[Asterisk-code-review] AST-2020-002 - res_pjsip: Stop sending INVITEs after challenge limit. (asterisk[master])

Kevin Harwell asteriskteam at digium.com
Thu Nov 5 10:43:03 CST 2020


Kevin Harwell has submitted this change. ( https://gerrit.asterisk.org/c/asterisk/+/15120 )

Change subject: AST-2020-002 - res_pjsip: Stop sending INVITEs after challenge limit.
......................................................................

AST-2020-002 - res_pjsip: Stop sending INVITEs after challenge limit.

If Asterisk sends out an INVITE and receives a challenge with a
different nonce value each time, it will continually send out INVITEs,
even if the call is hung up. The endpoint must be configured for
outbound authentication in order for this to occur. A limit has been set
on outbound INVITEs so that, once reached, Asterisk will stop sending
INVITEs and the transaction will terminate.

ASTERISK-29013

Change-Id: I2d001ca745b00ca8aa12030f2240cd72363b46f7
---
M include/asterisk/res_pjsip.h
M include/asterisk/res_pjsip_session.h
M res/res_pjsip.c
M res/res_pjsip_session.c
4 files changed, 13 insertions(+), 3 deletions(-)

Approvals:
  Kevin Harwell: Looks good to me, but someone else must approve; Approved for Submit
  George Joseph: Looks good to me, approved



diff --git a/include/asterisk/res_pjsip.h b/include/asterisk/res_pjsip.h
index ddcf02f..2e1f7af 100644
--- a/include/asterisk/res_pjsip.h
+++ b/include/asterisk/res_pjsip.h
@@ -76,6 +76,9 @@
 /*! \brief Maximum number of ciphers supported for a TLS transport */
 #define SIP_TLS_MAX_CIPHERS 64
 
+/*! Maximum number of challenges before assuming that we are in a loop */
+#define MAX_RX_CHALLENGES	10
+
 AST_VECTOR(ast_sip_service_route_vector, char *);
 
 /*!
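Review bot: MAX_RX_CHALLENGES is now exported from a public header without a SIP or AST prefix, unlike SIP_TLS_MAX_CIPHERS directly above it, so it can collide with macros in other modules; consider a prefixed name. The comment should also say that the value now bounds the per-session counter added to res_pjsip_session.h as well as the code in res_pjsip.c it was moved from, and it lacks the \brief tag its neighbor uses.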
diff --git a/include/asterisk/res_pjsip_session.h b/include/asterisk/res_pjsip_session.h
index 1e83696..54c704f 100644
--- a/include/asterisk/res_pjsip_session.h
+++ b/include/asterisk/res_pjsip_session.h
@@ -235,6 +235,8 @@
 	pjsip_uri *request_uri;
 	/*! Media statistics for negotiated RTP streams */
 	AST_VECTOR(, struct ast_rtp_instance_stats *) media_stats;
+	/*! Number of challenges received during outgoing requests to determine if we are in a loop */
+	unsigned int authentication_challenge_count:4;
 	/*! The direction of the call respective to Asterisk */
 	enum ast_sip_session_call_direction call_direction;
 };
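Review bot: authentication_challenge_count is a 4-bit field, so it holds 0 to 15 and wraps to 0 on the next increment, and nothing ties that width to MAX_RX_CHALLENGES (10). If the limit is ever raised to 15 or more, the `++session->authentication_challenge_count > MAX_RX_CHALLENGES` check can never fire, and even at 10 the counter wraps back under the limit if challenges keep arriving on the same session, so the cap is not sticky. Use a plain unsigned int, or saturate the counter and add a compile-time check that the limit fits the field.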
diff --git a/res/res_pjsip.c b/res/res_pjsip.c
index cfc97b6..7378560 100644
--- a/res/res_pjsip.c
+++ b/res/res_pjsip.c
@@ -4415,8 +4415,6 @@
 	return pj_stristr(&method, message_method) ? PJ_TRUE : PJ_FALSE;
 }
 
-/*! Maximum number of challenges before assuming that we are in a loop */
-#define MAX_RX_CHALLENGES	10
 #define TIMER_INACTIVE		0
 #define TIMEOUT_TIMER2		5
 
diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c
index ec01145..e831922 100644
--- a/res/res_pjsip_session.c
+++ b/res/res_pjsip_session.c
@@ -2865,7 +2865,6 @@
 	.on_rx_request = session_reinvite_on_rx_request,
 };
 
-
 void ast_sip_session_send_request_with_cb(struct ast_sip_session *session, pjsip_tx_data *tdata,
 		ast_sip_session_response_cb on_response)
 {
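Review bot: unrelated whitespace cleanup. The only change in this hunk is dropping a blank line before ast_sip_session_send_request_with_cb(), which has nothing to do with the challenge limit; leave it out of a security fix so the patch applies cleanly to release branches.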
@@ -3120,6 +3119,8 @@
 		return NULL;
 	}
 
+	session->authentication_challenge_count = 0;
+
 	/* Fire seesion begin handlers */
 	handle_session_begin(session);
 
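Review bot: within this patch the counter is reset to 0 only here, before the session begin handlers run, while the later hunks increment it on 401/407 responses in three separate paths. A long-lived session whose requests are each legitimately challenged once will add up toward MAX_RX_CHALLENGES and then stop being re-authenticated. Consider resetting the count when a request completes with a non-challenge final response, and state in the field's comment whether the limit is per request or per session.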
@@ -3289,6 +3290,10 @@
 	}
 	ast_debug(3, "%s: Initial INVITE is being challenged.\n", ast_sip_session_get_name(session));
 
+	if (++session->authentication_challenge_count > MAX_RX_CHALLENGES) {
+		ast_debug(3, "%s: Initial INVITE reached maximum number of auth attempts.\n", ast_sip_session_get_name(session));
+		return PJ_FALSE;
+	}
 
 	if (ast_sip_create_request_with_auth(&session->endpoint->outbound_auths, rdata,
 		tsx->last_tx, &tdata)) {
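Review bot: the limit check here is `++session->authentication_challenge_count > MAX_RX_CHALLENGES`, but the two later hunks in this file use `< MAX_RX_CHALLENGES`, so starting from 0 the initial INVITE is answered for 10 challenges and the other paths for 9. Pick one comparison and use it everywhere. Reaching the limit is also logged only at ast_debug level 3; since it points to a misconfigured or misbehaving peer, a warning that names the session would be more useful to operators.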
@@ -4696,6 +4701,7 @@
 							ast_sip_session_get_name(session),
 							tsx->status_code);
 						if ((tsx->status_code == 401 || tsx->status_code == 407)
+							&& ++session->authentication_challenge_count < MAX_RX_CHALLENGES
 							&& !ast_sip_create_request_with_auth(
 								&session->endpoint->outbound_auths,
 								e->body.tsx_state.src.rdata, tsx->last_tx, &tdata)) {
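Review bot: when the `++session->authentication_challenge_count < MAX_RX_CHALLENGES` term is false the retry is skipped silently, unlike the initial INVITE path, which logs that the maximum was reached. Add a log line for that case so a dropped re-authentication can be diagnosed. The increment inside the && chain also relies on short-circuit order to count only 401/407 responses; a short comment saying so would protect it from later reordering.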
@@ -4789,6 +4795,7 @@
 						(int) pj_strlen(&tsx->method.name), pj_strbuf(&tsx->method.name),
 						tsx->status_code);
 					if ((tsx->status_code == 401 || tsx->status_code == 407)
+						&& ++session->authentication_challenge_count < MAX_RX_CHALLENGES
 						&& !ast_sip_create_request_with_auth(
 							&session->endpoint->outbound_auths,
 							e->body.tsx_state.src.rdata, tsx->last_tx, &tdata)) {
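Review bot: this is the same increment-and-compare expression as the previous hunk, copied a second time. Move the check into one small helper shared by all three call sites so the comparison and the logging cannot drift apart.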

-- 
To view, visit https://gerrit.asterisk.org/c/asterisk/+/15120

Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Change-Id: I2d001ca745b00ca8aa12030f2240cd72363b46f7
Gerrit-Change-Number: 15120
Gerrit-PatchSet: 3
Gerrit-Owner: Benjamin Keith Ford <bford at digium.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-MessageType: merged