[Pkg-voip-commits] r10122 - in /asterisk/trunk/debian: changelog patches/AST-2013-002 patches/AST-2013-003 patches/series

tzafrir at alioth.debian.org tzafrir at alioth.debian.org
Thu Mar 28 08:19:23 UTC 2013


Author: tzafrir
Date: Thu Mar 28 08:19:22 2013
New Revision: 10122

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=10122
Log:
Patches backported from Asterisk 1.8.20.2 (Closes: #704114)

Patches backported from Asterisk 1.8.20.2 (Closes: #704114):
* Patch AST-2013-002 (CVE-2012-2686): Prevent DoS in HTTP server with
  a large POST.
* Patch AST-2013-003 (CVE-2012-2264): Prevent username disclosure in
  SIP channel driver.

Added:
    asterisk/trunk/debian/patches/AST-2013-002
    asterisk/trunk/debian/patches/AST-2013-003
Modified:
    asterisk/trunk/debian/changelog
    asterisk/trunk/debian/patches/series

Modified: asterisk/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/trunk/debian/changelog?rev=10122&op=diff
==============================================================================
--- asterisk/trunk/debian/changelog (original)
+++ asterisk/trunk/debian/changelog Thu Mar 28 08:19:22 2013
@@ -11,6 +11,11 @@
   * Patch powerpcspe: Fix OSARCH for powerpcspe (Closes: #701505).
   * README.Debian: document running the testsuite. 
   * Patch fix_xmpp_19532: fix a crash of the XMPP code (Closes: #545272).
+  * Patches backported from Asterisk 1.8.20.2 (Closes: #704114):
+    - Patch AST-2013-002 (CVE-2012-2686): Prevent DoS in HTTP server with
+      a large POST.
+    - Patch AST-2013-003 (CVE-2012-2264): Prevent username disclosure in
+      SIP channel driver.
 
  -- Tzafrir Cohen <tzafrir at debian.org>  Tue, 08 Jan 2013 00:06:09 +0200
 
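Review bot: The CVE identifiers in the two added changelog entries disagree with the patch headers added in this same revision. The entries say CVE-2012-2686 and CVE-2012-2264, while debian/patches/AST-2013-002 carries "CVE: CVE-2013-2686" and debian/patches/AST-2013-003 carries "CVE: CVE-2013-2264". One of the two sets is a typo. Make them agree before upload, because the changelog entry is where readers look up which CVE a package version fixes.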

Added: asterisk/trunk/debian/patches/AST-2013-002
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/trunk/debian/patches/AST-2013-002?rev=10122&op=file
==============================================================================
--- asterisk/trunk/debian/patches/AST-2013-002 (added)
+++ asterisk/trunk/debian/patches/AST-2013-002 Thu Mar 28 08:19:22 2013
@@ -1,0 +1,55 @@
+From: Matthew Jordan <mjordan at digium.com>
+Date: Wed, 27 Mar 2013 14:35:11 +0000
+Subject: AST-2013-002: Prevent denial of service in HTTP server
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=383976
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-20967
+CVE: CVE-2013-2686
+
+AST-2012-014, fixed in January of this year, contained a fix for Asterisk's
+HTTP server for a remotely-triggered crash. While the fix put in place fixed
+the possibility for the crash to be triggered, a denial of service vector still
+exists with that solution if an attacker sends one or more HTTP POST requests
+with very large Content-Length values. This patch resolves this by capping
+the Content-Length at 1024 bytes. Any attempt to send an HTTP POST with
+Content-Length greater than this cap will not result in any memory allocation.
+The POST will be responded to with an HTTP 413 "Request Entity Too Large"
+response.
+
+This issue was reported by Christoph Hebeisen of TELUS Security Labs
+
+See Also: http://downloads.asterisk.org/pub/security/AST-2013-002.html
+
+---
+ main/http.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/main/http.c b/main/http.c
+index 1b5f2b6..4b73acb 100644
+--- a/main/http.c
++++ b/main/http.c
+@@ -612,6 +612,8 @@ static void http_decode(char *s)
+ 	ast_uri_decode(s);
+ }
+ 
++#define MAX_POST_CONTENT 1025
++
+ /*
+  * get post variables from client Request Entity-Body, if content type is
+  * application/x-www-form-urlencoded
+@@ -644,6 +646,13 @@ struct ast_variable *ast_http_get_post_vars(
+ 		return NULL;
+ 	}
+ 
++	if (content_length > MAX_POST_CONTENT - 1) {
++		ast_log(LOG_WARNING, "Excessively long HTTP content. %d is greater than our max of %d\n",
++				content_length, MAX_POST_CONTENT);
++		ast_http_send(ser, AST_HTTP_POST, 413, "Request Entity Too Large", NULL, NULL, 0, 0);
++		return NULL;
++	}
++
+ 	buf = ast_malloc(content_length + 1);
+ 	if (!buf) {
+ 		return NULL;
+-- 
+1.7.10.4
+
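Review bot: The warning in the second main/http.c hunk reports a limit that is off by one. The test is "content_length > MAX_POST_CONTENT - 1", so the largest accepted body is 1024 bytes, but the message prints MAX_POST_CONTENT, which is 1025, as "our max". Either log MAX_POST_CONTENT - 1, or define the macro as 1024 and compare against it directly, so that the constant, the check and the description ("capping the Content-Length at 1024 bytes") all state the same number. A one-line comment above the #define saying whether the value includes the extra byte allocated by ast_malloc(content_length + 1) would remove the ambiguity. The warning also carries only the two sizes. If the session object passed as ser exposes the client address, adding it would let operators attribute repeated oversized POSTs to a source.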

Added: asterisk/trunk/debian/patches/AST-2013-003
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/trunk/debian/patches/AST-2013-003?rev=10122&op=file
==============================================================================
--- asterisk/trunk/debian/patches/AST-2013-003 (added)
+++ asterisk/trunk/debian/patches/AST-2013-003 Thu Mar 28 08:19:22 2013
@@ -1,0 +1,377 @@
+From: Matthew Jordan <mjordan at digium.com>
+Date: Wed, 27 Mar 2013 14:53:13 +0000
+Subject: AST-2013-003: Prevent username disclosure in SIP channel driver
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-21013
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=383981
+CVE: CVE-2013-2264
+
+When authenticating a SIP request with alwaysauthreject enabled, allowguest
+disabled, and autocreatepeer disabled, Asterisk discloses whether a user
+exists for INVITE, SUBSCRIBE, and REGISTER transactions in multiple ways. The
+information is disclosed when:
+ * A "407 Proxy Authentication Required" response is sent instead of a
+   "401 Unauthorized" response
+ * The presence or absence of additional tags occurs at the end of "403
+   Forbidden" (such as "(Bad Auth)")
+ * A "401 Unauthorized" response is sent instead of "403 Forbidden" response
+   after a retransmission
+ * Retransmission are sent when a matching peer did not exist, but not when a
+   matching peer did exist.
+
+This patch resolves these various vectors by ensuring that the responses sent
+in all scenarios is the same, regardless of the presence of a matching peer.
+
+This issue was reported by Walter Doekes, OSSO B.V. A substantial portion of
+the testing and the solution to this problem was done by Walter as well - a
+huge thanks to his tireless efforts in finding all the ways in which this
+setting didn't work, providing automated tests, and working with Kinsey on
+getting this fixed.
+
+Patch slightly adapted due to irrelevant changes in r367362.
+
+See Also: http://downloads.asterisk.org/pub/security/AST-2013-003.html
+
+---
+ channels/chan_sip.c        |  128 ++++++++++++++++++++++++++++----------------
+ channels/sip/include/sip.h |    1 -
+ 2 files changed, 83 insertions(+), 46 deletions(-)
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index afa25ae..41dbfc2 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -1110,6 +1110,11 @@ static struct ao2_container *threadt;
+ static struct ao2_container *peers;
+ static struct ao2_container *peers_by_ip;
+ 
++/*! \brief  A bogus peer, to be used when authentication should fail */
++static struct sip_peer *bogus_peer;
++/*! \brief  We can recognise the bogus peer by this invalid MD5 hash */
++#define BOGUS_PEER_MD5SECRET "intentionally_invalid_md5_string"
++
+ /*! \brief  The register list: Other SIP proxies we register with and receive calls from */
+ static struct ast_register_list {
+ 	ASTOBJ_CONTAINER_COMPONENTS(struct sip_registry);
+@@ -1250,7 +1255,7 @@ static int transmit_response_with_unsupported(struct sip_pvt *p, const char *msg
+ static int transmit_response_with_auth(struct sip_pvt *p, const char *msg, const struct sip_request *req, const char *rand, enum xmittype reliable, const char *header, int stale);
+ static int transmit_provisional_response(struct sip_pvt *p, const char *msg, const struct sip_request *req, int with_sdp);
+ static int transmit_response_with_allow(struct sip_pvt *p, const char *msg, const struct sip_request *req, enum xmittype reliable);
+-static void transmit_fake_auth_response(struct sip_pvt *p, int sipmethod, struct sip_request *req, enum xmittype reliable);
++static void transmit_fake_auth_response(struct sip_pvt *p, struct sip_request *req, enum xmittype reliable);
+ static int transmit_request(struct sip_pvt *p, int sipmethod, uint32_t seqno, enum xmittype reliable, int newbranch);
+ static int transmit_request_with_auth(struct sip_pvt *p, int sipmethod, uint32_t seqno, enum xmittype reliable, int newbranch);
+ static int transmit_publish(struct sip_epa_entry *epa_entry, enum sip_publish_type publish_type, const char * const explicit_uri);
+@@ -14856,6 +14861,7 @@ static enum check_auth_result check_auth(struct sip_pvt *p, struct sip_request *
+ 	char a1_hash[256];
+ 	char resp_hash[256]="";
+ 	char *c;
++	int is_bogus_peer = 0;
+ 	int  wrongnonce = FALSE;
+ 	int  good_response;
+ 	const char *usednonce = p->randdata;
+@@ -14950,8 +14956,14 @@ static enum check_auth_result check_auth(struct sip_pvt *p, struct sip_request *
+ 		}
+ 	}
+ 
++	/* We cannot rely on the bogus_peer having a bad md5 value. Someone could
++	 * use it to construct valid auth. */
++	if (md5secret && strcmp(md5secret, BOGUS_PEER_MD5SECRET) == 0) {
++		is_bogus_peer = 1;
++	}
++
+ 	/* Verify that digest username matches  the username we auth as */
+-	if (strcmp(username, keys[K_USER].s)) {
++	if (strcmp(username, keys[K_USER].s) && !is_bogus_peer) {
+ 		ast_log(LOG_WARNING, "username mismatch, have <%s>, digest has <%s>\n",
+ 			username, keys[K_USER].s);
+ 		/* Oops, we're trying something here */
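Review bot: is_bogus_peer is derived here by comparing md5secret with BOGUS_PEER_MD5SECRET, so a configured peer whose md5secret happens to be that literal string would be treated as the bogus peer and could never authenticate. check_peer_ok in this same patch recognises the bogus peer by pointer instead ("peer != bogus_peer"). Use one method in both places if the peer is reachable from check_auth, or document next to the #define that the string is a reserved value. The new comment would also read better beside the good_response change in the next hunk, since it explains why the flag is needed there rather than why the strcmp is done here.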
+@@ -14990,7 +15002,8 @@ static enum check_auth_result check_auth(struct sip_pvt *p, struct sip_request *
+ 	}
+ 
+ 	good_response = keys[K_RESP].s &&
+-			!strncasecmp(keys[K_RESP].s, resp_hash, strlen(resp_hash));
++			!strncasecmp(keys[K_RESP].s, resp_hash, strlen(resp_hash)) &&
++			!is_bogus_peer; /* lastly, check that the peer isn't the fake peer */
+ 	if (wrongnonce) {
+ 		if (good_response) {
+ 			if (sipdebug)
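Review bot: The position of "!is_bogus_peer" at the end of the good_response expression deserves more than the word "lastly" in the trailing comment. Because it is evaluated after the strncasecmp, a request for a nonexistent user goes through the same digest comparison as one for a real user. State in the comment that the order is deliberate, so a later cleanup does not move the cheap flag test to the front and introduce a timing difference between the two cases.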
+@@ -15134,7 +15147,7 @@ static int cb_extensionstate(char *context, char* exten, int state, void *data)
+ /*! \brief Send a fake 401 Unauthorized response when the administrator
+   wants to hide the names of local devices  from fishers
+  */
+-static void transmit_fake_auth_response(struct sip_pvt *p, int sipmethod, struct sip_request *req, enum xmittype reliable)
++static void transmit_fake_auth_response(struct sip_pvt *p, struct sip_request *req, enum xmittype reliable)
+ {
+ 	/* We have to emulate EXACTLY what we'd get with a good peer
+ 	 * and a bad password, or else we leak information. */
+@@ -15173,13 +15186,13 @@ static void transmit_fake_auth_response(struct sip_pvt *p, int sipmethod, struct
+ 	}
+ 
+ 	if (!(buf = ast_str_thread_get(&check_auth_buf, CHECK_AUTH_BUF_INITLEN))) {
+-		transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq);
++		__transmit_response(p, "403 Forbidden", &p->initreq, reliable);
+ 		return;
+ 	}
+ 
+ 	/* Make a copy of the response and parse it */
+ 	if (ast_str_set(&buf, 0, "%s", authtoken) == AST_DYNSTR_BUILD_FAILED) {
+-		transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq);
++		__transmit_response(p, "403 Forbidden", &p->initreq, reliable);
+ 		return;
+ 	}
+ 
+@@ -15217,7 +15230,7 @@ static void transmit_fake_auth_response(struct sip_pvt *p, int sipmethod, struct
+ 		/* Schedule auto destroy in 32 seconds */
+ 		sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
+ 	} else {
+-		transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq);
++		__transmit_response(p, "403 Forbidden", &p->initreq, reliable);
+ 	}
+ }
+ 
+@@ -15327,7 +15340,7 @@ static enum check_auth_result register_verify(struct sip_pvt *p, struct ast_sock
+ 	if (!AST_LIST_EMPTY(&domain_list)) {
+ 		if (!check_sip_domain(domain, NULL, 0)) {
+ 			if (sip_cfg.alwaysauthreject) {
+-				transmit_fake_auth_response(p, SIP_REGISTER, &p->initreq, XMIT_UNRELIABLE);
++				transmit_fake_auth_response(p, &p->initreq, XMIT_UNRELIABLE);
+ 			} else {
+ 				transmit_response(p, "404 Not found (unknown domain)", &p->initreq);
+ 			}
+@@ -15354,6 +15367,13 @@ static enum check_auth_result register_verify(struct sip_pvt *p, struct ast_sock
+ 	}
+ 	peer = find_peer(name, NULL, TRUE, FINDPEERS, FALSE, 0);
+ 
++	/* If we don't want username disclosure, use the bogus_peer when a user
++	 * is not found. */
++	if (!peer && sip_cfg.alwaysauthreject && !sip_cfg.autocreatepeer) {
++		peer = bogus_peer;
++		ref_peer(peer, "register_verify: ref the bogus_peer");
++	}
++
+ 	if (!(peer && ast_apply_ha(peer->ha, addr))) {
+ 		/* Peer fails ACL check */
+ 		if (peer) {
+@@ -15429,7 +15449,7 @@ static enum check_auth_result register_verify(struct sip_pvt *p, struct ast_sock
+ 			switch (parse_register_contact(p, peer, req)) {
+ 			case PARSE_REGISTER_DENIED:
+ 				ast_log(LOG_WARNING, "Registration denied because of contact ACL\n");
+-				transmit_response_with_date(p, "403 Forbidden (ACL)", req);
++				transmit_response_with_date(p, "403 Forbidden", req);
+ 				peer->lastmsgssent = -1;
+ 				res = 0;
+ 				break;
+@@ -15469,7 +15489,7 @@ static enum check_auth_result register_verify(struct sip_pvt *p, struct ast_sock
+ 		switch (res) {
+ 		case AUTH_SECRET_FAILED:
+ 			/* Wrong password in authentication. Go away, don't try again until you fixed it */
+-			transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq);
++			transmit_response(p, "403 Forbidden", &p->initreq);
+ 			if (global_authfailureevents) {
+ 				const char *peer_addr = ast_strdupa(ast_sockaddr_stringify_addr(addr));
+ 				const char *peer_port = ast_strdupa(ast_sockaddr_stringify_port(addr));
+@@ -15492,7 +15512,7 @@ static enum check_auth_result register_verify(struct sip_pvt *p, struct ast_sock
+ 		case AUTH_PEER_NOT_DYNAMIC:
+ 		case AUTH_ACL_FAILED:
+ 			if (sip_cfg.alwaysauthreject) {
+-				transmit_fake_auth_response(p, SIP_REGISTER, &p->initreq, XMIT_UNRELIABLE);
++				transmit_fake_auth_response(p, &p->initreq, XMIT_UNRELIABLE);
+ 				if (global_authfailureevents) {
+ 					const char *peer_addr = ast_strdupa(ast_sockaddr_stringify_addr(addr));
+ 					const char *peer_port = ast_strdupa(ast_sockaddr_stringify_port(addr));
+@@ -16522,7 +16542,19 @@ static enum check_auth_result check_peer_ok(struct sip_pvt *p, char *of,
+ 			ast_verbose("No matching peer for '%s' from '%s'\n",
+ 				of, ast_sockaddr_stringify(&p->recv));
+ 		}
+-		return AUTH_DONT_KNOW;
++
++		/* If you don't mind, we can return 404s for devices that do
++		 * not exist: username disclosure. If we allow guests, there
++		 * is no way around that. */
++		if (sip_cfg.allowguest || !sip_cfg.alwaysauthreject) {
++			return AUTH_DONT_KNOW;
++		}
++
++		/* If you do mind, we use a peer that will never authenticate.
++		 * This ensures that we follow the same code path as regular
++		 * auth: less chance for username disclosure. */
++		peer = bogus_peer;
++		ref_peer(peer, "ref_peer: check_peer_ok: must ref bogus_peer so unreffing it does not fail");
+ 	}
+ 
+ 	if (!ast_apply_ha(peer->ha, addr)) {
+@@ -16530,9 +16562,10 @@ static enum check_auth_result check_peer_ok(struct sip_pvt *p, char *of,
+ 		unref_peer(peer, "unref_peer: check_peer_ok: from find_peer call, early return of AUTH_ACL_FAILED");
+ 		return AUTH_ACL_FAILED;
+ 	}
+-	if (debug)
++	if (debug && peer != bogus_peer) {
+ 		ast_verbose("Found peer '%s' for '%s' from %s\n",
+ 			peer->name, of, ast_sockaddr_stringify(&p->recv));
++	}
+ 
+ 	/* XXX what about p->prefs = peer->prefs; ? */
+ 	/* Set Frame packetization */
+@@ -16801,8 +16834,6 @@ static enum check_auth_result check_user_full(struct sip_pvt *p, struct sip_requ
+ 		} else {
+ 			res = AUTH_RTP_FAILED;
+ 		}
+-	} else if (sip_cfg.alwaysauthreject) {
+-		res = AUTH_FAKE_AUTH; /* reject with fake authorization request */
+ 	} else {
+ 		res = AUTH_SECRET_FAILED; /* we don't want any guests, authentication will fail */
+ 	}
+@@ -22582,13 +22613,8 @@ static int handle_request_options(struct sip_pvt *p, struct sip_request *req, st
+ 			return 0;
+ 		}
+ 		if (res < 0) { /* Something failed in authentication */
+-			if (res == AUTH_FAKE_AUTH) {
+-				ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
+-				transmit_fake_auth_response(p, SIP_OPTIONS, req, XMIT_UNRELIABLE);
+-			} else {
+-				ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
+-				transmit_response(p, "403 Forbidden", req);
+-			}
++			ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
++			transmit_response(p, "403 Forbidden", req);
+ 			sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
+ 			return 0;
+ 		}
+@@ -23248,13 +23274,8 @@ static int handle_request_invite(struct sip_pvt *p, struct sip_request *req, int
+ 			goto request_invite_cleanup;
+ 		}
+ 		if (res < 0) { /* Something failed in authentication */
+-			if (res == AUTH_FAKE_AUTH) {
+-				ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
+-				transmit_fake_auth_response(p, SIP_INVITE, req, XMIT_RELIABLE);
+-			} else {
+-				ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
+-				transmit_response_reliable(p, "403 Forbidden", req);
+-			}
++			ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
++			transmit_response_reliable(p, "403 Forbidden", req);
+ 			p->invitestate = INV_COMPLETED;
+ 			sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
+ 			res = 0;
+@@ -25081,18 +25102,13 @@ static int handle_request_publish(struct sip_pvt *p, struct sip_request *req, st
+ 		return -1;
+ 	}
+ 
+-	auth_result = check_user(p, req, SIP_PUBLISH, uri, XMIT_RELIABLE, addr);
++	auth_result = check_user(p, req, SIP_PUBLISH, uri, XMIT_UNRELIABLE, addr);
+ 	if (auth_result == AUTH_CHALLENGE_SENT) {
+ 		p->lastinvite = seqno;
+ 		return 0;
+ 	} else if (auth_result < 0) {
+-		if (auth_result == AUTH_FAKE_AUTH) {
+-			ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
+-			transmit_fake_auth_response(p, SIP_INVITE, req, XMIT_RELIABLE);
+-		} else {
+-			ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
+-			transmit_response_reliable(p, "403 Forbidden", req);
+-		}
++		ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
++		transmit_response(p, "403 Forbidden", req);
+ 		sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
+ 		ast_string_field_set(p, theirtag, NULL);
+ 		return 0;
+@@ -25305,19 +25321,14 @@ static int handle_request_subscribe(struct sip_pvt *p, struct sip_request *req,
+ 	 * use if !req->ignore, because then we'll end up sending
+ 	 * a 200 OK if someone retransmits without sending auth */
+ 	if (p->subscribed == NONE || resubscribe) {
+-		res = check_user_full(p, req, SIP_SUBSCRIBE, e, 0, addr, &authpeer);
++		res = check_user_full(p, req, SIP_SUBSCRIBE, e, XMIT_UNRELIABLE, addr, &authpeer);
+ 
+ 		/* if an authentication response was sent, we are done here */
+ 		if (res == AUTH_CHALLENGE_SENT)	/* authpeer = NULL here */
+ 			return 0;
+ 		if (res != AUTH_SUCCESSFUL) {
+-			if (res == AUTH_FAKE_AUTH) {
+-				ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From"));
+-				transmit_fake_auth_response(p, SIP_SUBSCRIBE, req, XMIT_UNRELIABLE);
+-			} else {
+-				ast_log(LOG_NOTICE, "Failed to authenticate device %s for SUBSCRIBE\n", get_header(req, "From"));
+-				transmit_response_reliable(p, "403 Forbidden", req);
+-			}
++			ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From"));
++			transmit_response(p, "403 Forbidden", req);
+ 
+ 			pvt_set_needdestroy(p, "authentication failed");
+ 			return 0;
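Review bot: The rewritten failure branch drops "for SUBSCRIBE" from the NOTICE, so after this patch the OPTIONS, INVITE, PUBLISH and SUBSCRIBE handlers all log the identical line "Failed to authenticate device %s". The uniformity is needed in what goes out on the wire, not in the local log. Keeping the method name in each message would let operators and log-based blocking tools tell which request type is being probed, without changing anything the remote side can observe.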
+@@ -30460,6 +30471,7 @@ static int sip_do_reload(enum channelreloadreason reason)
+ /*! \brief Force reload of module from cli */
+ static char *sip_reload(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
+ {
++	static struct sip_peer *tmp_peer, *new_peer;
+ 	
+ 	switch (cmd) {
+ 	case CLI_INIT:
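Review bot: tmp_peer and new_peer are declared static at the top of sip_reload, which gives them process lifetime and makes the function non-reentrant for no visible reason. They are only used as scratch pointers in the block added further down, so plain automatic locals are enough. As written, new_peer also keeps pointing at the current bogus peer between reloads without holding a reference of its own.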
+@@ -30482,6 +30494,18 @@ static char *sip_reload(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a
+ 	ast_mutex_unlock(&sip_reload_lock);
+ 	restart_monitor();
+ 
++	tmp_peer = bogus_peer;
++	/* Create new bogus peer possibly with new global settings. */
++	if ((new_peer = temp_peer("(bogus_peer)"))) {
++		ast_string_field_set(new_peer, md5secret, BOGUS_PEER_MD5SECRET);
++		ast_clear_flag(&new_peer->flags[0], SIP_INSECURE);
++		bogus_peer = new_peer;
++		ao2_t_ref(tmp_peer, -1, "unref the old bogus_peer during reload");
++	} else {
++		ast_log(LOG_ERROR, "Could not update the fake authentication peer.\n");
++		/* You probably have bigger (memory?) issues to worry about though.. */
++	}
++
+ 	return CLI_SUCCESS;
+ }
+ 
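Review bot: The swap of the global bogus_peer is not serialised against its readers. It happens after ast_mutex_unlock(&sip_reload_lock), and the readers added in register_verify and check_peer_ok do "peer = bogus_peer;" followed by ref_peer as two separate steps with no lock visible in those hunks. A request handled while a reload runs can read the old pointer, lose the CPU, and then take a reference on an object that "ao2_t_ref(tmp_peer, -1, ...)" has already released. Either do the read-and-ref under a lock that the swap also holds, or hold the pointer in a container that hands out a referenced object atomically. It is also worth confirming that the new global settings are already in place at this point, given that the block runs immediately after restart_monitor().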
+@@ -31665,6 +31689,17 @@ static int load_module(void)
+ 		return AST_MODULE_LOAD_DECLINE;
+ 	}
+ 
++	/* Initialize bogus peer. Can be done first after reload_config() */
++	if (!(bogus_peer = temp_peer("(bogus_peer)"))) {
++		ast_log(LOG_ERROR, "Unable to create bogus_peer for authentication\n");
++		io_context_destroy(io);
++		sched_context_destroy(sched);
++		return AST_MODULE_LOAD_FAILURE;
++	}
++	/* Make sure the auth will always fail. */
++	ast_string_field_set(bogus_peer, md5secret, BOGUS_PEER_MD5SECRET);
++	ast_clear_flag(&bogus_peer->flags[0], SIP_INSECURE);
++
+ 	/* Prepare the version that does not require DTMF BEGIN frames.
+ 	 * We need to use tricks such as memcpy and casts because the variable
+ 	 * has const fields.
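Review bot: The setup sequence added here (temp_peer("(bogus_peer)"), set md5secret to BOGUS_PEER_MD5SECRET, clear SIP_INSECURE) is repeated in sip_reload. Both steps after the allocation are what make authentication against this peer always fail, so the two copies should not be allowed to drift: put them in one small helper that returns the new peer and call it from both places. The comment "Can be done first after reload_config()" is ambiguous. If it means the peer must only be created once reload_config() has run, say that.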
+@@ -31675,6 +31710,7 @@ static int load_module(void)
+ 	/* Make sure we can register our sip channel type */
+ 	if (ast_channel_register(&sip_tech)) {
+ 		ast_log(LOG_ERROR, "Unable to register channel type 'SIP'\n");
++		ao2_t_ref(bogus_peer, -1, "unref the bogus_peer");
+ 		io_context_destroy(io);
+ 		sched_context_destroy(sched);
+ 		return AST_MODULE_LOAD_FAILURE;
+@@ -31916,6 +31952,8 @@ static int unload_module(void)
+ 		ast_debug(2, "TCP/TLS thread container did not become empty :(\n");
+ 	}
+ 
++	ao2_t_ref(bogus_peer, -1, "unref the bogus_peer");
++
+ 	ao2_t_ref(peers, -1, "unref the peers table");
+ 	ao2_t_ref(peers_by_ip, -1, "unref the peers_by_ip table");
+ 	ao2_t_ref(dialogs, -1, "unref the dialogs table");
+diff --git a/channels/sip/include/sip.h b/channels/sip/include/sip.h
+index 6040daa..4d1dc1f 100644
+--- a/channels/sip/include/sip.h
++++ b/channels/sip/include/sip.h
+@@ -471,7 +471,6 @@ enum check_auth_result {
+ 	AUTH_SECRET_FAILED = -1,
+ 	AUTH_USERNAME_MISMATCH = -2,
+ 	AUTH_NOT_FOUND = -3,	/*!< returned by register_verify */
+-	AUTH_FAKE_AUTH = -4,
+ 	AUTH_UNKNOWN_DOMAIN = -5,
+ 	AUTH_PEER_NOT_DYNAMIC = -6,
+ 	AUTH_ACL_FAILED = -7,
+-- 
+1.7.10.4
+
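Review bot: Removing AUTH_FAKE_AUTH in the sip.h hunk leaves the explicit enum values jumping from -3 to -5. Add a comment that -4 is retired so it is not reused later with a different meaning. Also confirm that nothing outside chan_sip.c still tests for AUTH_FAKE_AUTH, since the handlers changed in this patch are the only users visible here and sip.h is a shared header.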

Modified: asterisk/trunk/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/trunk/debian/patches/series?rev=10122&op=diff
==============================================================================
--- asterisk/trunk/debian/patches/series (original)
+++ asterisk/trunk/debian/patches/series Thu Mar 28 08:19:22 2013
@@ -35,3 +35,5 @@
 AST-2012-015
 powerpcspe
 fix_xmpp_19532
+AST-2013-002
+AST-2013-003



