[Git][pkg-voip-team/asterisk][debian/latest] 5 commits: New upstream version 20.0.1~dfsg+~cs6.12.40431414

Jonas Smedegaard (@js) gitlab at salsa.debian.org
Thu Dec 8 09:59:55 GMT 2022



Jonas Smedegaard pushed to branch debian/latest at Debian VoIP Packaging Team / asterisk


Commits:
70e3c181 by Jonas Smedegaard at 2022-12-08T09:28:55+01:00
New upstream version 20.0.1~dfsg+~cs6.12.40431414
- - - - -
869a5e40 by Jonas Smedegaard at 2022-12-08T09:29:46+01:00
Update upstream source from tag 'upstream/20.0.1_dfsg+_cs6.12.40431414'

Update to upstream version '20.0.1~dfsg+~cs6.12.40431414'
with Debian dir fcc8b556effb9b9123a3b5d906534931cb12fd40
- - - - -
8a6ca248 by Jonas Smedegaard at 2022-12-08T09:54:01+01:00
fix build module chan_sip; closes: bug#1024443, thanks to James Bottomley

- - - - -
9f7fb5b4 by Jonas Smedegaard at 2022-12-08T10:50:04+01:00
add NEWS entry about new AMI live_dangerously option

- - - - -
27e31283 by Jonas Smedegaard at 2022-12-08T10:51:05+01:00
prepare for release: update changelog and copyright hints

- - - - -


22 changed files:

- .version
- ChangeLog
- UPGRADE.txt
- addons/ooh323c/src/ooq931.c
- − asterisk-20.0.0-summary.html
- − asterisk-20.0.0-summary.txt
- + asterisk-20.0.1-summary.html
- + asterisk-20.0.1-summary.txt
- configs/samples/asterisk.conf.sample
- debian/NEWS
- debian/changelog
- debian/copyright_hints
- debian/rules
- include/asterisk/manager.h
- include/asterisk/res_pjsip.h
- main/manager.c
- main/options.c
- res/res_pjsip/pjsip_transport_events.c
- res/res_pjsip_outbound_registration.c
- res/res_pjsip_pubsub.c
- + third-party/pjproject/patches/0200-potential-buffer-overflow-in-pjlib-scanner-and-pjmedia.patch
- + third-party/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch


Changes:

=====================================
.version
=====================================
@@ -1 +1 @@
-20.0.0
\ No newline at end of file
+20.0.1
\ No newline at end of file


=====================================
ChangeLog
=====================================
@@ -1,3 +1,90 @@
+2022-12-01 20:08 +0000  Asterisk Development Team <asteriskteam at digium.com>
+
+	* asterisk 20.0.1 Released.
+
+2022-12-01 13:49 +0000 [cdc655b2a6]  Asterisk Development Team <asteriskteam at digium.com>
+
+	* Update CHANGES and UPGRADE.txt for 20.0.1
+2022-11-29 14:02 +0000 [702f400e3e]  Ben Ford <bford at digium.com>
+
+	* pjproject: 2.13 security fixes
+
+	  Backports two security fixes (c4d3498 and 450baca) from pjproject 2.13.
+
+	  ASTERISK-30338
+
+	  Change-Id: I86fdc003d5d22cb66e7cc6dc3313a8194f27eb69
+
+2022-10-10 09:35 +0000 [ed45a9182d]  George Joseph <gjoseph at digium.com>
+
+	* pjsip_transport_events: Fix possible use after free on transport
+
+	  It was possible for a module that registered for transport monitor
+	  events to pass in a pjsip_transport that had already been freed.
+	  This caused pjsip_transport_events to crash when looking up the
+	  monitor for the transport.  The fix is a two pronged approach.
+
+	  1. We now increment the reference count on pjsip_transports when we
+	  create monitors for them, then decrement the count when the
+	  transport is going to be destroyed.
+
+	  2. There are now APIs to register and unregister monitor callbacks
+	  by "transport key" which is a string concatenation of the remote ip
+	  address and port.  This way the module needing to monitor the
+	  transport doesn't have to hold on to the transport object itself to
+	  unregister.  It just has to save the transport_key.
+
+	  * Added the pjsip_transport reference increment and decrement.
+
+	  * Changed the internal transport monitor container key from the
+	    transport->obj_name (which may not be unique anyway) to the
+	    transport_key.
+
+	  * Added a helper macro AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR() that
+	    fills a buffer with the transport_key using a passed-in
+	    pjsip_transport.
+
+	  * Added the following functions:
+	    ast_sip_transport_monitor_register_key
+	    ast_sip_transport_monitor_register_replace_key
+	    ast_sip_transport_monitor_unregister_key
+	    and marked their non-key counterparts as deprecated.
+
+	  * Updated res_pjsip_pubsub and res_pjsip_outbound_register to use
+	    the new "key" monitor functions.
+
+	  NOTE: res_pjsip_registrar also uses the transport monitor
+	  functionality but doesn't have a persistent object other than
+	  contact to store a transport key.  At this time, it continues to
+	  use the non-key monitor functions.
+
+	  ASTERISK-30244
+
+	  Change-Id: I1a20baf2a8643c272dcf819871d6c395f148f00b
+
+2022-10-03 13:54 +0000 [0f44cd885a]  Mike Bradeen <mbradeen at sangoma.com>
+
+	* manager: prevent file access outside of config dir
+
+	  Add live_dangerously flag to manager and use this flag to
+	  determine if a configuation file outside of AST_CONFIG_DIR
+	  should be read.
+
+	  ASTERISK-30176
+
+	  Change-Id: I46b26af4047433b49ae5c8a85cb8cda806a07404
+
+2022-06-06 18:11 +0000 [d420314ffd]  Mike Bradeen <mbradeen at sangoma.com>
+
+	* ooh323c: not checking for IE minimum length
+
+	  When decoding q.931 encoded calling/called number
+	  now checking for length being less than minimum required.
+
+	  ASTERISK-30103
+
+	  Change-Id: I3dcfce0f35eca258dc450f87c92d4d7af402c2e7
+
 2022-10-19 14:31 +0000  Asterisk Development Team <asteriskteam at digium.com>
 
 	* asterisk 20.0.0 Released.


