[Asterisk-bsd] upgrade path for 1.2

Stuart Henderson stu at spacehopper.org
Wed Mar 21 16:08:39 MST 2007


On 2007/03/21 17:27, Graham Todd wrote:
> 
> I noticed that the ports version is at 1.2.13, but asterisk-1.2 source
> is at 1.2.17 - should I just jump to a test port of 1.4 or try to get
> 1.2.17 building/installing via ports? (patches need realigning it looks
> like).

You could just patch the vulns if you don't care about the other fixes
brought in by 1.2.{14-17}. (that's what OpenBSD has been doing for Asterisk
versions from older OS releases' ports trees; -current has 1.2.17, 3.9 and
4.0 have 1.2.9 with the security fixes from 1.2.13 and 1.2.16 and the fix
for the new one to follow).

Really, you want these bugs fixed; exploiting the problem fixed in 1.2.16
is a one-liner at the shell. The newer one is a little more typing but
doesn't look highly complicated.

Here are the two fixes together; this is against 1.2.9 but should apply
with little trouble to newer code.

--- channels/chan_sip.c.orig	Thu May 25 18:18:01 2006
+++ channels/chan_sip.c	Wed Mar 21 15:03:09 2007
@@ -3587,6 +3587,7 @@ static int process_sdp(struct sip_pvt *p
 				hp = ast_gethostbyname(host, &ahp);
 				if (!hp) {
 					ast_log(LOG_WARNING, "Unable to lookup host in secondary c= line, '%s'\n", c);
+					return -1;
 				}
 			}
 		}
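Review bot: the added `return -1;` in the `if (!hp)` branch turns what was only a logged warning into a hard failure of process_sdp, and nothing in the hunk records why. A one-line comment stating that a failed lookup must not fall through with hp NULL would help anyone realigning this patch against newer code. Because the return sits several blocks deep, it is also worth confirming that nothing set on p earlier in the function needs undoing before bailing out, and the warning text could say that the SDP is being rejected.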
@@ -3615,6 +3616,7 @@ static int process_sdp(struct sip_pvt *p
 				hp = ast_gethostbyname(host, &ahp);
 				if (!hp) {
 					ast_log(LOG_WARNING, "Unable to lookup host in secondary c= line, '%s'\n", c);
+					return -1;
 				}
 			}
 		}
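Review bot: the log string in this second `if (!hp)` branch is identical to the one in the hunk at -3587 ("Unable to lookup host in secondary c= line, '%s'"), so once both sites return -1 the log cannot show which lookup rejected the SDP. Suggest giving the two messages distinct wording, or moving the lookup-and-fail sequence into one helper so the check cannot drift between the two copies.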
@@ -11179,6 +11181,12 @@ static int handle_request(struct sip_pvt
 			}
 			return res;
 		}
+	}
+
+	if (!e && (p->method == SIP_INVITE || p->method == SIP_SUBSCRIBE || p->method == SIP_REGISTER)) {
+		transmit_response(p, "503 Server error", req);
+		ast_set_flag(p, SIP_NEEDDESTROY);
+		return -1;
 	}
 
 	/* Handle various incoming SIP methods in requests */
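Review bot: the new check `if (!e && (p->method == SIP_INVITE || ...))` needs a comment saying what a NULL e means at this point, since its assignment is not visible here and only three methods are covered; if the other methods are safe with !e, say why. The response text also deserves a second look: the standard reason phrase for 503 in RFC 3261 is "Service Unavailable", and if !e indicates a defective request rather than a server-side condition, a 4xx such as "400 Bad Request" would describe the problem to the peer more accurately.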

