[svn-commits] qwell: branch 10-digiumphones r365214 - in /branches/10-digiumphones: ./ addo...
SVN commits to the Digium repositories
svn-commits at lists.digium.com
Thu May 3 14:14:51 CDT 2012
Author: qwell
Date: Thu May 3 14:14:45 2012
New Revision: 365214
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=365214
Multiple revisions 361143,363103-363104,363107,363156,364707
r361143 | jrose | 2012-04-04 11:38:12 -0500 (Wed, 04 Apr 2012) | 12 lines
Replace GNU old-style field designator extensions to fix clang warnings
(issue ASTERISK-19540)
Reported by: Makoto Dei
clang-gnu-designator.patch uploaded by Makoto Dei (license 5027)
Also add from the patch the portion in res_fax_spandsp that didn't apply to 1.8
Merged revisions 361142 from http://svn.asterisk.org/svn/asterisk/branches/1.8
(closes issue ASTERISK-19540)
r363103 | mjordan | 2012-04-23 08:40:23 -0500 (Mon, 23 Apr 2012) | 19 lines
AST-2012-005: Fix remotely exploitable heap overflow in keypad button handling
When handling a keypad button message event, the received digit is placed into
a fixed length buffer that acts as a queue. When a new message event is
received, the length of that buffer is not checked before placing the new digit
on the end of the queue. The situation exists where sufficient keypad button
message events would occur that would cause the buffer to be overrun. This
patch explicitly checks that there is sufficient room in the buffer before
appending a new digit.
(closes issue ASTERISK-19592)
Reported by: Russell Bryant
Merged revisions 363100 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
Merged revisions 363102 from http://svn.asterisk.org/svn/asterisk/branches/1.8
r363104 | mjordan | 2012-04-23 08:48:48 -0500 (Mon, 23 Apr 2012) | 10 lines
Reference skinny_subchannel object instead of skinny_device for r363103
The check-in to resolve ASTERISK-19592 (r363103) failed to switch to the
skinny_subchannel object instead of the skinny_device when attempting to
reference the buffer for the keypad digits. This patch fixes that.
(issue ASTERISK-19592)
Reported by: Russell Bryant
r363107 | mjordan | 2012-04-23 09:07:29 -0500 (Mon, 23 Apr 2012) | 19 lines
AST-2012-006: Fix crash in UPDATE handling when no channel owner exists
If Asterisk receives a SIP UPDATE request after a call has been terminated and
the channel has been destroyed but before the SIP dialog has been destroyed, a
condition exists where a connected line update would be attempted on a
non-existing channel. This would cause Asterisk to crash. The patch resolves
this by first ensuring that the SIP dialog has an owning channel before
attempting a connected line update. If an UPDATE request is received and no
channel is associated with the dialog, a 481 response is sent.
(closes issue ASTERISK-19770)
Reported by: Thomas Arimont
Tested by: Matt Jordan
ASTERISK-19278-2012-04-16.diff uploaded by Matt Jordan (license 6283)
Merged revisions 363106 from http://svn.asterisk.org/svn/asterisk/branches/1.8
r363156 | jrose | 2012-04-23 09:39:48 -0500 (Mon, 23 Apr 2012) | 23 lines
AST-2012-004: Fix an error that allows AMI users to run shell commands sans authorization.
As detailed in the advisory, AMI users without write authorization for SYSTEM class AMI
actions were able to run system commands by going through other AMI commands which did
not require that authorization. Specifically, GetVar and Status allowed users to do this
by setting their variable/s options to the SHELL or EVAL functions.
Also, within 1.8, 10, and trunk there was a similar flaw with the Originate action that
allowed users with originate permission to run MixMonitor and supply a shell command
in the Data argument. That flaw is fixed in those versions of this patch.
(closes issue ASTERISK-17465)
Reported By: David Woolley
162_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
18_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
10_ami_readfunc_security_r2.diff uploaded by jrose (license 6182)
Merged revisions 363117 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
Merged revisions 363141 from http://svn.asterisk.org/svn/asterisk/branches/1.8
r364707 | mmichelson | 2012-04-30 14:42:35 -0500 (Mon, 30 Apr 2012) | 17 lines
Revert improved identities sent in dialog-info NOTIFY requests in r360862
Revision 360862 was intended to improve identities sent in dialog-info
NOTIFY requests. Some users reported that hint became broken once this
was done. It's not clear exactly what part of the patch has caused this
regression, but broken hints are bad.
