<p>Kevin Harwell <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/15136">View Change</a></p><div style="white-space:pre-wrap">Approvals:
Kevin Harwell: Looks good to me, but someone else must approve; Approved for Submit
George Joseph: Looks good to me, approved
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">AST-2020-002 - res_pjsip: Stop sending INVITEs after challenge limit.<br><br>If Asterisk sends out and INVITE and receives a challenge with a<br>different nonce value each time, it will continually send out INVITEs,<br>even if the call is hung up. The endpoint must be configured for<br>outbound authentication in order for this to occur. A limit has been set<br>on outbound INVITEs so that, once reached, Asterisk will stop sending<br>INVITEs and the transaction will terminate.<br><br>ASTERISK-29013<br><br>Change-Id: I2d001ca745b00ca8aa12030f2240cd72363b46f7<br>---<br>M include/asterisk/res_pjsip.h<br>M include/asterisk/res_pjsip_session.h<br>M res/res_pjsip.c<br>M res/res_pjsip_session.c<br>4 files changed, 13 insertions(+), 3 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/include/asterisk/res_pjsip.h b/include/asterisk/res_pjsip.h</span><br><span>index ddcf02f..2e1f7af 100644</span><br><span>--- a/include/asterisk/res_pjsip.h</span><br><span>+++ b/include/asterisk/res_pjsip.h</span><br><span>@@ -76,6 +76,9 @@</span><br><span> /*! \brief Maximum number of ciphers supported for a TLS transport */</span><br><span> #define SIP_TLS_MAX_CIPHERS 64</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/*! Maximum number of challenges before assuming that we are in a loop */</span><br><span style="color: hsl(120, 100%, 40%);">+#define MAX_RX_CHALLENGES 10</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> AST_VECTOR(ast_sip_service_route_vector, char *);</span><br><span> </span><br><span> /*!</span><br><span>diff --git a/include/asterisk/res_pjsip_session.h b/include/asterisk/res_pjsip_session.h</span><br><span>index 1e83696..54c704f 100644</span><br><span>--- a/include/asterisk/res_pjsip_session.h</span><br><span>+++ b/include/asterisk/res_pjsip_session.h</span><br><span>@@ -235,6 +235,8 @@</span><br><span> pjsip_uri *request_uri;</span><br><span> /*! Media statistics for negotiated RTP streams */</span><br><span> AST_VECTOR(, struct ast_rtp_instance_stats *) media_stats;</span><br><span style="color: hsl(120, 100%, 40%);">+ /*! Number of challenges received during outgoing requests to determine if we are in a loop */</span><br><span style="color: hsl(120, 100%, 40%);">+ unsigned int authentication_challenge_count:4;</span><br><span> /*! The direction of the call respective to Asterisk */</span><br><span> enum ast_sip_session_call_direction call_direction;</span><br><span> };</span><br><span>diff --git a/res/res_pjsip.c b/res/res_pjsip.c</span><br><span>index cfc97b6..7378560 100644</span><br><span>--- a/res/res_pjsip.c</span><br><span>+++ b/res/res_pjsip.c</span><br><span>@@ -4415,8 +4415,6 @@</span><br><span> return pj_stristr(&method, message_method) ? PJ_TRUE : PJ_FALSE;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-/*! Maximum number of challenges before assuming that we are in a loop */</span><br><span style="color: hsl(0, 100%, 40%);">-#define MAX_RX_CHALLENGES 10</span><br><span> #define TIMER_INACTIVE 0</span><br><span> #define TIMEOUT_TIMER2 5</span><br><span> </span><br><span>diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c</span><br><span>index ec01145..e831922 100644</span><br><span>--- a/res/res_pjsip_session.c</span><br><span>+++ b/res/res_pjsip_session.c</span><br><span>@@ -2865,7 +2865,6 @@</span><br><span> .on_rx_request = session_reinvite_on_rx_request,</span><br><span> };</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span> void ast_sip_session_send_request_with_cb(struct ast_sip_session *session, pjsip_tx_data *tdata,</span><br><span> ast_sip_session_response_cb on_response)</span><br><span> {</span><br><span>@@ -3120,6 +3119,8 @@</span><br><span> return NULL;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ session->authentication_challenge_count = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /* Fire seesion begin handlers */</span><br><span> handle_session_begin(session);</span><br><span> </span><br><span>@@ -3289,6 +3290,10 @@</span><br><span> }</span><br><span> ast_debug(3, "%s: Initial INVITE is being challenged.\n", ast_sip_session_get_name(session));</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (++session->authentication_challenge_count > MAX_RX_CHALLENGES) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_debug(3, "%s: Initial INVITE reached maximum number of auth attempts.\n", ast_sip_session_get_name(session));</span><br><span style="color: hsl(120, 100%, 40%);">+ return PJ_FALSE;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> </span><br><span> if (ast_sip_create_request_with_auth(&session->endpoint->outbound_auths, rdata,</span><br><span> tsx->last_tx, &tdata)) {</span><br><span>@@ -4696,6 +4701,7 @@</span><br><span> ast_sip_session_get_name(session),</span><br><span> tsx->status_code);</span><br><span> if ((tsx->status_code == 401 || tsx->status_code == 407)</span><br><span style="color: hsl(120, 100%, 40%);">+ && ++session->authentication_challenge_count < MAX_RX_CHALLENGES</span><br><span> && !ast_sip_create_request_with_auth(</span><br><span> &session->endpoint->outbound_auths,</span><br><span> e->body.tsx_state.src.rdata, tsx->last_tx, &tdata)) {</span><br><span>@@ -4789,6 +4795,7 @@</span><br><span> (int) pj_strlen(&tsx->method.name), pj_strbuf(&tsx->method.name),</span><br><span> tsx->status_code);</span><br><span> if ((tsx->status_code == 401 || tsx->status_code == 407)</span><br><span style="color: hsl(120, 100%, 40%);">+ && ++session->authentication_challenge_count < MAX_RX_CHALLENGES</span><br><span> && !ast_sip_create_request_with_auth(</span><br><span> &session->endpoint->outbound_auths,</span><br><span> e->body.tsx_state.src.rdata, tsx->last_tx, &tdata)) {</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/15136">change 15136</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/15136"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 18 </div>
<div style="display:none"> Gerrit-Change-Id: I2d001ca745b00ca8aa12030f2240cd72363b46f7 </div>
<div style="display:none"> Gerrit-Change-Number: 15136 </div>
<div style="display:none"> Gerrit-PatchSet: 3 </div>
<div style="display:none"> Gerrit-Owner: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Kevin Harwell <kharwell@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>