=====================================
UPGRADE.txt
=====================================
@@ -18,6 +18,19 @@
 ===
 ===========================================================
 
+------------------------------------------------------------------------------
+--- Functionality changes from Asterisk 20.0.0 to Asterisk 20.0.1 ------------
+------------------------------------------------------------------------------
+
+AMI (Asterisk Manager Interface)
+------------------
+ * Previously, GetConfig and UpdateConfig were able to access files outside of
+   the Asterisk configuration directory. Now this access is put behind the
+   live_dangerously configuration option in asterisk.conf, which is disabled by
+   default. If access to configuration files outside of the Asterisk configuation
+   directory is required via AMI, then the live_dangerously configuration option
+   must be set to yes.
+
 ------------------------------------------------------------------------------
 --- Functionality changes from Asterisk 19.0.0 to Asterisk 20.0.0 ------------
 ------------------------------------------------------------------------------


=====================================
addons/ooh323c/src/ooq931.c
=====================================
@@ -192,11 +192,13 @@ EXTERN int ooQ931Decode
          screening indicators ;-) */
       if(ie->discriminator == Q931CallingPartyNumberIE)
       {
+         int numoffset=1;
          OOTRACEDBGB1("   CallingPartyNumber IE = {\n");
-         if(ie->length < OO_MAX_NUMBER_LENGTH)
+         if(!(0x80 & ie->data[0])) numoffset = 2;
+
+         if( (ie->length >= numoffset) &&
+             (ie->length < OO_MAX_NUMBER_LENGTH) )
          {
-            int numoffset=1;
-            if(!(0x80 & ie->data[0])) numoffset = 2;
             memcpy(number, ie->data+numoffset,ie->length-numoffset);
             number[ie->length-numoffset]='\0';
             OOTRACEDBGB2("      %s\n", number);
@@ -204,7 +206,7 @@ EXTERN int ooQ931Decode
                ooCallSetCallingPartyNumber(call, number);
          }
          else{
-            OOTRACEERR3("Error:Calling party number too long. (%s, %s)\n",
+            OOTRACEERR3("Error:Calling party number outside range. (%s, %s)\n",
                            call->callType, call->callToken);
          }
          OOTRACEDBGB1("   }\n");
@@ -214,7 +216,8 @@ EXTERN int ooQ931Decode
       if(ie->discriminator == Q931CalledPartyNumberIE)
       {
          OOTRACEDBGB1("   CalledPartyNumber IE = {\n");
-         if(ie->length < OO_MAX_NUMBER_LENGTH)
+         if( (ie->length >= 1) &&
+             (ie->length < OO_MAX_NUMBER_LENGTH) )
          {
             memcpy(number, ie->data+1,ie->length-1);
             number[ie->length-1]='\0';
@@ -223,7 +226,7 @@ EXTERN int ooQ931Decode
                ooCallSetCalledPartyNumber(call, number);
          }
          else{
-            OOTRACEERR3("Error:Calling party number too long. (%s, %s)\n",
+            OOTRACEERR3("Error:Calling party number outside range. (%s, %s)\n",
                            call->callType, call->callToken);
          }
          OOTRACEDBGB1("   }\n");


=====================================
asterisk-20.0.0-summary.html deleted
=====================================
The diff for this file was not included because it is too large.

=====================================
asterisk-20.0.0-summary.txt deleted
=====================================
The diff for this file was not included because it is too large.