For now, this revision is being reverted so that the next releases of
Asterisk do not have bad behavior in them. The original reported issue
will have to be fixed differently in the next version of Asterisk.
(issue ASTERISK-16735)
Merged revisions 364706 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Merged revisions 361143,363103-363104,363107,363156,364707 from http://svn.asterisk.org/svn/asterisk/branches/10
branches/10-digiumphones/ (props changed)
Propchange: branches/10-digiumphones/
Binary property 'branch-1.8-merged' - no diff available.
Propchange: branches/10-digiumphones/
Binary property 'branch-10-merged' - no diff available.
Modified: branches/10-digiumphones/addons/chan_ooh323.c
URL: http://svnview.digium.com/svn/asterisk/branches/10-digiumphones/addons/chan_ooh323.c?view=diff&rev=365214&r1=365213&r2=365214
--- branches/10-digiumphones/addons/chan_ooh323.c (original)
+++ branches/10-digiumphones/addons/chan_ooh323.c Thu May 3 14:14:45 2012
@@ -129,9 +129,9 @@
static struct ast_udptl_protocol ooh323_udptl = {
- type: "H323",
- get_udptl_info: ooh323_get_udptl_peer,
- set_udptl_peer: ooh323_set_udptl_peer,
+ .type = "H323",
+ .get_udptl_info = ooh323_get_udptl_peer,
+ .set_udptl_peer = ooh323_set_udptl_peer,
Modified: branches/10-digiumphones/apps/app_externalivr.c
URL: http://svnview.digium.com/svn/asterisk/branches/10-digiumphones/apps/app_externalivr.c?view=diff&rev=365214&r1=365213&r2=365214
--- branches/10-digiumphones/apps/app_externalivr.c (original)
+++ branches/10-digiumphones/apps/app_externalivr.c Thu May 3 14:14:45 2012
@@ -293,9 +293,9 @@
static struct ast_generator gen =
- alloc: gen_alloc,
- release: gen_release,
- generate: gen_generate,
+ .alloc = gen_alloc,
+ .release = gen_release,
+ .generate = gen_generate,
static void ast_eivr_getvariable(struct ast_channel *chan, char *data, char *outbuf, int outbuflen)
Modified: branches/10-digiumphones/apps/app_milliwatt.c
URL: http://svnview.digium.com/svn/asterisk/branches/10-digiumphones/apps/app_milliwatt.c?view=diff&rev=365214&r1=365213&r2=365214
--- branches/10-digiumphones/apps/app_milliwatt.c (original)
+++ branches/10-digiumphones/apps/app_milliwatt.c Thu May 3 14:14:45 2012
@@ -117,9 +117,9 @@
static struct ast_generator milliwattgen = {
- alloc: milliwatt_alloc,
- release: milliwatt_release,
- generate: milliwatt_generate,
+ .alloc = milliwatt_alloc,
+ .release = milliwatt_release,
+ .generate = milliwatt_generate,
static int old_milliwatt_exec(struct ast_channel *chan)
Modified: branches/10-digiumphones/channels/chan_iax2.c
URL: http://svnview.digium.com/svn/asterisk/branches/10-digiumphones/channels/chan_iax2.c?view=diff&rev=365214&r1=365213&r2=365214
--- branches/10-digiumphones/channels/chan_iax2.c (original)
+++ branches/10-digiumphones/channels/chan_iax2.c Thu May 3 14:14:45 2012
@@ -14144,12 +14144,12 @@
static struct ast_switch iax2_switch =
- name: "IAX2",
- description: "IAX Remote Dialplan Switch",
- exists: iax2_exists,
- canmatch: iax2_canmatch,
- exec: iax2_exec,
- matchmore: iax2_matchmore,
+ .name = "IAX2",
+ .description = "IAX Remote Dialplan Switch",
+ .exists = iax2_exists,
+ .canmatch = iax2_canmatch,
+ .exec = iax2_exec,
+ .matchmore = iax2_matchmore,
Modified: branches/10-digiumphones/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/branches/10-digiumphones/channels/chan_sip.c?view=diff&rev=365214&r1=365213&r2=365214
--- branches/10-digiumphones/channels/chan_sip.c (original)
+++ branches/10-digiumphones/channels/chan_sip.c Thu May 3 14:14:45 2012
@@ -3080,9 +3080,9 @@
/*! \brief Interface structure with callbacks used to connect to UDPTL module*/
static struct ast_udptl_protocol sip_udptl = {
- type: "SIP",
- get_udptl_info: sip_get_udptl_peer,
- set_udptl_peer: sip_set_udptl_peer,
+ .type = "SIP",
+ .get_udptl_info = sip_get_udptl_peer,
+ .set_udptl_peer = sip_set_udptl_peer,
static void append_history_full(struct sip_pvt *p, const char *fmt, ...)
