Milliwatt is vulnerable to a remotely exploitable stack overrun when using
the 'o' option. This occurs due to the milliwatt_generate function not
accounting for AST_FRIENDLY_OFFSET when calculating the maximum number of
samples it can put in the output buffer.
This patch resolves this issue by taking into account AST_FRIENDLY_OFFSET
when determining the maximum number of samples allowed. Note that at no
point is remote code execution possible. The data that is written into the
buffer is the pre-defined Milliwatt data, and not custom data.
(closes issue ASTERISK-19541)
Reported by: Russell Bryant
Tested by: Matt Jordan
Patches:
milliwatt_stack_overrun.rev1.txt by Russell Bryant (license 6283)
Note that this patch was written by Russell, even though Matt uploaded it
........
Merged revisions 359645 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
........
Merged revisions 359656 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 359694 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@359704 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch adds unit tests for main/jitterbuf.c. This includes checking for
the following:
* Nominal insertion and retrieval of frames
* Insertion and retrieval of frames where the frames are inserted out of
order with respect to the previous frame
* Insertion and retrieval of frames where some number of frames that would
occur in the expected sequence are instead dropped
* Insertion and retrieval of frames with an arrival time that does not occur
at the same rate as the surrounding frames
* Resynchronization of the jitter buffer when an inserted frame breaks the
resynchronization threshold
* Overfilling of the jitter buffer
For each of the tests, both JB_TYPE_VOICE and JB_TYPE_CONTROL permutations
exist.
Review: https://reviewboard.asterisk.org/r/1815
(issue: ASTERISK-18964)
Reported by: Kris Shaw
Tested by: Kris Shaw, Matt Jordan
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@359406 65c4cc65-6c06-0410-ace0-fbb531ad65f3
When a change in time occurs, such that the timestamps associated with frames
being placed into an adaptive jitter buffer (implemented in jitterbuf.c)
are significantly different then the previously inserted frames, the jitter
buffer checks to see if it needs to be resynched to the new time frame. If
three consecutive packets break the threshold, the jitter buffer resynchs
itself to the new timestamps. This currently only occurs when history is
calculated, and hence only on JB_TYPE_VOICE frames.
JB_TYPE_CONTROL frames, on the other hand, are never passed to the history
calculations. Because of this, if the jump in time is greater then the
maximum allowed length of the jitter buffer, the JB_TYPE_CONTROL frames are
dropped and no resynchronization occurs. Alterntively, if the overfill
logic is not triggered, the JB_TYPE_CONTROL frame will be placed into the
buffer, but with a time reference that is not applicable. Subsequent
JB_TYPE_VOICE frames will quickly trigger the overflow logic until reads
from the jitter buffer reach the errant JB_TYPE_CONTROL frame.
This patch allows JB_TYPE_CONTROL frames to resynch the jitter buffer. As
JB_TYPE_CONTROL frames are unlikely to occur in multiples, it perform the
resynchronization on any JB_TYPE_CONTROL frame that breaks the resynch
threshold.
Note that this only impacts chan_iax2, as other consumers of the adaptive
jitter buffer use the abstract jitter buffer API, which does not use
JB_TYPE_CONTROL frames.
Review: https://reviewboard.asterisk.org/r/1814/
(closes issue ASTERISK-18964)
Reported by: Kris Shaw
Tested by: Kris Shaw, Matt Jordan
Patches:
jitterbuffer-2012-2-26.diff uploaded by Kris Shaw (license 5722)
........
Merged revisions 359356 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 359358 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@359359 65c4cc65-6c06-0410-ace0-fbb531ad65f3
When connected line support was added, the wait_for_answer() variable
single changed its meaning slightly. Unfortunately, the places where
single was used did not necessarily get updated to reflect that change.
Also audio/video frames were sent to all forked calls when the endpoints
were never made compatible.
* Don't pass audio/video media frames when the channels have not been made
compatible.
* Added handling of AST_CONTROL_SRCCHANGE to app_dial.c.
* Fixed app_dial.c passing on AST_CONTROL_HOLD because that frame can also
pass a requested MOH class.
(closes issue ASTERISK-16901)
Reported by: Chris Gentle
(closes issue ASTERISK-17541)
Reported by: clint
Review: https://reviewboard.asterisk.org/r/1805/
........
Merged revisions 359344 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 359355 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@359357 65c4cc65-6c06-0410-ace0-fbb531ad65f3
In r357272, astobj2 was changed to automatically enable REF_DEBUG when the
TEST_FRAMEWORK flag was enabled. Unfortunately, some compilers (gcc 4.5.1
at least) will attempt to inline ao2_iterator_destroy in handle_astobj2_test.
This by itself is not a problem; unfortunately, the compiler believes that
there is a code path wherein an object allocated on the stack will be
free'd. As warnings are treated as errors, this prevents compilation of
astobj2.
This patch works around that by adding the noinline attribue to
ao2_iterator_destroy, but only if the TEST_FRAMEWORK flag is enabled.