=====================================
asterisk-20.0.1-summary.html
=====================================
@@ -0,0 +1,34 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><title>Release Summary - asterisk-20.0.1</title><h1 align="center"><a name="top">Release Summary</a></h1><h3 align="center">asterisk-20.0.1</h3><h3 align="center">Date: 2022-12-01</h3><h3 align="center"><asteriskteam at digium.com></h3><hr><h2 align="center">Table of Contents</h2><ol>
+<li><a href="#summary">Summary</a></li>
+<li><a href="#contributors">Contributors</a></li>
+<li><a href="#closed_issues">Closed Issues</a></li>
+<li><a href="#commits">Other Changes</a></li>
+<li><a href="#diffstat">Diffstat</a></li>
+</ol><hr><a name="summary"><h2 align="center">Summary</h2></a><center><a href="#top">[Back to Top]</a></center><p>This release has been made to address one or more security vulnerabilities that have been identified. A security advisory document has been published for each vulnerability that includes additional information. Users of versions of Asterisk that are affected are strongly encouraged to review the advisories and determine what action they should take to protect their systems from these issues.</p><p>Security Advisories:</p><ul>
+<li><a href="http://downloads.asterisk.org/pub/security/AST-2022-007,AST-2022-008,AST-2022-009.html">AST-2022-007,AST-2022-008,AST-2022-009</a></li>
+</ul><p>The data in this summary reflects changes that have been made since the previous release, asterisk-20.0.0.</p><hr><a name="contributors"><h2 align="center">Contributors</h2></a><center><a href="#top">[Back to Top]</a></center><p>This table lists the people who have submitted code, those that have tested patches, as well as those that reported issues on the issue tracker that were resolved in this release. For coders, the number is how many of their patches (of any size) were committed into this release. For testers, the number is the number of times their name was listed as assisting with testing a patch. Finally, for reporters, the number is the number of issues that they reported that were affected by commits that went into this release.</p><table width="100%" border="0">
+<tr><th width="33%">Coders</th><th width="33%">Testers</th><th width="33%">Reporters</th></tr>
+<tr valign="top"><td width="33%">2 Mike Bradeen <mbradeen at sangoma.com><br/>1 Asterisk Development Team <asteriskteam at digium.com><br/>1 George Joseph <gjoseph at digium.com><br/>1 Ben Ford <bford at digium.com><br/></td><td width="33%"><td width="33%">1 shawty <shawty.d.ds at googlemail.com><br/>1 nappsoft <infos at nappsoft.ch><br/>1 Benjamin Keith Ford <bford at digium.com><br/>1 Michael Bradeen <mbradeen at sangoma.com><br/></td></tr>
+</table><hr><a name="closed_issues"><h2 align="center">Closed Issues</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all issues from the issue tracker that were closed by changes that went into this release.</p><h3>Security</h3><h4>Category: Addons/chan_ooh323</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-30103">ASTERISK-30103</a>: chan_ooh323 Vulnerability in calling/called party IE<br/>Reported by: Michael Bradeen<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=d420314ffdba7cb143b98a8cc501719e915dc4f7">[d420314ffd]</a> Mike Bradeen -- ooh323c: not checking for IE minimum length</li>
+</ul><br><h4>Category: Core/ManagerInterface</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-30176">ASTERISK-30176</a>: manager: GetConfig can read files outside of Asterisk<br/>Reported by: shawty<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=0f44cd885a3723774f63a25048057a8bd7acd94b">[0f44cd885a]</a> Mike Bradeen -- manager: prevent file access outside of config dir</li>
+</ul><br><h4>Category: pjproject/pjsip</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-30338">ASTERISK-30338</a>: pjproject: Backport security fixes from 2.13<br/>Reported by: Benjamin Keith Ford<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=702f400e3e2ae2e301d3399906e246487b2f517f">[702f400e3e]</a> Ben Ford -- pjproject: 2.13 security fixes</li>
+</ul><br><h3>Bug</h3><h4>Category: Resources/res_pjsip_pubsub</h4><a href="https://issues.asterisk.org/jira/browse/ASTERISK-30244">ASTERISK-30244</a>: res_pjsip_pubsub: Occasional crash when TCP/TLS connection terminated and subscription persistence is removed<br/>Reported by: nappsoft<ul>
+<li><a href="https://code.asterisk.org/code/changelog/asterisk?cs=ed45a9182d17b27fb78546da4ef392210f19464c">[ed45a9182d]</a> George Joseph -- pjsip_transport_events: Fix possible use after free on transport</li>
+</ul><br><hr><a name="commits"><h2 align="center">Commits Not Associated with an Issue</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a list of all changes that went into this release that did not reference a JIRA issue.</p><table width="100%" border="1">
+<tr><th>Revision</th><th>Author</th><th>Summary</th></tr>
+<tr><td><a href="https://code.asterisk.org/code/changelog/asterisk?cs=cdc655b2a6804aedc279d5fd0a5e2317a3c146a9">cdc655b2a6</a></td><td>Asterisk Development Team</td><td>Update CHANGES and UPGRADE.txt for 20.0.1</td></tr>
+</table><hr><a name="diffstat"><h2 align="center">Diffstat Results</h2></a><center><a href="#top">[Back to Top]</a></center><p>This is a summary of the changes to the source code that went into this release that was generated using the diffstat utility.</p><pre>UPGRADE.txt                                                                                     |   13
+addons/ooh323c/src/ooq931.c                                                                     |   15
+configs/samples/asterisk.conf.sample                                                            |   11
+include/asterisk/manager.h                                                                      |   12
+include/asterisk/res_pjsip.h                                                                    |   83 ++
+main/manager.c                                                                                  |   42 +
+main/options.c                                                                                  |    1
+res/res_pjsip/pjsip_transport_events.c                                                          |  214 ++++++-
+res/res_pjsip_outbound_registration.c                                                           |   28
+res/res_pjsip_pubsub.c                                                                          |   25
+third-party/pjproject/patches/0200-potential-buffer-overflow-in-pjlib-scanner-and-pjmedia.patch |  289 ++++++++++
+11 files changed, 680 insertions(+), 53 deletions(-)</pre><br></html>
\ No newline at end of file