@@ -13090,8 +13090,6 @@
if ((data->state & AST_EXTENSION_RINGING) && sip_cfg.notifyringing) {
const char *local_display = exten;
char *local_target = ast_strdupa(mto);
- const char *remote_display = exten;
- char *remote_target = ast_strdupa(mfrom);
/* There are some limitations to how this works. The primary one is that the
callee must be dialing the same extension that is being monitored. Simply dialing
@@ -13101,28 +13099,16 @@
if ((caller = ast_channel_callback(find_calling_channel, NULL, p, 0))) {
char *cid_num;
- char *connected_num;
int need;
cid_num = S_COR(caller->caller.id.number.valid,
caller->caller.id.number.str, "");
need = strlen(cid_num) + strlen(p->fromdomain) + sizeof("sip:@");
- remote_target = alloca(need);
- snprintf(remote_target, need, "sip:%s@%s", cid_num, p->fromdomain);
- remote_display = ast_strdupa(S_COR(caller->caller.id.name.valid,
+ local_target = alloca(need);
+ snprintf(local_target, need, "sip:%s@%s", cid_num, p->fromdomain);
+ local_display = ast_strdupa(S_COR(caller->caller.id.name.valid,
caller->caller.id.name.str, ""));
- connected_num = S_COR(caller->connected.id.number.valid,
- caller->connected.id.number.str, "");
- need = strlen(connected_num) + strlen(p->fromdomain) + sizeof("sip:@");
- local_target = alloca(need);
- snprintf(local_target, need, "sip:%s@%s", connected_num, p->fromdomain);
- local_display = ast_strdupa(S_COR(caller->connected.id.name.valid,
- caller->connected.id.name.str, ""));
caller = ast_channel_unref(caller);
@@ -13144,10 +13130,10 @@
"<target uri=\"%s\"/>\n"
- "<identity display=\"%s\">%s</identity>\n"
+ "<identity>%s</identity>\n"
"<target uri=\"%s\"/>\n"
- remote_display, remote_target, remote_target, local_display, local_target, local_target);
+ local_display, local_target, local_target, mto, mto);
} else {
ast_str_append(tmp, 0, "<dialog id=\"%s\" direction=\"recipient\">\n", exten);
@@ -22945,6 +22931,10 @@
if (ast_strlen_zero(sip_get_header(req, "X-Asterisk-rpid-update"))) {
transmit_response(p, "501 Method Not Implemented", req);
+ return 0;
+ }
+ if (!p->owner) {
+ transmit_response(p, "481 Call/Transaction Does Not Exist", req);
return 0;
if (get_rpid(p, req)) {
Modified: branches/10-digiumphones/channels/chan_skinny.c
URL: http://svnview.digium.com/svn/asterisk/branches/10-digiumphones/channels/chan_skinny.c?view=diff&rev=365214&r1=365213&r2=365214
--- branches/10-digiumphones/channels/chan_skinny.c (original)
+++ branches/10-digiumphones/channels/chan_skinny.c Thu May 3 14:14:45 2012
@@ -6601,7 +6601,8 @@
int res = 0;
struct skinny_speeddial *sd;
struct skinny_device *d = s->device;
+ size_t len;
if ((!s->device) && (letohl(req->e) != REGISTER_MESSAGE && letohl(req->e) != ALARM_MESSAGE)) {
ast_log(LOG_WARNING, "Client sent message #%d without first registering.\n", req->e);
@@ -6671,8 +6672,13 @@
ast_log(LOG_WARNING, "Unsupported digit %d\n", digit);
- sub->exten[strlen(sub->exten)] = dgt;
- sub->exten[strlen(sub->exten)+1] = '\0';
+ len = strlen(sub->exten);
+ if (len < sizeof(sub->exten) - 1) {
+ sub->exten[len] = dgt;
+ sub->exten[len + 1] = '\0';
+ } else {
