From: <abe...@us...> - 2016-02-15 15:54:29
Revision: 7532 http://sourceforge.net/p/astlinux/code/7532 Author: abelbeck Date: 2016-02-15 15:54:26 +0000 (Mon, 15 Feb 2016) Log Message: ----------- asterisk, no functional change, use the 1.8 patches against the latest release rather than the 1.8.28 release, though not mentioned in the PDF, use these patches: http://downloads.asterisk.org/pub/security/AST-2016-001-1.8.diff http://downloads.asterisk.org/pub/security/AST-2016-002-1.8.diff http://downloads.asterisk.org/pub/security/AST-2016-003-1.8.diff Added Paths: ----------- branches/1.0/package/asterisk/asterisk-1.8-AST-2016-001-1.8.patch branches/1.0/package/asterisk/asterisk-1.8-AST-2016-002-1.8.patch branches/1.0/package/asterisk/asterisk-1.8-AST-2016-003-1.8.patch Removed Paths: ------------- branches/1.0/package/asterisk/asterisk-1.8-AST-2016-001-1.8.28.patch branches/1.0/package/asterisk/asterisk-1.8-AST-2016-002-1.8.28.patch branches/1.0/package/asterisk/asterisk-1.8-AST-2016-003-1.8.28.patch
Deleted: branches/1.0/package/asterisk/asterisk-1.8-AST-2016-001-1.8.28.patch
===================================================================
--- branches/1.0/package/asterisk/asterisk-1.8-AST-2016-001-1.8.28.patch 2016-02-13 22:58:22 UTC (rev 7531)
+++ branches/1.0/package/asterisk/asterisk-1.8-AST-2016-001-1.8.28.patch 2016-02-15 15:54:26 UTC (rev 7532)
@@ -1,140 +0,0 @@
-diff --git a/configs/http.conf.sample b/configs/http.conf.sample
-index 1a7f4fd..9a06fcf 100644
---- a/configs/http.conf.sample
-+++ b/configs/http.conf.sample
-@@ -67,10 +67,31 @@ bindaddr=127.0.0.1
- ; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
- ; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
- ;
-+;
- ; To produce a certificate you can e.g. use openssl. This places both the cert and
- ; private in same .pem file.
- ; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
- ;
-+; tlscipher= ; The list of allowed ciphers
-+; ; if none are specified the following cipher
-+; ; list will be used instead:
-+; ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
-+; ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:
-+; kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
-+; ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
-+; ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
-+; DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
-+; AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:
-+; AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:
-+; !EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
-+;
-+; tlsdisablev1=yes ; Disable TLSv1 support - if not set this defaults to "yes"
-+; tlsdisablev11=yes ; Disable TLSv1.1 support - if not set this defaults to "no"
-+; tlsdisablev12=yes ; Disable TLSv1.2 support - if not set this defaults to "no"
-+;
-+; tlsservercipherorder=yes ; Use the server preference order instead of the client order
-+; ; Defaults to "yes"
-+;
- ; The post_mappings section maps URLs to real paths on the filesystem. If a
- ; POST is done from within an authenticated manager session to one of the
- ; configured POST mappings, then any files in the POST will be placed in the
-diff --git a/include/asterisk/tcptls.h b/include/asterisk/tcptls.h
-index f3f5e1f..eb7166f 100644
---- a/include/asterisk/tcptls.h
-+++ b/include/asterisk/tcptls.h
-@@ -79,7 +79,15 @@ enum ast_ssl_flags {
- /*! Use SSLv3 for outgoing client connections */
- AST_SSL_SSLV3_CLIENT = (1 << 4),
- /*! Use TLSv1 for outgoing client connections */
-- AST_SSL_TLSV1_CLIENT = (1 << 5)
-+ AST_SSL_TLSV1_CLIENT = (1 << 5),
-+ /*! Use server cipher order instead of the client order */
-+ AST_SSL_SERVER_CIPHER_ORDER = (1 << 6),
-+ /*! Disable TLSv1 support */
-+ AST_SSL_DISABLE_TLSV1 = (1 << 7),
-+ /*! Disable TLSv1.1 support */
-+ AST_SSL_DISABLE_TLSV11 = (1 << 8),
-+ /*! Disable TLSv1.2 support */
-+ AST_SSL_DISABLE_TLSV12 = (1 << 9),
- };
- 
- struct ast_tls_config {
-diff --git a/main/http.c b/main/http.c
-index 9bebbe7..4bfa985 100644
---- a/main/http.c
-+++ b/main/http.c
-@@ -1118,10 +1118,13 @@ static int __ast_http_load(int reload)
- }
- http_tls_cfg.pvtfile = ast_strdup("");
- 
-+ /* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */
-+ ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER);
-+
- if (http_tls_cfg.cipher) {
- ast_free(http_tls_cfg.cipher);
- }
-- http_tls_cfg.cipher = ast_strdup("");
-+ http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA");
- 
- AST_RWLIST_WRLOCK(&uri_redirects);
- while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) {
-@@ -1146,8 +1149,6 @@ static int __ast_http_load(int reload)
- && strcasecmp(v->name, "tlsdontverifyserver")
- && strcasecmp(v->name, "tlsclientmethod")
- && strcasecmp(v->name, "sslclientmethod")
-- && strcasecmp(v->name, "tlscipher")
-- && strcasecmp(v->name, "sslcipher")
- && !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
- continue;
- }
-diff --git a/main/tcptls.c b/main/tcptls.c
-index 6f918ce..0f27e45 100644
---- a/main/tcptls.c
-+++ b/main/tcptls.c
-@@ -749,6 +749,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
- return 0;
- #else
- int disable_ssl = 0;
-+ long ssl_opts = 0;
- 
- if (!cfg->enabled)
- return 0;
-@@ -793,11 +794,24 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
- * them. SSLv23_*_method supports TLSv1+.
- */
- if (disable_ssl) {
-- long ssl_opts;
-+ ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
-+ }
-+
-+ if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) {
-+ ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
-+ }
- 
-- ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
-- SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
-+ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) {
-+ ssl_opts |= SSL_OP_NO_TLSv1;
- }
-+ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) {
-+ ssl_opts |= SSL_OP_NO_TLSv1_1;
-+ }
-+ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) {
-+ ssl_opts |= SSL_OP_NO_TLSv1_2;
-+ }
-+
-+ SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
- 
- SSL_CTX_set_verify(cfg->ssl_ctx,
- ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
-@@ -1109,6 +1123,14 @@ int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_
- ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
- ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
- }
-+ } else if (!strcasecmp(varname, "tlsservercipherorder")) {
-+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER);
-+ } else if (!strcasecmp(varname, "tlsdisablev1")) {
-+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1);
-+ } else if (!strcasecmp(varname, "tlsdisablev11")) {
-+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11);
-+ } else if (!strcasecmp(varname, "tlsdisablev12")) {
-+ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12);
- } else {
- return -1;
- }
Added: branches/1.0/package/asterisk/asterisk-1.8-AST-2016-001-1.8.patch
===================================================================
--- branches/1.0/package/asterisk/asterisk-1.8-AST-2016-001-1.8.patch (rev 0)
+++ branches/1.0/package/asterisk/asterisk-1.8-AST-2016-001-1.8.patch 2016-02-15 15:54:26 UTC (rev 7532)
@@ -0,0 +1,140 @@
+diff --git a/configs/http.conf.sample b/configs/http.conf.sample
+index 1a7f4fd..9a06fcf 100644
+--- a/configs/http.conf.sample
++++ b/configs/http.conf.sample
+@@ -67,10 +67,31 @@ bindaddr=127.0.0.1
+ ; If no path is given for tlscertfile or tlsprivatekey, default is to look in current
+ ; directory. If no tlsprivatekey is given, default is to search tlscertfile for private key.
+ ;
++;
+ ; To produce a certificate you can e.g. use openssl. This places both the cert and
+ ; private in same .pem file.
+ ; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
+ ;
++; tlscipher= ; The list of allowed ciphers
++; ; if none are specified the following cipher
++; ; list will be used instead:
++; ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
++; ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:
++; kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
++; ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
++; ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
++; DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
++; AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:
++; AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:
++; !EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
++;
++; tlsdisablev1=yes ; Disable TLSv1 support - if not set this defaults to "yes"
++; tlsdisablev11=yes ; Disable TLSv1.1 support - if not set this defaults to "no"
++; tlsdisablev12=yes ; Disable TLSv1.2 support - if not set this defaults to "no"
++;
++; tlsservercipherorder=yes ; Use the server preference order instead of the client order
++; ; Defaults to "yes"
++;
+ ; The post_mappings section maps URLs to real paths on the filesystem. If a
+ ; POST is done from within an authenticated manager session to one of the
+ ; configured POST mappings, then any files in the POST will be placed in the
+diff --git a/include/asterisk/tcptls.h b/include/asterisk/tcptls.h
+index f3f5e1f..eb7166f 100644
+--- a/include/asterisk/tcptls.h
++++ b/include/asterisk/tcptls.h
+@@ -79,7 +79,15 @@ enum ast_ssl_flags {
+ /*! Use SSLv3 for outgoing client connections */
+ AST_SSL_SSLV3_CLIENT = (1 << 4),
+ /*! Use TLSv1 for outgoing client connections */
+- AST_SSL_TLSV1_CLIENT = (1 << 5)
++ AST_SSL_TLSV1_CLIENT = (1 << 5),
++ /*! Use server cipher order instead of the client order */
++ AST_SSL_SERVER_CIPHER_ORDER = (1 << 6),
++ /*! Disable TLSv1 support */
++ AST_SSL_DISABLE_TLSV1 = (1 << 7),
++ /*! Disable TLSv1.1 support */
++ AST_SSL_DISABLE_TLSV11 = (1 << 8),
++ /*! Disable TLSv1.2 support */
++ AST_SSL_DISABLE_TLSV12 = (1 << 9),
+ };
+ 
+ struct ast_tls_config {
+diff --git a/main/http.c b/main/http.c
+index 9bebbe7..4bfa985 100644
+--- a/main/http.c
++++ b/main/http.c
+@@ -1118,10 +1118,13 @@ static int __ast_http_load(int reload)
+ }
+ http_tls_cfg.pvtfile = ast_strdup("");
+ 
++ /* Apply modern intermediate settings according to the Mozilla OpSec team as of July 30th, 2015 but disable TLSv1 */
++ ast_set_flag(&http_tls_cfg.flags, AST_SSL_DISABLE_TLSV1 | AST_SSL_SERVER_CIPHER_ORDER);
++
+ if (http_tls_cfg.cipher) {
+ ast_free(http_tls_cfg.cipher);
+ }
+- http_tls_cfg.cipher = ast_strdup("");
++ http_tls_cfg.cipher = ast_strdup("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA");
+ 
+ AST_RWLIST_WRLOCK(&uri_redirects);
+ while ((redirect = AST_RWLIST_REMOVE_HEAD(&uri_redirects, entry))) {
+@@ -1146,8 +1149,6 @@ static int __ast_http_load(int reload)
+ && strcasecmp(v->name, "tlsdontverifyserver")
+ && strcasecmp(v->name, "tlsclientmethod")
+ && strcasecmp(v->name, "sslclientmethod")
+- && strcasecmp(v->name, "tlscipher")
+- && strcasecmp(v->name, "sslcipher")
+ && !ast_tls_read_conf(&http_tls_cfg, &https_desc, v->name, v->value)) {
+ continue;
+ }
+diff --git a/main/tcptls.c b/main/tcptls.c
+index a5a2af6..f73c2aa 100644
+--- a/main/tcptls.c
++++ b/main/tcptls.c
+@@ -749,6 +749,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
+ return 0;
+ #else
+ int disable_ssl = 0;
++ long ssl_opts = 0;
+ 
+ if (!cfg->enabled)
+ return 0;
+@@ -793,11 +794,24 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
+ * them. SSLv23_*_method supports TLSv1+.
+ */
+ if (disable_ssl) {
+- long ssl_opts;
++ ssl_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
++ }
++
++ if (ast_test_flag(&cfg->flags, AST_SSL_SERVER_CIPHER_ORDER)) {
++ ssl_opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
++ }
+ 
+- ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+- SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
++ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV1)) {
++ ssl_opts |= SSL_OP_NO_TLSv1;
+ }
++ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV11)) {
++ ssl_opts |= SSL_OP_NO_TLSv1_1;
++ }
++ if (ast_test_flag(&cfg->flags, AST_SSL_DISABLE_TLSV12)) {
++ ssl_opts |= SSL_OP_NO_TLSv1_2;
++ }
++
++ SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
+ 
+ SSL_CTX_set_verify(cfg->ssl_ctx,
+ ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
+@@ -1109,6 +1123,14 @@ int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_
+ ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
+ ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
+ }
++ } else if (!strcasecmp(varname, "tlsservercipherorder")) {
++ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_SERVER_CIPHER_ORDER);
++ } else if (!strcasecmp(varname, "tlsdisablev1")) {
++ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV1);
++ } else if (!strcasecmp(varname, "tlsdisablev11")) {
++ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV11);
++ } else if (!strcasecmp(varname, "tlsdisablev12")) {
++ ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DISABLE_TLSV12);
+ } else {
+ return -1;
+ }
Deleted: branches/1.0/package/asterisk/asterisk-1.8-AST-2016-002-1.8.28.patch
===================================================================
--- branches/1.0/package/asterisk/asterisk-1.8-AST-2016-002-1.8.28.patch 2016-02-13 22:58:22 UTC (rev 7531)
+++ branches/1.0/package/asterisk/asterisk-1.8-AST-2016-002-1.8.28.patch 2016-02-15 15:54:26 UTC (rev 7532)
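Review bot: In asterisk-1.8-AST-2016-001-1.8.patch, the main/tcptls.c hunk in `__ssl_setup` uses `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` without a guard; these options were introduced with OpenSSL 1.0.1, so the patched file would fail to compile against an older library. Wrapping each of those two `if` blocks in `#ifdef SSL_OP_NO_TLSv1_1` and `#ifdef SSL_OP_NO_TLSv1_2` keeps the build working there. Related: main/http.c now sets `AST_SSL_DISABLE_TLSV1` by default, and no visible line rejects a configuration in which tlsdisablev1, tlsdisablev11 and tlsdisablev12 are all on, which would leave the HTTPS listener with no TLS version to negotiate; a logged warning for that combination would surface the misconfiguration. `__ssl_setup` starts and ends outside the hunk, so a check elsewhere cannot be ruled out.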
@@ -1,18 +0,0 @@
-diff --git a/channels/chan_sip.c b/channels/chan_sip.c
-index 16e3e53..86c52e9 100644
---- a/channels/chan_sip.c
-+++ b/channels/chan_sip.c
-@@ -3771,6 +3771,13 @@ static int retrans_pkt(const void *data)
- }
- 
- /* For non-invites, a maximum of 4 secs */
-+ if (INT_MAX / pkt->timer_a < pkt->timer_t1) {
-+ /*
-+ * Uh Oh, we will have an integer overflow.
-+ * Recalculate previous timeout time instead.
-+ */
-+ pkt->timer_a = pkt->timer_a / 2;
-+ }
- siptimer_a = pkt->timer_t1 * pkt->timer_a; /* Double each time */
- if (pkt->method != SIP_INVITE && siptimer_a > 4000) {
- siptimer_a = 4000;
Added: branches/1.0/package/asterisk/asterisk-1.8-AST-2016-002-1.8.patch
===================================================================
--- branches/1.0/package/asterisk/asterisk-1.8-AST-2016-002-1.8.patch (rev 0)
+++ branches/1.0/package/asterisk/asterisk-1.8-AST-2016-002-1.8.patch 2016-02-15 15:54:26 UTC (rev 7532)
@@ -0,0 +1,18 @@
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 5de304a..277eec7 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -3771,6 +3771,13 @@ static int retrans_pkt(const void *data)
+ }
+ 
+ /* For non-invites, a maximum of 4 secs */
++ if (INT_MAX / pkt->timer_a < pkt->timer_t1) {
++ /*
++ * Uh Oh, we will have an integer overflow.
++ * Recalculate previous timeout time instead.
++ */
++ pkt->timer_a = pkt->timer_a / 2;
++ }
+ siptimer_a = pkt->timer_t1 * pkt->timer_a; /* Double each time */
+ if (pkt->method != SIP_INVITE && siptimer_a > 4000) {
+ siptimer_a = 4000;
Deleted: branches/1.0/package/asterisk/asterisk-1.8-AST-2016-003-1.8.28.patch
===================================================================
--- branches/1.0/package/asterisk/asterisk-1.8-AST-2016-003-1.8.28.patch 2016-02-13 22:58:22 UTC (rev 7531)
+++ branches/1.0/package/asterisk/asterisk-1.8-AST-2016-003-1.8.28.patch 2016-02-15 15:54:26 UTC (rev 7532)
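Review bot: In asterisk-1.8-AST-2016-002-1.8.patch, the added guard `INT_MAX / pkt->timer_a < pkt->timer_t1` divides by `pkt->timer_a` and is only meaningful when both timers are positive, yet nothing in the hunk establishes that. `retrans_pkt` starts outside the hunk, so the lines above presumably give timer_a a non-zero value; either state that invariant in the comment or make it explicit with `if (pkt->timer_a > 0 && INT_MAX / pkt->timer_a < pkt->timer_t1) {`. The guard covers only the multiplication on the following line, so if timer_a is doubled before this point, as the `Double each time` comment suggests, that step needs its own bound.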
@@ -1,28 +0,0 @@
-diff --git a/main/udptl.c b/main/udptl.c
-index 8885d7a..136dcb6 100644
---- a/main/udptl.c
-+++ b/main/udptl.c
-@@ -231,16 +231,15 @@ static int decode_open_type(uint8_t *buf, unsigned int limit, unsigned int *len,
- if (decode_length(buf, limit, len, &octet_cnt) != 0)
- return -1;
- 
-- if (octet_cnt > 0) {
-- /* Make sure the buffer contains at least the number of bits requested */
-- if ((*len + octet_cnt) > limit)
-- return -1;
--
-- *p_num_octets = octet_cnt;
-- *p_object = &buf[*len];
-- *len += octet_cnt;
-+ /* Make sure the buffer contains at least the number of bits requested */
-+ if ((*len + octet_cnt) > limit) {
-+ return -1;
- }
- 
-+ *p_num_octets = octet_cnt;
-+ *p_object = &buf[*len];
-+ *len += octet_cnt;
-+
- return 0;
- }
- /*- End of function --------------------------------------------------------*/
Added: branches/1.0/package/asterisk/asterisk-1.8-AST-2016-003-1.8.patch
===================================================================
--- branches/1.0/package/asterisk/asterisk-1.8-AST-2016-003-1.8.patch (rev 0)
+++ branches/1.0/package/asterisk/asterisk-1.8-AST-2016-003-1.8.patch 2016-02-15 15:54:26 UTC (rev 7532)
@@ -0,0 +1,28 @@
+diff --git a/main/udptl.c b/main/udptl.c
+index a8244e8..6960487 100644
+--- a/main/udptl.c
++++ b/main/udptl.c
+@@ -231,16 +231,15 @@ static int decode_open_type(uint8_t *buf, unsigned int limit, unsigned int *len,
+ if (decode_length(buf, limit, len, &octet_cnt) != 0)
+ return -1;
+ 
+- if (octet_cnt > 0) {
+- /* Make sure the buffer contains at least the number of bits requested */
+- if ((*len + octet_cnt) > limit)
+- return -1;
+-
+- *p_num_octets = octet_cnt;
+- *p_object = &buf[*len];
+- *len += octet_cnt;
++ /* Make sure the buffer contains at least the number of bits requested */
++ if ((*len + octet_cnt) > limit) {
++ return -1;
+ }
+ 
++ *p_num_octets = octet_cnt;
++ *p_object = &buf[*len];
++ *len += octet_cnt;
++
+ return 0;
+ }
+ /*- End of function --------------------------------------------------------*/
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
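Review bot: In asterisk-1.8-AST-2016-003-1.8.patch, the bounds check `(*len + octet_cnt) > limit` in decode_open_type adds the two values before comparing, and since `*len` is `unsigned int` a sum that wraps would pass the check. Writing it as `if (*len > limit || octet_cnt > limit - *len) {` removes the dependence on decode_length keeping octet_cnt small; octet_cnt's declaration is outside the hunk, so its type should be confirmed. With the `octet_cnt > 0` condition gone, a zero-length field now yields `*p_object = &buf[*len]`, which can point one past the data when `*len == limit`, so callers have to test `*p_num_octets` before reading through it. The comment above the check says "bits" although the values compared are octet counts.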