=====================================
asterisk-20.0.1-summary.txt
=====================================
@@ -0,0 +1,137 @@
+                                Release Summary
+
+                                asterisk-20.0.1
+
+                                Date: 2022-12-01
+
+                           <asteriskteam at digium.com>
+
+     ----------------------------------------------------------------------
+
+                               Table of Contents
+
+    1. Summary
+    2. Contributors
+    3. Closed Issues
+    4. Other Changes
+    5. Diffstat
+
+     ----------------------------------------------------------------------
+
+                                    Summary
+
+                                 [Back to Top]
+
+   This release has been made to address one or more security vulnerabilities
+   that have been identified. A security advisory document has been published
+   for each vulnerability that includes additional information. Users of
+   versions of Asterisk that are affected are strongly encouraged to review
+   the advisories and determine what action they should take to protect their
+   systems from these issues.
+
+   Security Advisories:
+
+     * AST-2022-007,AST-2022-008,AST-2022-009
+
+   The data in this summary reflects changes that have been made since the
+   previous release, asterisk-20.0.0.
+
+     ----------------------------------------------------------------------
+
+                                  Contributors
+
+                                 [Back to Top]
+
+   This table lists the people who have submitted code, those that have
+   tested patches, as well as those that reported issues on the issue tracker
+   that were resolved in this release. For coders, the number is how many of
+   their patches (of any size) were committed into this release. For testers,
+   the number is the number of times their name was listed as assisting with
+   testing a patch. Finally, for reporters, the number is the number of
+   issues that they reported that were affected by commits that went into
+   this release.
+
+   Coders                      Testers               Reporters                
+   2 Mike Bradeen                                    1 shawty                 
+   1 Asterisk Development Team                       1 nappsoft               
+   1 George Joseph                                   1 Benjamin Keith Ford    
+   1 Ben Ford                                        1 Michael Bradeen        
+
+     ----------------------------------------------------------------------
+
+                                 Closed Issues
+
+                                 [Back to Top]
+
+   This is a list of all issues from the issue tracker that were closed by
+   changes that went into this release.
+
+  Security
+
+    Category: Addons/chan_ooh323
+
+   ASTERISK-30103: chan_ooh323 Vulnerability in calling/called party IE
+   Reported by: Michael Bradeen
+     * [d420314ffd] Mike Bradeen -- ooh323c: not checking for IE minimum
+       length
+
+    Category: Core/ManagerInterface
+
+   ASTERISK-30176: manager: GetConfig can read files outside of Asterisk
+   Reported by: shawty
+     * [0f44cd885a] Mike Bradeen -- manager: prevent file access outside of
+       config dir
+
+    Category: pjproject/pjsip
+
+   ASTERISK-30338: pjproject: Backport security fixes from 2.13
+   Reported by: Benjamin Keith Ford
+     * [702f400e3e] Ben Ford -- pjproject: 2.13 security fixes
+
+  Bug
+
+    Category: Resources/res_pjsip_pubsub
+
+   ASTERISK-30244: res_pjsip_pubsub: Occasional crash when TCP/TLS connection
+   terminated and subscription persistence is removed
+   Reported by: nappsoft
+     * [ed45a9182d] George Joseph -- pjsip_transport_events: Fix possible use
+       after free on transport
+
+     ----------------------------------------------------------------------
+
+                      Commits Not Associated with an Issue
+
+                                 [Back to Top]
+
+   This is a list of all changes that went into this release that did not
+   reference a JIRA issue.
+
+   +------------------------------------------------------------------------+
+   | Revision   | Author                    | Summary                       |
+   |------------+---------------------------+-------------------------------|
+   | cdc655b2a6 | Asterisk Development Team | Update CHANGES and            |
+   |            |                           | UPGRADE.txt for 20.0.1        |
+   +------------------------------------------------------------------------+
+
+     ----------------------------------------------------------------------
+
+                                Diffstat Results
+
+                                 [Back to Top]
+
+   This is a summary of the changes to the source code that went into this
+   release that was generated using the diffstat utility.
+
+ UPGRADE.txt                                                                                     |   13
+ addons/ooh323c/src/ooq931.c                                                                     |   15
+ configs/samples/asterisk.conf.sample                                                            |   11
+ include/asterisk/manager.h                                                                      |   12
+ include/asterisk/res_pjsip.h                                                                    |   83 ++
+ main/manager.c                                                                                  |   42 +
+ main/options.c                                                                                  |    1
+ res/res_pjsip/pjsip_transport_events.c                                                          |  214 ++++++-
+ res/res_pjsip_outbound_registration.c                                                           |   28
+ res/res_pjsip_pubsub.c                                                                          |   25
+ third-party/pjproject/patches/0200-potential-buffer-overflow-in-pjlib-scanner-and-pjmedia.patch |  289 ++++++++++
+ 11 files changed, 680 insertions(+), 53 deletions(-)


=====================================
configs/samples/asterisk.conf.sample
=====================================
@@ -95,10 +95,13 @@ documentation_language = en_US	; Set the language you want documentation
 				;         documented in extensions.conf.sample.
 				; Default gosub.
 ;live_dangerously = no		; Enable the execution of 'dangerous' dialplan
-				; functions from external sources (AMI,
-				; etc.) These functions (such as SHELL) are
-				; considered dangerous because they can allow
-				; privilege escalation.
+				; functions and configuration file access from
+				; external sources (AMI, etc.) These functions
+				; (such as SHELL) are considered dangerous
+				; because they can allow privilege escalation.
+				; Configuration files are considered dangerous
+				; if they exist outside of the Asterisk
+				; configuration directory.
 				; Default no
 ;entityid=00:11:22:33:44:55	; Entity ID.
 				; This is in the form of a MAC address.


