<p>George Joseph <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/15150">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  Kevin Harwell: Looks good to me, approved
  George Joseph: Approved for Submit

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">AST-2020-002 - res_pjsip: Stop sending INVITEs after challenge limit.<br><br>If Asterisk sends out an INVITE and receives a challenge with a<br>different nonce value each time, it will continuously send out INVITEs,<br>even if the call is hung up. The endpoint must be configured for<br>outbound authentication for this to occur. A limit has been set on<br>outbound INVITEs so that, once reached, Asterisk will stop sending<br>INVITEs and the transaction will terminate.<br><br>ASTERISK-29013<br><br>Change-Id: I2d001ca745b00ca8aa12030f2240cd72363b46f7<br>---<br>M include/asterisk/res_pjsip.h<br>M include/asterisk/res_pjsip_session.h<br>M res/res_pjsip.c<br>M res/res_pjsip_session.c<br>4 files changed, 15 insertions(+), 4 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/include/asterisk/res_pjsip.h b/include/asterisk/res_pjsip.h</span><br><span>index a78311d..22292cc 100644</span><br><span>--- a/include/asterisk/res_pjsip.h</span><br><span>+++ b/include/asterisk/res_pjsip.h</span><br><span>@@ -63,6 +63,9 @@</span><br><span> /*! \brief Maximum number of ciphers supported for a TLS transport */</span><br><span> #define SIP_TLS_MAX_CIPHERS 64</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/*! 
Maximum number of challenges before assuming that we are in a loop */</span><br><span style="color: hsl(120, 100%, 40%);">+#define MAX_RX_CHALLENGES 10</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /*!</span><br><span>  * \brief Structure for SIP transport information</span><br><span>  */</span><br><span>diff --git a/include/asterisk/res_pjsip_session.h b/include/asterisk/res_pjsip_session.h</span><br><span>index 44b4568..f814fa0 100644</span><br><span>--- a/include/asterisk/res_pjsip_session.h</span><br><span>+++ b/include/asterisk/res_pjsip_session.h</span><br><span>@@ -221,8 +221,10 @@</span><br><span>  enum ast_sip_dtmf_mode dtmf;</span><br><span>         /*! Initial incoming INVITE Request-URI.  NULL otherwise. */</span><br><span>         pjsip_uri *request_uri;</span><br><span style="color: hsl(0, 100%, 40%);">- /* Media statistics for negotiated RTP streams */</span><br><span style="color: hsl(120, 100%, 40%);">+     /*! Media statistics for negotiated RTP streams */</span><br><span>   AST_VECTOR(, struct ast_rtp_instance_stats *) media_stats;</span><br><span style="color: hsl(120, 100%, 40%);">+    /*! Number of challenges received during outgoing requests to determine if we are in a loop */</span><br><span style="color: hsl(120, 100%, 40%);">+        unsigned int authentication_challenge_count:4;</span><br><span> };</span><br><span> </span><br><span> typedef int (*ast_sip_session_request_creation_cb)(struct ast_sip_session *session, pjsip_tx_data *tdata);</span><br><span>diff --git a/res/res_pjsip.c b/res/res_pjsip.c</span><br><span>index 3e11a6b..7f09036 100644</span><br><span>--- a/res/res_pjsip.c</span><br><span>+++ b/res/res_pjsip.c</span><br><span>@@ -4000,8 +4000,6 @@</span><br><span>      return pj_stristr(&method, message_method) ? PJ_TRUE : PJ_FALSE;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-/*! 
Maximum number of challenges before assuming that we are in a loop */</span><br><span style="color: hsl(0, 100%, 40%);">-#define MAX_RX_CHALLENGES 10</span><br><span> #define TIMER_INACTIVE            0</span><br><span> #define TIMEOUT_TIMER2             5</span><br><span> </span><br><span>diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c</span><br><span>index 4399d55..563989d 100644</span><br><span>--- a/res/res_pjsip_session.c</span><br><span>+++ b/res/res_pjsip_session.c</span><br><span>@@ -2842,7 +2842,6 @@</span><br><span>       .on_rx_request = session_reinvite_on_rx_request,</span><br><span> };</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span> void ast_sip_session_send_request_with_cb(struct ast_sip_session *session, pjsip_tx_data *tdata,</span><br><span>               ast_sip_session_response_cb on_response)</span><br><span> {</span><br><span>@@ -3094,6 +3093,9 @@</span><br><span>                return NULL;</span><br><span>         }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ /* Track the number of challenges received on outbound requests */</span><br><span style="color: hsl(120, 100%, 40%);">+    session->authentication_challenge_count = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>    /* Fire seesion begin handlers */</span><br><span>    handle_session_begin(session);</span><br><span> </span><br><span>@@ -3263,6 +3265,10 @@</span><br><span>  }</span><br><span>    ast_debug(3, "%s: Initial INVITE is being challenged.\n", ast_sip_session_get_name(session));</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+   if (++session->authentication_challenge_count > MAX_RX_CHALLENGES) {</span><br><span style="color: hsl(120, 100%, 40%);">+            ast_debug(3, "%s: Initial INVITE reached maximum number of auth attempts.\n", ast_sip_session_get_name(session));</span><br><span style="color: hsl(120, 100%, 40%);">+           return 
PJ_FALSE;</span><br><span style="color: hsl(120, 100%, 40%);">+      }</span><br><span> </span><br><span>        if (ast_sip_create_request_with_auth(&session->endpoint->outbound_auths, rdata,</span><br><span>            tsx->last_tx, &tdata)) {</span><br><span>@@ -4565,6 +4571,7 @@</span><br><span>                                                      ast_sip_session_get_name(session),</span><br><span>                                                   tsx->status_code);</span><br><span>                                                if ((tsx->status_code == 401 || tsx->status_code == 407)</span><br><span style="color: hsl(120, 100%, 40%);">+                                                        && ++session->authentication_challenge_count < MAX_RX_CHALLENGES</span><br><span>                                                       && !ast_sip_create_request_with_auth(</span><br><span>                                                                &session->endpoint->outbound_auths,</span><br><span>                                                                e->body.tsx_state.src.rdata, tsx->last_tx, &tdata)) {</span><br><span>@@ -4641,6 +4648,7 @@</span><br><span>                                              (int) pj_strlen(&tsx->method.name), pj_strbuf(&tsx->method.name),</span><br><span>                                              tsx->status_code);</span><br><span>                                        if ((tsx->status_code == 401 || tsx->status_code == 407)</span><br><span style="color: hsl(120, 100%, 40%);">+                                                && ++session->authentication_challenge_count < MAX_RX_CHALLENGES</span><br><span>                                               && !ast_sip_create_request_with_auth(</span><br><span>                                                        &session->endpoint->outbound_auths,</span><br><span>                                                        e->body.tsx_state.src.rdata, tsx->last_tx, &tdata)) 
{</span><br><span></span><br></pre>
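Review bot: in the include/asterisk/res_pjsip.h hunk, MAX_RX_CHALLENGES moves into a public header without a module prefix, unlike SIP_TLS_MAX_CIPHERS directly above it, so every file that includes res_pjsip.h now sees a very generic name that can collide with another definition. Consider a prefixed name for the public copy, and add \brief to the doc comment so it matches the neighbouring entries.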
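Review bot: in the include/asterisk/res_pjsip_session.h hunk, "unsigned int authentication_challenge_count:4;" can only hold 0 to 15, and nothing ties that width to MAX_RX_CHALLENGES. It fits the current value of 10, but if the limit is ever raised to 15 or more the counter wraps to 0 before the "greater than MAX_RX_CHALLENGES" test in res_pjsip_session.c can fire, and the INVITE loop this change closes comes back. Use a plain unsigned int, or add a compile-time check that the limit fits in the bit-field, and state the constraint in the doc comment.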
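Review bot: in the res/res_pjsip_session.c hunk at @@ -3094,6 +3093,9, the assignment "session->authentication_challenge_count = 0;" at session allocation is the only reset in this patch, while the later hunks increment the counter on every 401/407 the session receives. The limit is therefore per session lifetime rather than per request: a long-lived session that is legitimately challenged on several later requests accumulates toward the limit and will have a valid challenge ignored. Consider resetting the counter once a request completes with a non-challenge final response, and update the comment, which says "Track" where the line actually initialises.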
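Review bot: in the res/res_pjsip_session.c hunk at @@ -3263,6 +3265,10, hitting the limit is reported only through ast_debug(3, ...), so on a system without debug enabled the condition described in AST-2020-002 leaves no trace. This is an event operators should be able to detect and alert on: log it with ast_log(LOG_WARNING, ...) and keep ast_sip_session_get_name(session) in the message so the affected endpoint can be identified.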
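Review bot: in the res/res_pjsip_session.c hunks at @@ -4565,6 +4571,7 and @@ -4641,6 +4648,7, the added condition retries only while the incremented count is less than MAX_RX_CHALLENGES, whereas the initial-INVITE hunk gives up only when the incremented count is greater than MAX_RX_CHALLENGES. Taken on its own, the initial-INVITE path answers ten challenges and these two paths answer nine. These two paths also log nothing when the count check is what stops the retry. Put the increment and comparison in one small helper used by all three call sites so the limit means the same thing everywhere, and emit the same log message from it.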

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: certified/16.8 </div>
<div style="display:none"> Gerrit-Change-Id: I2d001ca745b00ca8aa12030f2240cd72363b46f7 </div>
<div style="display:none"> Gerrit-Change-Number: 15150 </div>
<div style="display:none"> Gerrit-PatchSet: 2 </div>
<div style="display:none"> Gerrit-Owner: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Kevin Harwell <kharwell@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>