+ ast_log(AST_LOG_WARNING, "Dropping digit with value %d because digit queue is full\n", dgt);
+ }
} else
res = handle_keypad_button_message(req, s);
Modified: branches/10-digiumphones/main/app.c
URL: http://svnview.digium.com/svn/asterisk/branches/10-digiumphones/main/app.c?view=diff&rev=365214&r1=365213&r2=365214
--- branches/10-digiumphones/main/app.c (original)
+++ branches/10-digiumphones/main/app.c Thu May 3 14:14:45 2012
@@ -551,9 +551,9 @@
static struct ast_generator linearstream =
- alloc: linear_alloc,
- release: linear_release,
- generate: linear_generator,
+ .alloc = linear_alloc,
+ .release = linear_release,
+ .generate = linear_generator,
int ast_linear_stream(struct ast_channel *chan, const char *filename, int fd, int allowoverride)
Modified: branches/10-digiumphones/main/channel.c
URL: http://svnview.digium.com/svn/asterisk/branches/10-digiumphones/main/channel.c?view=diff&rev=365214&r1=365213&r2=365214
--- branches/10-digiumphones/main/channel.c (original)
+++ branches/10-digiumphones/main/channel.c Thu May 3 14:14:45 2012
@@ -7932,9 +7932,9 @@
static struct ast_generator tonepair = {
- alloc: tonepair_alloc,
- release: tonepair_release,
- generate: tonepair_generator,
+ .alloc = tonepair_alloc,
+ .release = tonepair_release,
+ .generate = tonepair_generator,
int ast_tonepair_start(struct ast_channel *chan, int freq1, int freq2, int duration, int vol)
Modified: branches/10-digiumphones/main/manager.c
URL: http://svnview.digium.com/svn/asterisk/branches/10-digiumphones/main/manager.c?view=diff&rev=365214&r1=365213&r2=365214
--- branches/10-digiumphones/main/manager.c (original)
+++ branches/10-digiumphones/main/manager.c Thu May 3 14:14:45 2012
@@ -1220,6 +1220,19 @@
{ INT_MAX, "all" },
{ 0, "none" },
+/*! \brief Checks to see if a string which can be used to evaluate functions should be rejected */
+static int function_capable_string_allowed_with_auths(const char *evaluating, int writepermlist)
+ if (!(writepermlist & EVENT_FLAG_SYSTEM)
+ && (
+ strstr(evaluating, "SHELL") || /* NoOp(${SHELL(rm -rf /)}) */
+ strstr(evaluating, "EVAL") /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+ )) {
+ return 0;
+ }
+ return 1;
/*! \brief Convert authority code to a list of options */
static const char *authority_to_str(int authority, struct ast_str **res)
@@ -3224,6 +3237,12 @@
return 0;
+ /* We don't want users with insufficient permissions using certain functions. */
+ if (!(function_capable_string_allowed_with_auths(varname, s->session->writeperm))) {
+ astman_send_error(s, m, "GetVar Access Forbidden: Variable");
+ return 0;
+ }
if (!ast_strlen_zero(name)) {
if (!(c = ast_channel_get_by_name(name))) {
astman_send_error(s, m, "No such channel");
@@ -3282,6 +3301,11 @@
snprintf(idText, sizeof(idText), "ActionID: %s\r\n", id);
} else {
idText[0] = '\0';
+ }
+ if (!(function_capable_string_allowed_with_auths(variables, s->session->writeperm))) {
+ astman_send_error(s, m, "Status Access Forbidden: Variables");
+ return 0;
if (all) {
@@ -4087,6 +4111,7 @@
if (!ast_strlen_zero(app) && s->session) {
+ int bad_appdata = 0;
/* To run the System application (or anything else that goes to
