500 ; Systemwide voicemailmain pilot number
- ; It must be in the same context as the calling
- ; device/line
---- a/main/http.c
-+++ b/main/http.c
-@@ -53,12 +53,16 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revisi
- #include "asterisk/astobj2.h"
-
- #define MAX_PREFIX 80
-+#define DEFAULT_SESSION_LIMIT 100
-
- /* See http.h for more information about the SSL implementation */
- #if defined(HAVE_OPENSSL) && (defined(HAVE_FUNOPEN) || defined(HAVE_FOPENCOOKIE))
- #define DO_SSL /* comment in/out if you want to support ssl */
- #endif
-
-+static int session_limit = DEFAULT_SESSION_LIMIT;
-+static int session_count = 0;
-+
- static struct ast_tls_config http_tls_cfg;
-
- static void *httpd_helper_thread(void *arg);
-@@ -668,6 +672,10 @@ static void *httpd_helper_thread(void *d
- unsigned int static_content = 0;
- struct ast_variable *tail = headers;
-
-+ if (ast_atomic_fetchadd_int(&session_count, +1) >= session_limit) {
-+ goto done;
-+ }
-+
- if (!fgets(buf, sizeof(buf), ser->f)) {
- goto done;
- }
-@@ -778,6 +786,7 @@ static void *httpd_helper_thread(void *d
- }
-
- done:
-+ ast_atomic_fetchadd_int(&session_count, -1);
- fclose(ser->f);
- ao2_ref(ser, -1);
- ser = NULL;
-@@ -927,6 +936,12 @@ static int __ast_http_load(int reload)
- }
- } else if (!strcasecmp(v->name, "redirect")) {
- add_redirect(v->value);
-+ } else if (!strcasecmp(v->name, "sessionlimit")) {
-+ if (ast_parse_arg(v->value, PARSE_INT32|PARSE_DEFAULT|PARSE_IN_RANGE,
-+ &session_limit, DEFAULT_SESSION_LIMIT, 1, INT_MAX)) {
-+ ast_log(LOG_WARNING, "Invalid %s '%s' at line %d of http.conf\n",
-+ v->name, v->value, v->lineno);
-+ }
- } else {
- ast_log(LOG_WARNING, "Ignoring unknown option '%s' in http.conf\n", v->name);
- }
--- a/main/manager.c
+++ b/main/manager.c
@@ -2497,6 +2497,25 @@ static int action_originate(struct manse
Modified: asterisk/branches/squeeze/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/series?rev=8886&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/series (original)
+++ asterisk/branches/squeeze/debian/patches/series Fri Apr 22 07:55:08 2011
@@ -32,4 +32,5 @@
AST-2011-003
AST-2011-004
AST-2011-005
+AST-2011-005-p2
AST-2011-006
More information about the Pkg-voip-commits
mailing list