=====================================
debian/NEWS
=====================================
@@ -1,3 +1,11 @@
+asterisk (1:20.0.1~dfsg+~cs6.12.40431414-1) unstable; urgency=high
+
+  Asterisk Manager Interface (AMI) now restricts access
+  for functions GetConfig and UpdateConfig.
+  New option "live_dangerously" relaxes that restriction.
+
+ -- Jonas Smedegaard <dr at jones.dk>  Thu, 08 Dec 2022 09:51:21 +0100
+
 asterisk (1:18.11.1~dfsg+~cs6.10.40431413-1) unstable; urgency=medium
 
   Asterisk no longer provides the module chan_vpb,


=====================================
debian/changelog
=====================================
@@ -1,3 +1,22 @@
+asterisk (1:20.0.1~dfsg+~cs6.12.40431414-1) unstable; urgency=high
+
+  [ upstream ]
+  * new release
+    * closes: bug#1017004, thanks to Neil Williams;
+      also fixes these upstream bugs:
+      ASTERISK-30103 ASTERISK-30176 ASTERISK-30244 ASTERISK-30338
+      CVE-2022-37325 CVE-2022-42706 CVE-2022-42705 CVE-2022-39244
+      CVE-2022-31031
+      GHSA-26j7-ww69-c4qj GHSA-fq45-m3f7-3mhj
+
+  [ Jonas Smedegaard ]
+  * fix build module chan_sip;
+    closes: bug#1024443, thanks to James Bottomley
+  * add NEWS entry about new AMI live_dangerously option
+  * set urgency=high due to multiple security bugfixes
+
+ -- Jonas Smedegaard <dr at jones.dk>  Thu, 08 Dec 2022 09:51:21 +0100
+
 asterisk (1:20.0.0~dfsg+~cs6.12.40431414-2) unstable; urgency=medium
 
   * re-release for building with auto-builder
@@ -23,6 +42,7 @@ asterisk (1:20.0.0~~rc1~dfsg+~cs6.12.40431414-1) experimental; urgency=medium
   [ upstream ]
   * new pre-release
 
+  [ Jonas Smedegaard ]
   * update lintian overrides
   * update copyright info:
     + fix separate License section from corresponding Files section


=====================================
debian/copyright_hints
=====================================
@@ -914,8 +914,8 @@ Files: BSDmakefile
  agi/fastagi-test
  agi/numeralize
  apps/app_voicemail.exports.in
- asterisk-20.0.0-summary.html
- asterisk-20.0.0-summary.txt
+ asterisk-20.0.1-summary.html
+ asterisk-20.0.1-summary.txt
  autoconf/ast_c_compile_check.m4
  autoconf/ast_c_declare_check.m4
  autoconf/ast_c_define_check.m4
@@ -1635,6 +1635,8 @@ Files: BSDmakefile
  third-party/pjproject/patches/0000-configure-ssl-library-path.patch
  third-party/pjproject/patches/0000-remove-third-party.patch
  third-party/pjproject/patches/0100-allow_multiple_auth_headers.patch
+ third-party/pjproject/patches/0200-potential-buffer-overflow-in-pjlib-scanner-and-pjmedia.patch
+ third-party/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch
  third-party/pjproject/patches/README
  third-party/pjproject/patches/config_site.h
  third-party/pjproject/patches/user.mak


=====================================
debian/rules
=====================================
@@ -51,7 +51,7 @@ endif
 
 ADDONS_ENABLE = app_macro app_voicemail_imap app_voicemail_odbc
 ADDONS_ENABLE += res_config_mysql
-ADDONS_ENABLE += chan_mobile chan_ooh323
+ADDONS_ENABLE += chan_mobile chan_ooh323 chan_sip
 ADDONS_ENABLE += aelparse format_mp3 smsq TEST_FRAMEWORK
 ADDONS_DISABLE = BUILD_NATIVE
 ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))


=====================================
include/asterisk/manager.h
=====================================
@@ -350,6 +350,18 @@ void astman_send_list_complete_start(struct mansession *s, const struct message
  */
 void astman_send_list_complete_end(struct mansession *s);
 
+/*!
+ * \brief Enable/disable the inclusion of 'dangerous' configurations outside
+ * of the ast_config_AST_CONFIG_DIR
+ *
+ * This function can globally enable/disable the loading of configuration files
+ * outside of ast_config_AST_CONFIG_DIR.
+ *
+ * \param new_live_dangerously If true, enable the access of files outside
+ * ast_config_AST_CONFIG_DIR from astman.
+ */
+void astman_live_dangerously(int new_live_dangerously);
+
 void __attribute__((format(printf, 2, 3))) astman_append(struct mansession *s, const char *fmt, ...);
 
 /*! \brief Determine if a manager session ident is authenticated */


=====================================
include/asterisk/res_pjsip.h
=====================================
@@ -87,6 +87,26 @@
 #define AST_STIR_SHAKEN_RESPONSE_STR_UNSUPPORTED_CREDENTIAL "Unsupported Credential"
 #define AST_STIR_SHAKEN_RESPONSE_STR_INVALID_IDENTITY_HEADER "Invalid Identity Header"
 
+/* ":12345" */
+#define COLON_PORT_STRLEN 6
+/*
+ * "<ipaddr>:<port>"
+ * PJ_INET6_ADDRSTRLEN includes the NULL terminator
+ */
+#define IP6ADDR_COLON_PORT_BUFLEN (PJ_INET6_ADDRSTRLEN + COLON_PORT_STRLEN)
+
+/*!
+ * \brief Fill a buffer with a pjsip transport's remote ip address and port
+ *
+ * \param transport The pjsip_transport to use
+ * \param dest The destination buffer of at least IP6ADDR_COLON_PORT_BUFLEN bytes
+ */
+#define AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR(_transport, _dest) \
+	snprintf(_dest, IP6ADDR_COLON_PORT_BUFLEN, \
+		PJSTR_PRINTF_SPEC ":%d", \
+		PJSTR_PRINTF_VAR(_transport->remote_name.host), \
+		_transport->remote_name.port);
+
 /* Forward declarations of PJSIP stuff */
 struct pjsip_rx_data;
 struct pjsip_module;
@@ -3598,6 +3618,7 @@ enum ast_transport_monitor_reg {
 
