<p>Benjamin Keith Ford has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/15138">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">AST-2020-002 - res_pjsip: Stop sending INVITEs after challenge limit.<br><br>If Asterisk sends out an INVITE and receives a challenge with a<br>different nonce value each time, it will continuously send out INVITEs,<br>even if the call is hung up. The endpoint must be configured for<br>outbound authentication for this to occur. A limit has been set on<br>outbound INVITEs so that, once reached, Asterisk will stop sending<br>INVITEs and the transaction will terminate.<br><br>ASTERISK-29013<br><br>Change-Id: I2d001ca745b00ca8aa12030f2240cd72363b46f7<br>---<br>M include/asterisk/res_pjsip.h<br>M include/asterisk/res_pjsip_session.h<br>M res/res_pjsip.c<br>M res/res_pjsip_session.c<br>4 files changed, 17 insertions(+), 3 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/38/15138/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/include/asterisk/res_pjsip.h b/include/asterisk/res_pjsip.h</span><br><span>index 3991ebd..f48ea3e 100644</span><br><span>--- a/include/asterisk/res_pjsip.h</span><br><span>+++ b/include/asterisk/res_pjsip.h</span><br><span>@@ -75,6 +75,9 @@</span><br><span> /*! \brief Maximum number of ciphers supported for a TLS transport */</span><br><span> #define SIP_TLS_MAX_CIPHERS 64</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+/*! Maximum number of challenges before assuming that we are in a loop */</span><br><span style="color: hsl(120, 100%, 40%);">+#define MAX_RX_CHALLENGES 10</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /*!</span><br><span> * \brief Structure for SIP transport information</span><br><span> */</span><br><span>diff --git a/include/asterisk/res_pjsip_session.h b/include/asterisk/res_pjsip_session.h</span><br><span>index 27d669f..efcdb7d 100644</span><br><span>--- a/include/asterisk/res_pjsip_session.h</span><br><span>+++ b/include/asterisk/res_pjsip_session.h</span><br><span>@@ -171,6 +171,8 @@</span><br><span> pjsip_uri *request_uri;</span><br><span> /*! Joint capabilities */</span><br><span> struct ast_format_cap *joint_caps;</span><br><span style="color: hsl(120, 100%, 40%);">+ /*! Number of challenges received during outgoing requests to determine if we are in a loop */</span><br><span style="color: hsl(120, 100%, 40%);">+ unsigned int authentication_challenge_count:4;</span><br><span> };</span><br><span> </span><br><span> typedef int (*ast_sip_session_request_creation_cb)(struct ast_sip_session *session, pjsip_tx_data *tdata);</span><br><span>diff --git a/res/res_pjsip.c b/res/res_pjsip.c</span><br><span>index ac0d070..93ac3ee 100644</span><br><span>--- a/res/res_pjsip.c</span><br><span>+++ b/res/res_pjsip.c</span><br><span>@@ -3833,8 +3833,6 @@</span><br><span> return pj_stristr(&method, message_method) ? PJ_TRUE : PJ_FALSE;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-/*! Maximum number of challenges before assuming that we are in a loop */</span><br><span style="color: hsl(0, 100%, 40%);">-#define MAX_RX_CHALLENGES 10</span><br><span> #define TIMER_INACTIVE 0</span><br><span> #define TIMEOUT_TIMER2 5</span><br><span> </span><br><span>diff --git a/res/res_pjsip_session.c b/res/res_pjsip_session.c</span><br><span>index c93be19..450bcbc 100644</span><br><span>--- a/res/res_pjsip_session.c</span><br><span>+++ b/res/res_pjsip_session.c</span><br><span>@@ -1210,7 +1210,6 @@</span><br><span> .on_rx_request = session_reinvite_on_rx_request,</span><br><span> };</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span> void ast_sip_session_send_request_with_cb(struct ast_sip_session *session, pjsip_tx_data *tdata,</span><br><span> ast_sip_session_response_cb on_response)</span><br><span> {</span><br><span>@@ -1508,12 +1507,17 @@</span><br><span> ao2_ref(session, -1);</span><br><span> return NULL;</span><br><span> }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Track the number of challenges received on outbound requests */</span><br><span style="color: hsl(120, 100%, 40%);">+ session->authentication_challenge_count = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> AST_LIST_TRAVERSE(&session->supplements, iter, next) {</span><br><span> if (iter->session_begin) {</span><br><span> iter->session_begin(session);</span><br><span> }</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /* Avoid unnecessary ref manipulation to return a session */</span><br><span> ret_session = session;</span><br><span> session = NULL;</span><br><span>@@ -1680,6 +1684,11 @@</span><br><span> </span><br><span> session = inv->mod_data[session_module.id];</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (++session->authentication_challenge_count > MAX_RX_CHALLENGES) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_debug(3, "%s: Initial INVITE reached maximum number of auth attempts.\n", ast_sip_session_get_name(session));</span><br><span style="color: hsl(120, 100%, 40%);">+ return PJ_FALSE;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> if (ast_sip_create_request_with_auth(&session->endpoint->outbound_auths, rdata, tsx,</span><br><span> &tdata)) {</span><br><span> return PJ_FALSE;</span><br><span>@@ -2882,6 +2891,7 @@</span><br><span> ast_debug(1, "reINVITE received final response code %d\n",</span><br><span> tsx->status_code);</span><br><span> if ((tsx->status_code == 401 || tsx->status_code == 407)</span><br><span style="color: hsl(120, 100%, 40%);">+ && ++session->authentication_challenge_count < MAX_RX_CHALLENGES</span><br><span> && !ast_sip_create_request_with_auth(</span><br><span> &session->endpoint->outbound_auths,</span><br><span> e->body.tsx_state.src.rdata, tsx, &tdata)) {</span><br><span>@@ -2976,6 +2986,7 @@</span><br><span> (int) pj_strlen(&tsx->method.name), pj_strbuf(&tsx->method.name),</span><br><span> tsx->status_code);</span><br><span> if ((tsx->status_code == 401 || tsx->status_code == 407)</span><br><span style="color: hsl(120, 100%, 40%);">+ && ++session->authentication_challenge_count < MAX_RX_CHALLENGES</span><br><span> && !ast_sip_create_request_with_auth(</span><br><span> &session->endpoint->outbound_auths,</span><br><span> e->body.tsx_state.src.rdata, tsx, &tdata)) {</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/15138">change 15138</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/15138"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 13 </div>
<div style="display:none"> Gerrit-Change-Id: I2d001ca745b00ca8aa12030f2240cd72363b46f7 </div>
<div style="display:none"> Gerrit-Change-Number: 15138 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>