Merged revisions 132713 via svnmerge from
authorTilghman Lesher <tilghman@meg.abyt.es>
Tue, 22 Jul 2008 21:53:40 +0000 (21:53 +0000)
committerTilghman Lesher <tilghman@meg.abyt.es>
Tue, 22 Jul 2008 21:53:40 +0000 (21:53 +0000)
https://origsvn.digium.com/svn/asterisk/branches/1.4

................
r132713 | tilghman | 2008-07-22 16:19:39 -0500 (Tue, 22 Jul 2008) | 10 lines

Merged revisions 132711 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.2

........
r132711 | tilghman | 2008-07-22 16:14:10 -0500 (Tue, 22 Jul 2008) | 2 lines

Fixes for AST-2008-010 and AST-2008-011

........

................

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@132778 65c4cc65-6c06-0410-ace0-fbb531ad65f3

channels/chan_iax2.c
configs/iax.conf.sample

index 7cb507d..294e10b 100644 (file)
@@ -276,6 +276,7 @@ enum iax2_flags {
        IAX_DELAYPBXSTART =     (1 << 25),      /*!< Don't start a PBX on the channel until the peer sends us a
                                                     response, so that we've achieved a three-way handshake with
                                                     them before sending voice or anything else*/
        IAX_DELAYPBXSTART =     (1 << 25),      /*!< Don't start a PBX on the channel until the peer sends us a
                                                     response, so that we've achieved a three-way handshake with
                                                     them before sending voice or anything else*/
+       IAX_ALLOWFWDOWNLOAD = (1 << 26),        /*!< Allow the FWDOWNL command? */
 };
 
 static int global_rtautoclear = 120;
 };
 
 static int global_rtautoclear = 120;
@@ -1727,10 +1728,10 @@ static int __find_callno(unsigned short callno, unsigned short dcallno, struct s
                        snprintf(host, sizeof(host), "%s:%d", ast_inet_ntoa(sin->sin_addr), ntohs(sin->sin_port));
 
                now = ast_tvnow();
                        snprintf(host, sizeof(host), "%s:%d", ast_inet_ntoa(sin->sin_addr), ntohs(sin->sin_port));
 
                now = ast_tvnow();
-               start = 1 + (ast_random() % (TRUNK_CALL_START - 1));
+               start = 2 + (ast_random() % (TRUNK_CALL_START - 1));
                for (x = start; 1; x++) {
                        if (x == TRUNK_CALL_START) {
                for (x = start; 1; x++) {
                        if (x == TRUNK_CALL_START) {
-                               x = 0;
+                               x = 1;
                                continue;
                        }
 
                                continue;
                        }
 
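Review bot: The new draw `start = 2 + (ast_random() % (TRUNK_CALL_START - 1))` keeps the old modulus, so it can return TRUNK_CALL_START itself. The wrap branch catches that value and restarts at 2, which makes call number 2 twice as likely as any other starting point. `start = 2 + (ast_random() % (TRUNK_CALL_START - 2));` keeps the draw uniform over 2..TRUNK_CALL_START-1. The hunk also gives no reason for skipping 1; a comment such as `/* callno 1 is reserved for the stateless POKE/PONG reply in socket_process() */` would stop a later edit from handing it out again. The loop body and its exit condition continue outside the hunk.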
@@ -3483,6 +3484,15 @@ struct parsed_dial_string {
        char *options;
 };
 
        char *options;
 };
 
+static int send_apathetic_reply(unsigned short callno, unsigned short dcallno, struct sockaddr_in *sin, int command, int ts, unsigned char seqno)
+{
+       struct ast_iax2_full_hdr f = { .scallno = htons(0x8000 | callno), .dcallno = htons(dcallno),
+               .ts = htonl(ts), .iseqno = seqno, .oseqno = seqno, .type = AST_FRAME_IAX,
+               .csub = compress_subclass(command) };
+
+       return sendto(defaultsockfd, &f, sizeof(f), 0, (struct sockaddr *)sin, sizeof(*sin));
+}
+
 /*!
  * \brief Parses an IAX dial string into its component parts.
  * \param data the string to be parsed
 /*!
  * \brief Parses an IAX dial string into its component parts.
  * \param data the string to be parsed
@@ -7995,6 +8005,17 @@ static int socket_process(struct iax2_thread *thread)
                } else {
                        f.subclass = uncompress_subclass(fh->csub);
                }
                } else {
                        f.subclass = uncompress_subclass(fh->csub);
                }
+
+               /* Deal with POKE/PONG without allocating a callno */
+               if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_POKE) {
+                       /* Reply back with a PONG, but don't care about the result. */
+                       send_apathetic_reply(1, ntohs(fh->scallno), &sin, IAX_COMMAND_PONG, ntohs(fh->ts), fh->oseqno);
+                       return 1;
+               } else if (f.frametype == AST_FRAME_IAX && f.subclass == IAX_COMMAND_ACK && dcallno == 1) {
+                       /* Ignore */
+                       return 1;
+               }
+
                if ((f.frametype == AST_FRAME_IAX) && ((f.subclass == IAX_COMMAND_NEW) || (f.subclass == IAX_COMMAND_REGREQ) ||
                                                       (f.subclass == IAX_COMMAND_POKE) || (f.subclass == IAX_COMMAND_FWDOWNL) ||
                                                       (f.subclass == IAX_COMMAND_REGREL)))
                if ((f.frametype == AST_FRAME_IAX) && ((f.subclass == IAX_COMMAND_NEW) || (f.subclass == IAX_COMMAND_REGREQ) ||
                                                       (f.subclass == IAX_COMMAND_POKE) || (f.subclass == IAX_COMMAND_FWDOWNL) ||
                                                       (f.subclass == IAX_COMMAND_REGREL)))
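Review bot: The timestamp passed to the reply is converted with `ntohs(fh->ts)`, but send_apathetic_reply() writes it back with `htonl(ts)`, so the header field appears to be 32 bits wide. In that case the 16-bit conversion truncates it and the PONG will not echo the POKE's timestamp. The call should read `send_apathetic_reply(1, ntohs(fh->scallno), &sin, IAX_COMMAND_PONG, ntohl(fh->ts), fh->oseqno);`. Because the new branch returns early for every POKE, the `(f.subclass == IAX_COMMAND_POKE)` term in the condition that follows is now dead and can be dropped. socket_process starts and ends outside the hunk.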
@@ -9382,6 +9403,10 @@ retryowner2:
                                break;
                        case IAX_COMMAND_FWDOWNL:
                                /* Firmware download */
                                break;
                        case IAX_COMMAND_FWDOWNL:
                                /* Firmware download */
+                               if (!ast_test_flag(&globalflags, IAX_ALLOWFWDOWNLOAD)) {
+                                       send_command_final(iaxs[fr->callno], AST_FRAME_IAX, IAX_COMMAND_UNSUPPORT, 0, NULL, 0, -1);
+                                       break;
+                               }
                                memset(&ied0, 0, sizeof(ied0));
                                res = iax_firmware_append(&ied0, (unsigned char *)ies.devicetype, ies.fwdesc);
                                if (res < 0)
                                memset(&ied0, 0, sizeof(ied0));
                                res = iax_firmware_append(&ied0, (unsigned char *)ies.devicetype, ies.fwdesc);
                                if (res < 0)
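Review bot: The refusal at the top of `case IAX_COMMAND_FWDOWNL:` runs only after the frame has been matched to a call. The new-call test earlier in socket_process still lists IAX_COMMAND_FWDOWNL, so a request from an unverified source appears to still allocate a call number and draw an UNSUPPORT reply even when downloads are off. Rejecting it before the call-number lookup, as the POKE path now does, would keep the disabled case stateless. The check also carries no explanation; I would add `/* Off by default: firmware is served to any peer that asks and can be abused for traffic amplification, see allowfwdownload in iax.conf */` above it. The switch continues outside the hunk.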
@@ -11029,6 +11054,8 @@ static int set_config(char *config_file, int reload)
                        ast_set2_flag((&globalflags), ast_true(v->value), IAX_FORCEJITTERBUF);  
                else if (!strcasecmp(v->name, "delayreject"))
                        delayreject = ast_true(v->value);
                        ast_set2_flag((&globalflags), ast_true(v->value), IAX_FORCEJITTERBUF);  
                else if (!strcasecmp(v->name, "delayreject"))
                        delayreject = ast_true(v->value);
+               else if (!strcasecmp(v->name, "allowfwdownload"))
+                       ast_set2_flag((&globalflags), ast_true(v->value), IAX_ALLOWFWDOWNLOAD);
                else if (!strcasecmp(v->name, "rtcachefriends"))
                        ast_set2_flag((&globalflags), ast_true(v->value), IAX_RTCACHEFRIENDS);  
                else if (!strcasecmp(v->name, "rtignoreregexpire"))
                else if (!strcasecmp(v->name, "rtcachefriends"))
                        ast_set2_flag((&globalflags), ast_true(v->value), IAX_RTCACHEFRIENDS);  
                else if (!strcasecmp(v->name, "rtignoreregexpire"))
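Review bot: The `allowfwdownload` branch only touches the flag when the option is present in the file. Whether deleting the line and reloading turns firmware download back off therefore depends on set_config clearing IAX_ALLOWFWDOWNLOAD before the variable loop, which this hunk does not show. If it is not cleared there, add `ast_clear_flag((&globalflags), IAX_ALLOWFWDOWNLOAD);` ahead of the loop so the option fails closed on reload. The if/else chain starts and ends outside the hunk.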
index 1059400..97faa2b 100644 (file)
@@ -264,6 +264,16 @@ autokill=yes
 ; The default value is 'host'
 ;
 ;codecpriority=host
 ; The default value is 'host'
 ;
 ;codecpriority=host
+;
+; allowfwdownload controls whether this host will serve out firmware to
+; IAX clients which request it.  This has only been used for the IAXy,
+; and it has been recently proven that this firmware distribution method
+; can be used as a source of traffic amplification attacks.  Also, the
+; IAXy firmware has not been updated for at least 18 months, so unless
+; you are provisioning IAXys in a secure network, we recommend that you
+; leave this option to the default, off.
+;
+;allowfwdownload=yes
 
 ;rtcachefriends=yes    ; Cache realtime friends by adding them to the internal list
                        ; just like friends added from the config file only on a
 
 ;rtcachefriends=yes    ; Cache realtime friends by adding them to the internal list
                        ; just like friends added from the config file only on a