 /*!
  * \brief Register a reliable transport shutdown monitor callback.
+ * \deprecated Replaced with ast_sip_transport_monitor_register_key().
  * \since 13.20.0
  *
  * \param transport Transport to monitor for shutdown.
@@ -3615,8 +3636,29 @@ enum ast_transport_monitor_reg {
 enum ast_transport_monitor_reg ast_sip_transport_monitor_register(pjsip_transport *transport,
 	ast_transport_monitor_shutdown_cb cb, void *ao2_data);
 
+/*!
+ * \brief Register a reliable transport shutdown monitor callback.
+ *
+ * \param transport_key Key for the transport to monitor for shutdown.
+ *                      Create the key with AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR.
+ * \param cb Who to call when transport is shutdown.
+ * \param ao2_data Data to pass with the callback.
+ *
+ * \note The data object passed will have its reference count automatically
+ * incremented by this call and automatically decremented after the callback
+ * runs or when the callback is unregistered.
+ *
+ * There is no checking for duplicate registrations.
+ *
+ * \return enum ast_transport_monitor_reg
+ */
+enum ast_transport_monitor_reg ast_sip_transport_monitor_register_key(
+	const char *transport_key, ast_transport_monitor_shutdown_cb cb,
+	void *ao2_data);
+
 /*!
  * \brief Register a reliable transport shutdown monitor callback replacing any duplicate.
+ * \deprecated Replaced with ast_sip_transport_monitor_register_replace_key().
  * \since 13.26.0
  * \since 16.3.0
  *
@@ -3638,8 +3680,32 @@ enum ast_transport_monitor_reg ast_sip_transport_monitor_register(pjsip_transpor
 enum ast_transport_monitor_reg ast_sip_transport_monitor_register_replace(pjsip_transport *transport,
 	ast_transport_monitor_shutdown_cb cb, void *ao2_data, ast_transport_monitor_data_matcher matches);
 
+/*!
+ * \brief Register a reliable transport shutdown monitor callback replacing any duplicate.
+ *
+ * \param transport_key Key for the transport to monitor for shutdown.
+ *                      Create the key with AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR.
+ * \param cb Who to call when transport is shutdown.
+ * \param ao2_data Data to pass with the callback.
+ * \param matches Matcher function that returns true if data matches a previously
+ *                registered data object
+ *
+ * \note The data object passed will have its reference count automatically
+ * incremented by this call and automatically decremented after the callback
+ * runs or when the callback is unregistered.
+ *
+ * This function checks for duplicates, and overwrites/replaces the old monitor
+ * with the given one.
+ *
+ * \return enum ast_transport_monitor_reg
+ */
+enum ast_transport_monitor_reg ast_sip_transport_monitor_register_replace_key(
+	const char *transport_key, ast_transport_monitor_shutdown_cb cb,
+	void *ao2_data, ast_transport_monitor_data_matcher matches);
+
 /*!
  * \brief Unregister a reliable transport shutdown monitor
+ * \deprecated Replaced with ast_sip_transport_monitor_unregister_key().
  * \since 13.20.0
  *
  * \param transport Transport to monitor for shutdown.
@@ -3655,6 +3721,23 @@ enum ast_transport_monitor_reg ast_sip_transport_monitor_register_replace(pjsip_
 void ast_sip_transport_monitor_unregister(pjsip_transport *transport,
 	ast_transport_monitor_shutdown_cb cb, void *data, ast_transport_monitor_data_matcher matches);
 
+/*!
+ * \brief Unregister a reliable transport shutdown monitor
+ *
+ * \param transport_key Key for the transport to monitor for shutdown.
+ *                      Create the key with AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR.
+ * \param cb The callback that was used for the original register.
+ * \param data Data to pass to the matcher. May be NULL and does NOT need to be an ao2 object.
+ *             If NULL, all monitors with the provided callback are unregistered.
+ * \param matches Matcher function that returns true if data matches the previously
+ *                registered data object.  If NULL, a simple pointer comparison is done.
+ *
+ * \note The data object passed into the original register will have its reference count
+ * automatically decremented.
+ */
+void ast_sip_transport_monitor_unregister_key(const char *transport_key,
+	ast_transport_monitor_shutdown_cb cb, void *data, ast_transport_monitor_data_matcher matches);
+
 /*!
  * \brief Unregister a transport shutdown monitor from all reliable transports
  * \since 13.20.0


=====================================
main/manager.c
=====================================
@@ -1490,6 +1490,11 @@ static struct stasis_forward *rtp_topic_forwarder;
 /*! \brief The \ref stasis_subscription for forwarding the Security topic to the AMI topic */
 static struct stasis_forward *security_topic_forwarder;
 
+/*!
+ * \brief Set to true (non-zero) to globally allow all dangerous AMI actions to run
+ */
+static int live_dangerously;
+
 #ifdef TEST_FRAMEWORK
 /*! \brief The \ref stasis_subscription for forwarding the Test topic to the AMI topic */
 static struct stasis_forward *test_suite_forwarder;
@@ -3609,6 +3614,29 @@ static int action_ping(struct mansession *s, const struct message *m)
 	return 0;
 }
 