Preventing inlining is only needed for the test method defined in astobj2,
which is also only enabled if TEST_FRAMEWORK is enabled.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@359306 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This patch updates the NUMLOGLEVELS define in logger.h to 32, to match the fact
that logger.c implements 32 log levels (because of the custom log level stuff).
asterisk.c uses this define to size an array of levels per remote console.
This array is modified in ast_console_toggle_loglevel(), which is called by the
"logger set level" CLI command. While the documentation for the CLI command
doesn't make it terribly obvious, you can use this CLI command to toggle a
custom log level on a remote console, as well. However, doing so led to an
invalid array index in asterisk.c.
This array is read from any time a log message is written to a console. So,
all custom log level messages resulted in a bogus read if a remote console
was connected.
........
Merged revisions 359259 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 359260 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@359261 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Added new chan_dahdi.conf colp_send option parameter to block connected
line updates per span.
(closes issue ASTERISK-17025)
Reported by: Michael Smith
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@358997 65c4cc65-6c06-0410-ace0-fbb531ad65f3
The set_format() function was more subtle in how it modified the
struct ast_channel readtrans/writetrans values.
* Fixed ast_activate_generator() conversion correctly.
(closes issue ASTERISK-19434)
Reported by: Birger Harzenetter
Tested by: rmudgett
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@358861 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This change restores functionality that was present in 1.4, when AEL macros
were implemented with the Macro dialplan application. Macros are fraught with
functionality issues, because they consume a large portion of the underlying
application stack. This limits the ability of AEL users to call many layers
of subroutines, an issue which Gosub does not have (originally tested to
100,000 levels deep). Therefore, starting in 1.6.0, AEL macros were
implemented with Gosub.
However, there were some implicit behaviors of Macro, which were not replicated
at the same time as with the transition to Gosub, one of which is documented in
the related issue. In particular, the "h" extension is designed to execute not
in the Macro context, but in the topmost calling context. Due to legacy issues
with a misapplied bugfix many years ago, when a macro exited in 1.4, it looks
in all calling contexts, bubbling up from the deepest level until it finds an
"h" extension.
Since AEL hides the complexity of the underlying dialplan logic from the AEL
programmer, it's reasonable to assume that this behavior should not change in
the transition from Asterisk 1.4 LTS to Asterisk 1.8 LTS, lest we break
working AEL configurations in the transition to Asterisk 1.8 LTS. This fix
is the result, which implements a search for the "h" extension in all calling
Gosub contexts.
Fixes ASTERISK-19336
Patch: 20120308__ael_bugfix_for_trunk__2.diff (License #5003) by Tilghman Lesher
(with slight modifications for 1.8)
Tested by: Johan Wilfer
Review: https://reviewboard.asterisk.org/r/1776/
........
Merged revisions 358810 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 358811 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@358812 65c4cc65-6c06-0410-ace0-fbb531ad65f3
* Added ability to use multiple lines on phone, so for one device in configuration multiple lines can be defined, it allows to have multiple calls on one phone, callwaiting and switching between calls.
* Added ability for translation on-screen menu to multiple languages. Tested on Russian languages. Supported encodings: ISO 8859-1, ISO 8859-2, ISO 8859-4, ISO 8859-5, ISO 2022-JP. Language controlled by 'language' and on-screen menu of phone
* Other described in CHANGES file
Testing done by issue tracker users: ibercom, scsiborg, idarwin, TeknoJuce, c0rnoTa.
Tested on production system by Jonn Taylor (jonnt) using phone models: Nortel i2004, 1120E and 1140E.
(closes issue ASTERISK-16890)
Review: https://reviewboard.asterisk.org/r/1243/
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@358766 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Passing -Wshadow to gcc enables shadow warnings. From the gcc manual:
Warn whenever a local variable or type declaration shadows another
variable, parameter, type, or class member (in C++), or whenever a
built-in function is shadowed.
Asterisk will not currently compile with this option set, but a number of bugs
have been discovered by enabling this flag on specific files. The long-term
goal is to eliminate all of the suspect code that causes this warning to be
emitted.
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@358622 65c4cc65-6c06-0410-ace0-fbb531ad65f3
For analog lines, enables Asterisk to use dialtone detection per channel
if an incoming call was hung up before it was answered. If dialtone is
detected, the call is hung up.
no: Disabled. (Default)
yes: Look for dialtone for 10000 ms after answer.
<number>: Look for dialtone for the specified number of ms after answer.
always: Look for dialtone for the entire call. Dialtone may return
if the far end hangs up first.
dialtone_detect=yes
dialtone_detect=5000
dialtone_detect=always
(closes issue ASTERISK-19316)
Reported by: Jeremy Pepper
Patch by: Jeremy Pepper
Tested by: rmudgett,Jeremy Pepper
Review: https://reviewboard.asterisk.org/r/1737/
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@358344 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Matthew Jordan
Paul Belanger
Richard Mudgett
Russell Bryant
Terry Wilson
Tilghman Lesher
Igor Goncharovskiy
Joshua Colp
Sean Bright
Jonathan Rose