[Pkg-voip-commits] r9966 - in /asterisk/branches/squeeze/debian: changelog patches/AST-2012-010
maniac-guest at alioth.debian.org
maniac-guest at alioth.debian.org
Wed Sep 19 09:33:38 UTC 2012
Author: maniac-guest
Date: Wed Sep 19 09:33:38 2012
New Revision: 9966
URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=9966
Log:
AST-2012-010 fixed
Modified:
asterisk/branches/squeeze/debian/changelog
asterisk/branches/squeeze/debian/patches/AST-2012-010
Modified: asterisk/branches/squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/changelog?rev=9966&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/changelog (original)
+++ asterisk/branches/squeeze/debian/changelog Wed Sep 19 09:33:38 2012
@@ -1,3 +1,9 @@
+asterisk (1:1.6.2.9-2+squeeze7.1) UNRELEASED; urgency=high
+
+ * Fix AST-2012-010 backported patch
+
+ -- Victor Seva <linuxmaniac at torreviejawireless.org> Wed, 19 Sep 2012 11:23:34 +0200
+
asterisk (1:1.6.2.9-2+squeeze7) stable-security; urgency=low
[ Victor Seva ]
Modified: asterisk/branches/squeeze/debian/patches/AST-2012-010
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2012-010?rev=9966&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2012-010 (original)
+++ asterisk/branches/squeeze/debian/patches/AST-2012-010 Wed Sep 19 09:33:38 2012
@@ -7,6 +7,10 @@
SIP dialog structure is never freed and the RTP ports for the call are
never released. If an attacker has the ability to place a call, they
could create a denial of service by using all available RTP ports.
+
+Adapted to 1.6.2.9 by Victor Seva <linuxmaniac at torreviejawireless.org>
+
+Don't use sip_pvt_lock_full or ast_channel_unref functions.
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -35,28 +39,27 @@
pvt_set_needdestroy(p, "autodestruct");
}
}
-@@ -6092,6 +6094,20 @@
+@@ -6092,6 +6094,19 @@
return 0;
}
+static int reinvite_timeout(const void *data)
+{
+ struct sip_pvt *dialog = (struct sip_pvt *) data;
-+ struct ast_channel *owner = sip_pvt_lock_full(dialog);
++ struct ast_channel *owner = sip_pvt_lock(dialog);
+ dialog->reinviteid = -1;
+ check_pendings(dialog);
+ if (owner) {
+ ast_channel_unlock(owner);
-+ ast_channel_unref(owner);
+ }
-+ ao2_unlock(dialog);
++ sip_pvt_unlock(dialog);
+ dialog_unref(dialog, "unref for reinvite timeout");
+ return 0;
+}
/*! \brief sip_hangup: Hangup SIP call
* Part of PBX interface, called from ast_hangup */
-@@ -6289,8 +6305,16 @@
+@@ -6289,8 +6304,16 @@
ast_set_flag(&p->flags[0], SIP_PENDINGBYE);
ast_clear_flag(&p->flags[0], SIP_NEEDREINVITE);
AST_SCHED_DEL_UNREF(sched, p->waitid, dialog_unref(p, "when you delete the waitid sched, you should dec the refcount for the stored dialog ptr"));
@@ -74,7 +77,7 @@
}
}
}
-@@ -7338,6 +7362,7 @@
+@@ -7338,6 +7361,7 @@
p->method = intended_method;
p->initid = -1;
p->waitid = -1;
@@ -82,7 +85,7 @@
p->autokillid = -1;
p->request_queue_sched_id = -1;
p->provisional_keepalive_sched_id = -1;
-@@ -10715,7 +10740,7 @@
+@@ -10715,7 +10739,7 @@
initialize_initreq(p, &req);
p->lastinvite = p->ocseq;
ast_set_flag(&p->flags[0], SIP_OUTGOING); /* Change direction of this dialog */
@@ -91,7 +94,7 @@
return send_request(p, &req, XMIT_CRITICAL, p->ocseq);
}
-@@ -17736,17 +17761,20 @@
+@@ -17736,17 +17760,20 @@
static void check_pendings(struct sip_pvt *p)
{
if (ast_test_flag(&p->flags[0], SIP_PENDINGBYE)) {
@@ -118,7 +121,7 @@
/* Perhaps there is an SD change INVITE outstanding */
transmit_request_with_auth(p, SIP_BYE, 0, XMIT_RELIABLE, TRUE);
}
-@@ -17821,9 +17849,17 @@
+@@ -17821,9 +17848,17 @@
if (resp >= 300 && (p->invitestate == INV_CALLING || p->invitestate == INV_PROCEEDING || p->invitestate == INV_EARLY_MEDIA ))
p->invitestate = INV_COMPLETED;
More information about the Pkg-voip-commits
mailing list