+void astman_live_dangerously(int new_live_dangerously)
+{
+	if (new_live_dangerously && !live_dangerously)
+	{
+		ast_log(LOG_WARNING, "Manager Configuration load protection disabled.\n");
+	}
+
+	if (!new_live_dangerously && live_dangerously)
+	{
+		ast_log(LOG_NOTICE, "Manager Configuration load protection enabled.\n");
+	}
+	live_dangerously = new_live_dangerously;
+}
+
+static int restrictedFile(const char *filename)
+{
+	if (!live_dangerously && !strncasecmp(filename, "/", 1) &&
+		 strncasecmp(filename, ast_config_AST_CONFIG_DIR, strlen(ast_config_AST_CONFIG_DIR))) {
+		return 1;
+	}
+	return 0;
+}
+
 static int action_getconfig(struct mansession *s, const struct message *m)
 {
 	struct ast_config *cfg;
@@ -3627,6 +3655,11 @@ static int action_getconfig(struct mansession *s, const struct message *m)
 		return 0;
 	}
 
+	if (restrictedFile(fn)) {
+		astman_send_error(s, m, "File requires escalated priveledges");
+		return 0;
+	}
+
 	cfg = ast_config_load2(fn, "manager", config_flags);
 	if (cfg == CONFIG_STATUS_FILEMISSING) {
 		astman_send_error(s, m, "Config file not found");
@@ -3754,6 +3787,11 @@ static int action_getconfigjson(struct mansession *s, const struct message *m)
 		return 0;
 	}
 
+	if (restrictedFile(fn)) {
+		astman_send_error(s, m, "File requires escalated priveledges");
+		return 0;
+	}
+
 	if (!(cfg = ast_config_load2(fn, "manager", config_flags))) {
 		astman_send_error(s, m, "Config file not found");
 		return 0;
@@ -4105,6 +4143,10 @@ static int action_updateconfig(struct mansession *s, const struct message *m)
 		astman_send_error(s, m, "Filename not specified");
 		return 0;
 	}
+	if (restrictedFile(sfn) || restrictedFile(dfn)) {
+		astman_send_error(s, m, "File requires escalated priveledges");
+		return 0;
+	}
 	if (!(cfg = ast_config_load2(sfn, "manager", config_flags))) {
 		astman_send_error(s, m, "Config file not found");
 		return 0;


=====================================
main/options.c
=====================================
@@ -476,6 +476,7 @@ void load_asterisk_conf(void)
 	}
 	if (!ast_opt_remote) {
 		pbx_live_dangerously(live_dangerously);
+		astman_live_dangerously(live_dangerously);
 	}
 
 	option_debug += option_debug_new;


=====================================
res/res_pjsip/pjsip_transport_events.c
=====================================
@@ -30,6 +30,7 @@
 #include "asterisk.h"
 
 #include "asterisk/res_pjsip.h"
+#include "asterisk/res_pjsip_cli.h"
 #include "include/res_pjsip_private.h"
 #include "asterisk/linkedlists.h"
 #include "asterisk/vector.h"
@@ -49,8 +50,14 @@ struct transport_monitor_notifier {
 
 /*! \brief Structure for transport to be monitored */
 struct transport_monitor {
+	/*! \brief Key <ipaddr>:<port> */
+	char key[IP6ADDR_COLON_PORT_BUFLEN];
 	/*! \brief The underlying PJSIP transport */
 	pjsip_transport *transport;
+	/*! For debugging purposes, we save the obj_name
+	 * in case the transport goes away.
+	 */
+	char *transport_obj_name;
 	/*! Who is interested in when this transport shuts down. */
 	AST_VECTOR(, struct transport_monitor_notifier) monitors;
 };
@@ -64,12 +71,14 @@ static pjsip_tp_state_callback tpmgr_state_callback;
 /*! List of registered transport state callbacks. */
 static AST_RWLIST_HEAD(, ast_sip_tpmgr_state_callback) transport_state_list;
 
-
 /*! \brief Hashing function for struct transport_monitor */
-AO2_STRING_FIELD_HASH_FN(transport_monitor, transport->obj_name);
+AO2_STRING_FIELD_HASH_FN(transport_monitor, key);
 
 /*! \brief Comparison function for struct transport_monitor */
-AO2_STRING_FIELD_CMP_FN(transport_monitor, transport->obj_name);
+AO2_STRING_FIELD_CMP_FN(transport_monitor, key);
+
+/*! \brief Sort function for struct transport_monitor */
+AO2_STRING_FIELD_SORT_FN(transport_monitor, key);
 
 static const char *transport_state2str(pjsip_transport_state state)
 {
@@ -112,6 +121,11 @@ static void transport_monitor_dtor(void *vdoomed)
 		ao2_cleanup(notifier->data);
 	}
 	AST_VECTOR_FREE(&monitored->monitors);
+	ast_debug(3, "Transport %s(%s,%s) RefCnt: %ld : state:MONITOR_DESTROYED\n",
+		monitored->key, monitored->transport->obj_name,
+		monitored->transport->type_name,pj_atomic_get(monitored->transport->ref_cnt));
+	ast_free(monitored->transport_obj_name);
+	pjsip_transport_dec_ref(monitored->transport);
 }
 
 /*!
@@ -125,8 +139,11 @@ static void transport_monitor_dtor(void *vdoomed)
 static void transport_state_do_reg_callbacks(struct ao2_container *transports, pjsip_transport *transport)
 {
 	struct transport_monitor *monitored;
+	char key[IP6ADDR_COLON_PORT_BUFLEN];
+
+	AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR(transport, key);
 
