diff --git a/libs/pjproject/Makefile b/libs/pjproject/Makefile
index 8df3c80..d132727 100644
--- a/libs/pjproject/Makefile
+++ b/libs/pjproject/Makefile
@@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=pjproject
 PKG_VERSION:=2.9
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_SOURCE:=pjproject-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://www.pjsip.org/release/$(PKG_VERSION)
diff --git a/libs/pjproject/patches/0040-ICE-Add-callback-for-finding-valid-pair.patch b/libs/pjproject/patches/0040-ICE-Add-callback-for-finding-valid-pair.patch
new file mode 100644
index 0000000..062e75e
--- /dev/null
+++ b/libs/pjproject/patches/0040-ICE-Add-callback-for-finding-valid-pair.patch
@@ -0,0 +1,84 @@
+From 8b8199180766e3eab6014feaa64ccaedcdc12816 Mon Sep 17 00:00:00 2001
+From: Ben Ford
+Date: Mon, 23 Dec 2019 11:11:13 -0600
+Subject: [PATCH] ICE: Add callback for finding valid pair.
+
+It's possible to start sending as soon as one valid pair is found during
+ICE negotiation. The reason we would want to do this is because it is
+possible for a delay to occur at the start of a call for up to 3 seconds
+until ICE negotiation has actually completed. More information can be
+found here:
+https://bugs.chromium.org/p/chromium/issues/detail?id=1024096
+
+This patch adds a callback once a valid pair is found that applications
+can use to start sending to avoid this scenario. Since only one valid
+pair is needed to start media, we only trigger the callback once.
+---
+ pjnath/include/pjnath/ice_session.h | 9 +++++++++
+ pjnath/src/pjnath/ice_session.c | 16 ++++++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/pjnath/include/pjnath/ice_session.h b/pjnath/include/pjnath/ice_session.h
+index 15f0d04..8971220 100644
+--- a/pjnath/include/pjnath/ice_session.h
++++ b/pjnath/include/pjnath/ice_session.h
+@@ -468,6 +468,14 @@ typedef struct pj_ice_sess_cb
+ {
+ /**
+ * An optional callback that will be called by the ICE session when
++ * a valid pair has been found during ICE negotiation.
++ *
++ * @param ice The ICE session.
++ */
++ void (*on_valid_pair)(pj_ice_sess *ice);
++
++ /**
++ * An optional callback that will be called by the ICE session when
+ * ICE negotiation has completed, successfully or with failure.
+ *
+ * @param ice The ICE session.
+@@ -625,6 +633,7 @@ struct pj_ice_sess
+ pj_bool_t is_nominating; /**< Nominating stage */
+ pj_bool_t is_complete; /**< Complete? */
+ pj_bool_t is_destroying; /**< Destroy is called */
++ pj_bool_t valid_pair_found; /**< First pair found */
+ pj_status_t ice_status; /**< Error status. */
+ pj_timer_entry timer; /**< ICE timer. */
+ pj_ice_sess_cb cb; /**< Callback.
*/
+diff --git a/pjnath/src/pjnath/ice_session.c b/pjnath/src/pjnath/ice_session.c
+index c51dba7..ed4138a 100644
+--- a/pjnath/src/pjnath/ice_session.c
++++ b/pjnath/src/pjnath/ice_session.c
+@@ -418,6 +418,8 @@ PJ_DEF(pj_status_t) pj_ice_sess_create(pj_stun_config *stun_cfg,
+
+ pj_list_init(&ice->early_check);
+
++ ice->valid_pair_found = PJ_FALSE;
++
+ /* Done */
+ *p_ice = ice;
+
+@@ -1348,6 +1350,20 @@ static pj_bool_t on_check_complete(pj_ice_sess *ice,
+ GET_CHECK_ID(&ice->clist, check),
+ (check->nominated ? " and nominated" : "")));
+
++ {
++ /* On the first valid pair, we call the callback, if present */
++ if (ice->valid_pair_found == PJ_FALSE) {
++ void (*on_valid_pair)(pj_ice_sess *ice);
++
++ ice->valid_pair_found = PJ_TRUE;
++ on_valid_pair = ice->cb.on_valid_pair;
++
++ if (on_valid_pair) {
++ (*on_valid_pair)(ice);
++ }
++ }
++ }
++
+ }
+
+ /* 8.2. Updating States
+--
+2.7.4
+
diff --git a/libs/pjproject/patches/0040-brackets-in-via-received-params.patch b/libs/pjproject/patches/0040-brackets-in-via-received-params.patch
new file mode 100644
index 0000000..bf96d3d
--- /dev/null
+++ b/libs/pjproject/patches/0040-brackets-in-via-received-params.patch
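Review bot: The doc comment added for `on_valid_pair` in ice_session.h does not say from where the callback runs, and the new block in on_check_complete() calls it synchronously and then continues into the "8.2. Updating States" step with the same `ice` pointer. If an application destroyed the session from inside the callback, the rest of on_check_complete() would presumably operate on freed state; whether a lock or reference is held at that point is not visible here. I would extend the comment with `* Called at most once per session, synchronously from connectivity-check processing; the callback must not destroy the ICE session.` Separately, the member is inserted ahead of the existing completion callback in `pj_ice_sess_cb`, which shifts the existing members, so anything built against the old header has to be rebuilt together with this patch. on_check_complete() starts and ends outside the hunk.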
@@ -0,0 +1,40 @@
+From 6324760c2fb0ffeb2e29c6c0a96a33906caa8d5f Mon Sep 17 00:00:00 2001
+From: Sean Bright
+Date: Thu, 16 Jan 2020 10:46:11 -0500
+Subject: [PATCH] sip_parser.c: Allow brackets in via parameters
+
+From RFC 5118 section 4.5:
+
+ While it would be beneficial if the same non-terminal
+ ("IPv6reference") was used for both the "sent-by" and "via-received"
+ production rules, there has not been a consensus in the working group
+ to that effect. Thus, the best that can be suggested is that
+ implementations must follow the Robustness Principle [RFC1122] and be
+ liberal in accepting a "received" parameter with or without the
+ delimiting "[" and "]" tokens. When sending a request,
+ implementations must not put the delimiting "[" and "]" tokens.
+---
+ pjsip/src/pjsip/sip_parser.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pjsip/src/pjsip/sip_parser.c b/pjsip/src/pjsip/sip_parser.c
+index e01e672fb..4f9c7fca4 100644
+--- a/pjsip/src/pjsip/sip_parser.c
++++ b/pjsip/src/pjsip/sip_parser.c
+@@ -384,11 +384,11 @@ static pj_status_t init_parser()
+
+ status = pj_cis_dup(&pconst.pjsip_VIA_PARAM_SPEC, &pconst.pjsip_TOKEN_SPEC);
+ PJ_ASSERT_RETURN(status == PJ_SUCCESS, status);
+- pj_cis_add_str(&pconst.pjsip_VIA_PARAM_SPEC, ":");
++ pj_cis_add_str(&pconst.pjsip_VIA_PARAM_SPEC, "[:]");
+
+ status = pj_cis_dup(&pconst.pjsip_VIA_PARAM_SPEC_ESC, &pconst.pjsip_TOKEN_SPEC_ESC);
+ PJ_ASSERT_RETURN(status == PJ_SUCCESS, status);
+- pj_cis_add_str(&pconst.pjsip_VIA_PARAM_SPEC_ESC, ":");
++ pj_cis_add_str(&pconst.pjsip_VIA_PARAM_SPEC_ESC, "[:]");
+
+ status = pj_cis_dup(&pconst.pjsip_HOST_SPEC, &pconst.pjsip_ALNUM_SPEC);
+ PJ_ASSERT_RETURN(status == PJ_SUCCESS, status);
+--
+2.20.1
+
diff --git a/net/asterisk-16.x/Makefile b/net/asterisk-16.x/Makefile
index 6c1d2cb..4b139eb 100644
--- a/net/asterisk-16.x/Makefile
+++ b/net/asterisk-16.x/Makefile
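Review bot: Adding `[` and `]` to `pjsip_VIA_PARAM_SPEC` and `pjsip_VIA_PARAM_SPEC_ESC` in init_parser() relaxes the accepted character set for every Via parameter value, not only `received`, and it accepts the brackets in any position, balanced or not. Via headers are untrusted network input, so any code that consumes `received` (or another Via parameter) as a bare address now has to strip and validate the value itself; that consumer code is not visible in this hunk and should be checked. A comment at the two call sites would record the intent, for example `/* RFC 5118 4.5: tolerate "[" "]" around an IPv6 "received" value; applies to all Via params, callers must validate */`. This file also shares the `0040-` prefix with the ICE callback patch added in the same commit, so the apply order of the two rests on filename sorting alone. init_parser() starts and ends outside the hunk.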
@@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
 AST_MAJOR_VERSION:=16
 PKG_NAME:=asterisk$(AST_MAJOR_VERSION)
-PKG_VERSION:=$(AST_MAJOR_VERSION).6.1
-PKG_RELEASE:=4
+PKG_VERSION:=$(AST_MAJOR_VERSION).10.0
+PKG_RELEASE:=1
 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://downloads.asterisk.org/pub/telephony/asterisk/releases
-PKG_HASH:=9a028b4e3e608c1b8325671a249183adc00e1b29a95d82cb5e6fb35980aef053
+PKG_HASH:=8733f137b4b4e01d90bb796fa41d992e656b4cf1c28d2d7e81863a6839975702
 PKG_BUILD_DIR:=$(BUILD_DIR)/asterisk-$(PKG_VERSION)
 PKG_BUILD_DEPENDS:=libxml2/host
@@ -334,7 +334,7 @@ endef
 define Package/$(PKG_NAME)/install/conffile
 $(INSTALL_DIR) $(1)/etc/asterisk
- $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/asterisk/$(2) $(1)/etc/asterisk/
+ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/asterisk/$(2) $(1)/etc/asterisk/
 endef
 define Package/$(PKG_NAME)/install/lib
@@ -354,7 +354,7 @@ endef
 define Package/$(PKG_NAME)/install/util-conffile
 $(INSTALL_DIR) $(1)/etc
- $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/asterisk/$(2) $(1)/etc
+ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/asterisk/$(2) $(1)/etc
 endef
 define Package/$(PKG_NAME)/config
@@ -496,9 +496,12 @@ $(call Package/$(PKG_NAME)/install/sbin,$(1),safe_asterisk)
 $(call Package/$(PKG_NAME)/install/sbin,$(1),astgenkey)
 $(foreach m,$(AST_CFG_FILES),$(call Package/$(PKG_NAME)/install/conffile,$(1),$(m));)
 $(foreach m,$(AST_EMB_MODULES),$(call Package/$(PKG_NAME)/install/module,$(1),$(m));)
- $(INSTALL_DIR) $(1)/usr/share/asterisk/sounds/
 $(INSTALL_DIR) $(1)/etc/config
 $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_DIR) $(1)/usr/share/asterisk/agi-bin
+ $(INSTALL_DIR) $(1)/usr/share/asterisk/firmware/iax
+ $(INSTALL_DIR) $(1)/usr/share/asterisk/keys
+ $(INSTALL_DIR) $(1)/usr/share/asterisk/sounds
 $(INSTALL_BIN) ./files/asterisk.init $(1)/etc/init.d/asterisk
 $(INSTALL_CONF) ./files/asterisk.conf $(1)/etc/config/asterisk
 endef
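Review bot: Switching `install/conffile` from `$(INSTALL_CONF)` to `$(INSTALL_DATA)` loosens the mode of every file shipped under /etc/asterisk; OpenWrt's rules.mk (not part of this diff) defines the former as `install -m0600` and the latter as `install -m0644`. Asterisk configuration files commonly carry SIP and manager credentials, so they become readable by every local account, and the `install/util-conffile` hunk right below has the same effect. The change is presumably needed because the init script in this commit no longer runs `chown -R` on /etc/asterisk, which would leave root-owned 0600 files unreadable for the `asterisk` user. A tighter option is to keep `$(INSTALL_CONF)` in both macros and retain a targeted `chown -R $NAME:$NAME /etc/$NAME` in the init script, or to hand the files to the service account in a postinst step.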
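Review bot: `$(INSTALL_DIR) $(1)/usr/share/asterisk/keys` in the last Makefile hunk creates the key directory at package time with the generic directory mode, whereas the awk block removed from asterisk.init in this commit created `keydir` with `chmod 750` and chowned it to the service user. Key files placed there later (astgenkey is installed a few lines above) are then protected only by their own file mode. If that is intended, a comment next to the line would record it, e.g. `# keys/ stays root-owned; private keys must be readable by the asterisk group only`; otherwise the directory should be restricted in a postinst step.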
@@ -920,7 +923,7 @@ $(eval $(call BuildAsteriskModule,odbc,ODBC,ODBC support.,+libpthread +libc +uni
 $(eval $(call BuildAsteriskModule,pbx-ael,Asterisk Extension Logic,Asterisk Extension Language compiler.,+$(PKG_NAME)-res-ael-share,extensions.ael,pbx_ael,,))
 $(eval $(call BuildAsteriskModule,pbx-dundi,Dundi,Distributed Universal Number Discovery.,,dundi.conf,pbx_dundi,,))
 $(eval $(call BuildAsteriskModule,pbx-loopback,Loopback switch,Loopback switch.,,,pbx_loopback,,))
-$(eval $(call BuildAsteriskModule,pbx-lua,Lua,Lua PBX switch.,+liblua5.3,extensions.lua,pbx_lua,,))
+$(eval $(call BuildAsteriskModule,pbx-lua,Lua,Lua PBX switch.,+liblua,extensions.lua,pbx_lua,,))
 $(eval $(call BuildAsteriskModule,pbx-realtime,Realtime Switch,Realtime switch.,,,pbx_realtime,,))
 $(eval $(call BuildAsteriskModule,pbx-spool,Call Spool,Outgoing spool support.,,,pbx_spool,,))
 $(eval $(call BuildAsteriskModule,pgsql,PostgreSQL,PostgreSQL support.,+libpq,cel_pgsql.conf cdr_pgsql.conf res_pgsql.conf,cel_pgsql cdr_pgsql res_config_pgsql,,))
diff --git a/net/asterisk-16.x/files/asterisk.conf b/net/asterisk-16.x/files/asterisk.conf
index 3c05e0a..f175df8 100644
--- a/net/asterisk-16.x/files/asterisk.conf
+++ b/net/asterisk-16.x/files/asterisk.conf
@@ -1,26 +1,16 @@
+# The init script will create below default directories automatically.
+# In case you change these paths in your Asterisk configuration, make
+# sure that your directories exist and have the appropriate permissions
+# (Asterisk will use the user "asterisk", not root).
+
+# dbdir => '/var/lib/asterisk/astdb'
+# logdir => '/var/log/asterisk'
+# rundir => '/var/run/asterisk'
+# spooldir => '/var/spool/asterisk'
+# varlibdir => '/var/lib/asterisk'
 config asterisk 'general'
 option enabled '0'
- # If you have problems running Asterisk as user "asterisk" we'd
- # like to hear from you. Please raise an issue at:
- # https://github.com/openwrt/telephony/issues
- option user 'asterisk'
- option group 'asterisk'
 option log_stderr '1'
 option log_stdout '1'
 option options ''
-
-config asterisk 'directories'
- # The init script will only create below directories and update
- # their permissions if they don't exist.
- # Note: To change the default paths you need to update your
- # "asterisk.conf" file.
- option agidir '/usr/share/asterisk/agi-bin'
- option datadir '/usr/share/asterisk'
- option dbdir '/var/lib/asterisk/astdb'
- option keydir '/usr/share/asterisk/keys'
- option logdir '/var/log/asterisk'
- option rundir '/var/run/asterisk'
- option spooldir '/var/spool/asterisk'
- option varlibdir '/var/lib/asterisk'
-
diff --git a/net/asterisk-16.x/files/asterisk.init b/net/asterisk-16.x/files/asterisk.init
index fd83948..256a3cf 100644
--- a/net/asterisk-16.x/files/asterisk.init
+++ b/net/asterisk-16.x/files/asterisk.init
@@ -13,25 +13,13 @@ COMMAND=/usr/sbin/$NAME
 LOGGER="/usr/bin/logger -p user.err -s -t $NAME --"
 start_service() {
- local enabled
- local user
- local group
-
- local log_stderr
- local log_stdout
-
- local agidir
- local cdrcsvdir
- local datadir
- local dbdir
- local keydir
- local logdir
- local rundir
- local spooldir
- local varlibdir
-
- local options
+ dbdir=/var/lib/asterisk/astdb
+ logdir=/var/log/asterisk
+ cdrcsvdir=$logdir/cdr-csv
+ rundir=/var/run/asterisk
+ spooldir=/var/spool/asterisk
+ varlibdir=/var/lib/asterisk
 config_load $NAME
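Review bot: The path variables added at the top of start_service() are assigned without `local`, and the removed block was, as far as this hunk shows, also where `enabled`, `log_stderr`, `log_stdout` and `options` were declared local, so all of them now leak into the global scope of the shell that sources the init script. Declaring them keeps the previous scoping, e.g. `local dbdir=/var/lib/asterisk/astdb` for each path and `local enabled log_stderr log_stdout options` before `config_load`. A one-line comment that these paths must match the defaults listed in /etc/config/asterisk would also help, since they are no longer configurable. start_service() continues outside the hunk.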
@@ -41,85 +29,30 @@ start_service() {
 exit 1
 fi
- config_get user general user $NAME
- config_get group general group $NAME
-
- user_exists "$user" || {
- $LOGGER user \""$user"\" does not exist
- exit 1
- }
- group_exists "$group" || {
- $LOGGER group \""$group"\" does not exist
- exit 1
- }
-
- if [ "$user" = $NAME ]; then
- if ! id -nG $NAME | grep -qwF dialout; then
- group_exists dialout && group_add_user dialout $NAME
- fi
- fi
-
 config_get_bool log_stderr general log_stderr 1
 config_get_bool log_stdout general log_stdout 1
- config_get agidir directories agidir /usr/share/$NAME/agi-bin
- config_get datadir directories datadir /usr/share/$NAME
- config_get dbdir directories dbdir /var/lib/$NAME/astdb
- config_get keydir directories keydir /usr/share/$NAME/keys
- config_get logdir directories logdir /var/log/$NAME
- config_get rundir directories rundir /var/run/$NAME
- config_get spooldir directories spooldir /var/spool/$NAME
- config_get varlibdir directories varlibdir /var/lib/$NAME
-
 config_get options general options
- cdrcsvdir="${logdir}/cdr-csv"
-
- # do not touch directories that already exist
- # posix shell does not support arrays, hence using awk
- awk \
- -v user="$user" \
- -v group="$group" \
- -v a="$agidir" \
- -v b="$cdrcsvdir" \
- -v c="$datadir" \
- -v d="$dbdir" \
- -v e="$keydir" \
- -v f="$logdir" \
- -v g="$rundir" \
- -v h="$spooldir" \
- -v i="$varlibdir" \
- '
- BEGIN {
- dir[0]=a
- dir[1]=b
- dir[2]=c
- dir[3]=d
- dir[4]=e
- dir[5]=f
- dir[6]=g
- dir[7]=h
- dir[8]=i
- for (x in dir) {
- if (system("test ! -e \"" dir[x] "\"" )) {
- delete dir[x]
- }
- }
- for (x in dir) {
- system("mkdir -p \"" dir[x] "\"" )
- system("chmod 750 \"" dir[x] "\"" )
- system("chown \"" user "\":\"" group "\" \"" dir[x] "\"" )
- }
- }
- '
-
- chown -R "$user":"$group" /etc/$NAME
+ for i in \
+ "$logdir" \
+ "$cdrcsvdir" \
+ "$rundir" \
+ "$spooldir" \
+ "$varlibdir" \
+ "$dbdir"
+ do
+ if !
[ -e "$i" ]; then
+ mkdir -m 0750 -p "$i"
+ [ -d "$i" ] && chown $NAME:$NAME "$i"
+ fi
+ done
 procd_open_instance
 procd_set_param command $COMMAND
 procd_append_param command \
- -G "$group" \
- -U "$user" \
+ -G "$NAME" \
+ -U "$NAME" \
 $options \
 -f
 # forward stderr to logd
@@ -127,5 +60,5 @@ start_service() {
 # same for stdout
 procd_set_param stdout $log_stdout
 procd_close_instance
-}
+}
diff --git a/net/asterisk-16.x/patches/001-disable-semaphores-on-uclibc-otherwise-allow.patch b/net/asterisk-16.x/patches/001-disable-semaphores-on-uclibc-otherwise-allow.patch
index c295cc6..e8c5a2b 100644
--- a/net/asterisk-16.x/patches/001-disable-semaphores-on-uclibc-otherwise-allow.patch
+++ b/net/asterisk-16.x/patches/001-disable-semaphores-on-uclibc-otherwise-allow.patch
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1033,15 +1033,18 @@ AC_LINK_IFELSE(
+@@ -1031,15 +1031,18 @@ AC_LINK_IFELSE(
 # Some platforms define sem_init(), but only support sem_open(). joyous.
 AC_MSG_CHECKING(for working unnamed semaphores)
diff --git a/net/asterisk-16.x/patches/002-configure-fix-detection-of-re-entrant-resolver-funct.patch b/net/asterisk-16.x/patches/002-configure-fix-detection-of-re-entrant-resolver-funct.patch
index c7b91e7..c9e2cae 100644
--- a/net/asterisk-16.x/patches/002-configure-fix-detection-of-re-entrant-resolver-funct.patch
+++ b/net/asterisk-16.x/patches/002-configure-fix-detection-of-re-entrant-resolver-funct.patch
@@ -18,7 +18,7 @@ Signed-off-by: Bernd Kuhls
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1427,7 +1427,11 @@ AC_LINK_IFELSE(
+@@ -1425,7 +1425,11 @@ AC_LINK_IFELSE(
 #include
 #endif
 #include ],
diff --git a/net/asterisk-16.x/patches/056-fix-check_expr2-build.patch b/net/asterisk-16.x/patches/056-fix-check_expr2-build.patch
deleted file mode 100644
index dca0193..0000000
--- a/net/asterisk-16.x/patches/056-fix-check_expr2-build.patch
+++ /dev/null
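Review bot: Failures in the new directory loop are silent: the result of `mkdir -m 0750 -p "$i"` is not checked and a failing `chown $NAME:$NAME "$i"` is ignored, while the `user_exists`/`group_exists` guards that used to abort with a log message are removed in the same hunk. If the `asterisk` account is missing or a directory cannot be created, the service is still started with `-U`/`-G` and a directory may stay root-owned; a path that already exists is accepted by the `-e` test whatever its type or owner. I would fail loudly instead, e.g. `mkdir -m 0750 -p "$i" && chown "$NAME:$NAME" "$i" || { $LOGGER cannot prepare "$i"; exit 1; }`. start_service() begins outside the hunk.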
@@ -1,19 +0,0 @@
---- a/utils/Makefile
-+++ b/utils/Makefile
-@@ -180,14 +180,13 @@ conf2ael: conf2ael.o ast_expr2f.o ast_ex
-
- check_expr2: $(ASTTOPDIR)/main/ast_expr2f.c $(ASTTOPDIR)/main/ast_expr2.c $(ASTTOPDIR)/main/ast_expr2.h astmm.o
- $(ECHO_PREFIX) echo " [CC] ast_expr2f.c -> ast_expr2fz.o"
-- $(CC) -g -c -I$(ASTTOPDIR)/include -DSTANDALONE $(ASTTOPDIR)/main/ast_expr2f.c -o ast_expr2fz.o
-+ $(CC) -g -c -I$(ASTTOPDIR)/include $(_ASTCFLAGS) $(ASTTOPDIR)/main/ast_expr2f.c -o ast_expr2fz.o
- $(ECHO_PREFIX) echo " [CC] ast_expr2.c -> ast_expr2z.o"
-- $(CC) -g -c -I$(ASTTOPDIR)/include -DSTANDALONE2 $(ASTTOPDIR)/main/ast_expr2.c -o ast_expr2z.o
-+ $(CC) -g -c -I$(ASTTOPDIR)/include $(_ASTCFLAGS) -DSTANDALONE2 $(ASTTOPDIR)/main/ast_expr2.c -o ast_expr2z.o
- $(ECHO_PREFIX) echo " [LD] ast_expr2fz.o ast_expr2z.o -> check_expr2"
- $(CC) -g -o check_expr2 ast_expr2fz.o ast_expr2z.o astmm.o -lm $(_ASTLDFLAGS)
- $(ECHO_PREFIX) echo " [RM] ast_expr2fz.o ast_expr2z.o"
- rm ast_expr2z.o ast_expr2fz.o
-- ./check_expr2 expr2.testinput
-
- smsq: smsq.o strcompat.o
- smsq: LIBS+=$(POPT_LIB)
diff --git a/net/asterisk-16.x/patches/100-build-reproducibly.patch b/net/asterisk-16.x/patches/100-build-reproducibly.patch
index e7116ff..736fd5d 100644
--- a/net/asterisk-16.x/patches/100-build-reproducibly.patch
+++ b/net/asterisk-16.x/patches/100-build-reproducibly.patch
@@ -17,7 +17,7 @@ * build.h
 --- a/Makefile
 +++ b/Makefile
-@@ -484,7 +484,7 @@ doc/core-en_US.xml: makeopts .lastclean
+@@ -488,7 +488,7 @@ doc/core-en_US.xml: makeopts .lastclean
 @echo "" >> $@
 @for x in $(MOD_SUBDIRS); do \
 printf "$$x " ; \
diff --git a/net/asterisk-16.x/patches/130-eventfd.patch b/net/asterisk-16.x/patches/130-eventfd.patch
index de4441b..7746715 100644
--- a/net/asterisk-16.x/patches/130-eventfd.patch
+++ b/net/asterisk-16.x/patches/130-eventfd.patch
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1206,7 +1206,7 @@ if test "${ac_cv_have_variable_fdset}x"
+@@ -1204,7 +1204,7 @@ if test "${ac_cv_have_variable_fdset}x"
 fi
 AC_MSG_CHECKING([if we have usable eventfd support])
diff --git a/net/asterisk-16.x/patches/140-use-default-lua.patch b/net/asterisk-16.x/patches/140-use-default-lua.patch
new file mode 100644
index 0000000..c2ea912
--- /dev/null
+++ b/net/asterisk-16.x/patches/140-use-default-lua.patch
@@ -0,0 +1,15 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -2556,7 +2556,11 @@ if test -z "$__opus_include" -o x"$__opu
+ fi
+ AST_EXT_LIB_CHECK([OPUSFILE], [opusfile], [op_open_callbacks], [opus/opusfile.h], [], [$__opus_include])
+
+-for ver in 5.3 5.2 5.1; do
++# This does not work for us. We have both liblua and liblua5.3 in
++# $(STAGING_DIR)/usr. But the headers for liblua5.3 are in
++# (STAGING_DIR)/usr/include/lua5.3. Using the below, Asterisk would
++# use the headers from liblua and link against liblua5.3 :/
++for ver in ; do
+ AST_EXT_LIB_CHECK([LUA], lua${ver}, [luaL_newstate], lua${ver}/lua.h, [-lm])
+ if test "x${PBX_LUA}" = "x1" ; then
+ if test x"${LUA_DIR}" = x; then
diff --git a/net/asterisk-16.x/patches/AST-2019-006-16.diff b/net/asterisk-16.x/patches/AST-2019-006-16.diff
deleted file mode 100644
index 1f589b2..0000000
--- a/net/asterisk-16.x/patches/AST-2019-006-16.diff
+++ /dev/null
@@ -1,73 +0,0 @@
-From 8cdaa93e658a46e7baf6b606468b5e2c88a0133b Mon Sep 17 00:00:00 2001
-From: Ben Ford
-Date: Mon, 21 Oct 2019 14:55:06 -0500
-Subject: [PATCH] chan_sip.c: Prevent address change on unauthenticated SIP request.
-
-If the name of a peer is known and a SIP request is sent using that
-peer's name, the address of the peer will change even if the request
-fails the authentication challenge. This means that an endpoint can
-be altered and even rendered unusuable, even if it was in a working
-state previously. This can only occur when the nat option is set to the
-default, or auto_force_rport.
-
-This change checks the result of authentication first to ensure it is
-successful before setting the address and the nat option.
-
-ASTERISK-28589 #close
-
-Change-Id: I581c5ed1da60ca89f590bd70872de2b660de02df
----
-
-diff --git a/channels/chan_sip.c b/channels/chan_sip.c
-index 6ac2e61..4d79a47 100644
---- a/channels/chan_sip.c
-+++ b/channels/chan_sip.c
-@@ -19245,18 +19245,6 @@
- bogus_peer = NULL;
- }
-
-- /* build_peer, called through sip_find_peer, is not able to check the
-- * sip_pvt->natdetected flag in order to determine if the peer is behind
-- * NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
-- * are set on the peer. So we check for that here and set the peer's
-- * address accordingly.
-- */
-- set_peer_nat(p, peer);
--
-- if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
-- ast_sockaddr_copy(&peer->addr, &p->recv);
-- }
--
- if (!ast_apply_acl(peer->acl, addr, "SIP Peer ACL: ")) {
- ast_debug(2, "Found peer '%s' for '%s', but fails host access\n", peer->name, of);
- sip_unref_peer(peer, "sip_unref_peer: check_peer_ok: from sip_find_peer call, early return of AUTH_ACL_FAILED");
-@@ -19325,6 +19313,21 @@
- ast_string_field_set(p, peermd5secret, NULL);
- }
- if (!(res = check_auth(p, req, peer->name, p->peersecret, p->peermd5secret, sipmethod, uri2, reliable))) {
-+
-+ /* build_peer, called through sip_find_peer, is not able to check the
-+ * sip_pvt->natdetected flag in order to determine if the peer is behind
-+ * NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
-+ * are set on the peer. So we check for that here and set the peer's
-+ * address accordingly. The address should ONLY be set once we are sure
-+ * authentication was a success. If, for example, an INVITE was sent that
-+ * matched the peer name but failed the authentication check, the address
-+ * would be updated, which is bad.
-+ */
-+ set_peer_nat(p, peer);
-+ if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
-+ ast_sockaddr_copy(&peer->addr, &p->recv);
-+ }
-+
- /* If we have a call limit, set flag */
- if (peer->call_limit)
- ast_set_flag(&p->flags[0], SIP_CALL_LIMIT);
-@@ -19424,6 +19427,7 @@
- }
- }
- sip_unref_peer(peer, "check_peer_ok: sip_unref_peer: tossing temp ptr to peer from sip_find_peer");
-+
- return res;
- }
-
diff --git a/net/asterisk-16.x/patches/AST-2019-007-16.diff b/net/asterisk-16.x/patches/AST-2019-007-16.diff
deleted file mode 100644
index 0f187c1..0000000
--- a/net/asterisk-16.x/patches/AST-2019-007-16.diff
+++ /dev/null
@@ -1,46 +0,0 @@
-From 7574be5110e049a44b8c8ead52cd1c2a5d442afa Mon Sep 17 00:00:00 2001
-From: George Joseph
-Date: Thu, 24 Oct 2019 11:41:23 -0600
-Subject: [PATCH] manager.c: Prevent the Originate action from running the Originate app
-
-If an AMI user without the "system" authorization calls the
-Originate AMI command with the Originate application,
-the second Originate could run the "System" command.
-
-Action: Originate
-Channel: Local/1111
-Application: Originate
-Data: Local/2222,app,System,touch /tmp/owned
-
-If the "system" authorization isn't set, we now block the
-Originate app as well as the System, Exec, etc. apps.
-
-ASTERISK-28580
-Reported by: Eliel SardaƱons
-
-Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa
----
-
-diff --git a/doc/UPGRADE-staging/AMI-Originate.txt b/doc/UPGRADE-staging/AMI-Originate.txt
-new file mode 100644
-index 0000000..f2d3133
---- /dev/null
-+++ b/doc/UPGRADE-staging/AMI-Originate.txt
-@@ -0,0 +1,5 @@
-+Subject: AMI
-+
-+The AMI Originate action, which optionally takes a dialplan application as
-+an argument, no longer accepts "Originate" as the application due to
-+security concerns.
-diff --git a/main/manager.c b/main/manager.c
-index f138801..1963151 100644
---- a/main/manager.c
-+++ b/main/manager.c
-@@ -5744,6 +5744,7 @@
- EAGI(/bin/rm,-rf /) */
- strcasestr(app, "mixmonitor") || /* MixMonitor(blah,,rm -rf) */
- strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf) */
-+ strcasestr(app, "originate") || /* Originate(Local/1234,app,System,rm -rf) */
- (strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */
- (strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
- )) {