* shell), you must have the additional System privilege */
if (!(s->session->writeperm & EVENT_FLAG_SYSTEM)
@@ -4097,10 +4122,13 @@
TryExec(System(rm -rf /)) */
strcasestr(app, "agi") || /* AGI(/bin/rm,-rf /)
EAGI(/bin/rm,-rf /) */
- strstr(appdata, "SHELL") || /* NoOp(${SHELL(rm -rf /)}) */
- strstr(appdata, "EVAL") /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+ strcasestr(app, "mixmonitor") || /* MixMonitor(blah,,rm -rf) */
+ (strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */
+ (strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
)) {
- astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
+ char error_buf[64];
+ snprintf(error_buf, sizeof(error_buf), "Originate Access Forbidden: %s", bad_appdata ? "Data" : "Application");
+ astman_send_error(s, m, error_buf);
res = 0;
goto fast_orig_cleanup;
Modified: branches/10-digiumphones/pbx/pbx_loopback.c
URL: http://svnview.digium.com/svn/asterisk/branches/10-digiumphones/pbx/pbx_loopback.c?view=diff&rev=365214&r1=365213&r2=365214
--- branches/10-digiumphones/pbx/pbx_loopback.c (original)
+++ branches/10-digiumphones/pbx/pbx_loopback.c Thu May 3 14:14:45 2012
@@ -163,12 +163,12 @@
static struct ast_switch loopback_switch =
- name: "Loopback",
- description: "Loopback Dialplan Switch",
- exists: loopback_exists,
- canmatch: loopback_canmatch,
- exec: loopback_exec,
- matchmore: loopback_matchmore,
+ .name = "Loopback",
+ .description = "Loopback Dialplan Switch",
+ .exists = loopback_exists,
+ .canmatch = loopback_canmatch,
+ .exec = loopback_exec,
+ .matchmore = loopback_matchmore,
static int unload_module(void)
Modified: branches/10-digiumphones/pbx/pbx_realtime.c
URL: http://svnview.digium.com/svn/asterisk/branches/10-digiumphones/pbx/pbx_realtime.c?view=diff&rev=365214&r1=365213&r2=365214
--- branches/10-digiumphones/pbx/pbx_realtime.c (original)
+++ branches/10-digiumphones/pbx/pbx_realtime.c Thu May 3 14:14:45 2012
@@ -388,12 +388,12 @@
static struct ast_switch realtime_switch =
- name: "Realtime",
- description: "Realtime Dialplan Switch",
- exists: realtime_exists,
- canmatch: realtime_canmatch,
- exec: realtime_exec,
- matchmore: realtime_matchmore,
+ .name = "Realtime",
+ .description = "Realtime Dialplan Switch",
+ .exists = realtime_exists,
+ .canmatch = realtime_canmatch,
+ .exec = realtime_exec,
+ .matchmore = realtime_matchmore,
static int unload_module(void)
Modified: branches/10-digiumphones/res/res_fax_spandsp.c
URL: http://svnview.digium.com/svn/asterisk/branches/10-digiumphones/res/res_fax_spandsp.c?view=diff&rev=365214&r1=365213&r2=365214
--- branches/10-digiumphones/res/res_fax_spandsp.c (original)
+++ branches/10-digiumphones/res/res_fax_spandsp.c Thu May 3 14:14:45 2012
@@ -759,9 +759,9 @@
int i;
struct ast_channel *peer;
static struct ast_generator t30_gen = {
- alloc: spandsp_fax_gw_gen_alloc,
- release: spandsp_fax_gw_gen_release,
- generate: spandsp_fax_gw_t30_gen,
+ .alloc = spandsp_fax_gw_gen_alloc,
+ .release = spandsp_fax_gw_gen_release,
+ .generate = spandsp_fax_gw_t30_gen,
#if SPANDSP_RELEASE_DATE >= 20081012
More information about the svn-commits
mailing list