-	monitored = ao2_find(transports, transport->obj_name, OBJ_SEARCH_KEY | OBJ_UNLINK);
+	monitored = ao2_find(transports, key, OBJ_SEARCH_KEY | OBJ_UNLINK);
 	if (monitored) {
 		int idx;
 
@@ -134,8 +151,10 @@ static void transport_state_do_reg_callbacks(struct ao2_container *transports, p
 			struct transport_monitor_notifier *notifier;
 
 			notifier = AST_VECTOR_GET_ADDR(&monitored->monitors, idx);
-			ast_debug(3, "running callback %p(%p) for transport %s\n",
-				notifier->cb, notifier->data, transport->obj_name);
+			ast_debug(3, "Transport %s(%s,%s) RefCnt: %ld : running callback %p(%p)\n",
+				monitored->key, monitored->transport->obj_name,
+				monitored->transport->type_name,
+				pj_atomic_get(monitored->transport->ref_cnt), notifier->cb, notifier->data);
 			notifier->cb(notifier->data);
 		}
 		ao2_ref(monitored, -1);
@@ -269,8 +288,11 @@ static void transport_state_callback(pjsip_transport *transport,
 		&& (transports = ao2_global_obj_ref(active_transports))) {
 		struct transport_monitor *monitored;
 
-		ast_debug(3, "Reliable transport '%s' state:%s\n",
-			transport->obj_name, transport_state2str(state));
+		ast_debug(3, "Transport " PJSTR_PRINTF_SPEC ":%d(%s,%s): RefCnt: %ld state:%s\n",
+			PJSTR_PRINTF_VAR(transport->remote_name.host),
+			transport->remote_name.port, transport->obj_name,
+			transport->type_name,
+			pj_atomic_get(transport->ref_cnt), transport_state2str(state));
 		switch (state) {
 		case PJSIP_TP_STATE_CONNECTED:
 			if (PJSIP_TRANSPORT_IS_SECURE(transport) &&
@@ -285,10 +307,18 @@ static void transport_state_callback(pjsip_transport *transport,
 				break;
 			}
 			monitored->transport = transport;
+			AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR(transport, monitored->key);
+			monitored->transport_obj_name = ast_strdup(transport->obj_name);
+
 			if (AST_VECTOR_INIT(&monitored->monitors, 5)) {
 				ao2_ref(monitored, -1);
 				break;
 			}
+			pjsip_transport_add_ref(monitored->transport);
+			ast_debug(3, "Transport %s(%s,%s): RefCnt: %ld state:MONITOR_CREATED\n",
+				monitored->key,	monitored->transport_obj_name,
+				monitored->transport->type_name,
+				pj_atomic_get(monitored->transport->ref_cnt));
 
 			ao2_link(transports, monitored);
 			ao2_ref(monitored, -1);
@@ -362,8 +392,10 @@ static int transport_monitor_unregister_cb(void *obj, void *arg, int flags)
 			|| cb_data->matches(cb_data->data, notifier->data))) {
 			ao2_cleanup(notifier->data);
 			AST_VECTOR_REMOVE_UNORDERED(&monitored->monitors, idx);
-			ast_debug(3, "Unregistered monitor %p(%p) from transport %s\n",
-				notifier->cb, notifier->data, monitored->transport->obj_name);
+			ast_debug(3, "Transport %s(%s,%s) RefCnt: %ld : Unregistered monitor %p(%p)\n",
+				monitored->key, monitored->transport_obj_name,
+				monitored->transport->type_name,
+				pj_atomic_get(monitored->transport->ref_cnt), notifier->cb, notifier->data);
 		}
 	}
 	return 0;
@@ -396,11 +428,19 @@ void ast_sip_transport_monitor_unregister_all(ast_transport_monitor_shutdown_cb
 
 void ast_sip_transport_monitor_unregister(pjsip_transport *transport,
 	ast_transport_monitor_shutdown_cb cb, void *data, ast_transport_monitor_data_matcher matches)
+{
+	char key[IP6ADDR_COLON_PORT_BUFLEN];
+	AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR(transport, key);
+	ast_sip_transport_monitor_unregister_key(key, cb, data, matches);
+}
+
+void ast_sip_transport_monitor_unregister_key(const char *transport_key,
+	ast_transport_monitor_shutdown_cb cb, void *data, ast_transport_monitor_data_matcher matches)
 {
 	struct ao2_container *transports;
 	struct transport_monitor *monitored;
 
-	ast_assert(transport != NULL && cb != NULL);
+	ast_assert(transport_key != NULL && cb != NULL);
 
 	transports = ao2_global_obj_ref(active_transports);
 	if (!transports) {
@@ -408,7 +448,7 @@ void ast_sip_transport_monitor_unregister(pjsip_transport *transport,
 	}
 
 	ao2_lock(transports);
-	monitored = ao2_find(transports, transport->obj_name, OBJ_SEARCH_KEY | OBJ_NOLOCK);
+	monitored = ao2_find(transports, transport_key, OBJ_SEARCH_KEY | OBJ_NOLOCK);
 	if (monitored) {
 		struct callback_data cb_data = {
 			.cb = cb,
@@ -426,17 +466,35 @@ void ast_sip_transport_monitor_unregister(pjsip_transport *transport,
 enum ast_transport_monitor_reg ast_sip_transport_monitor_register(pjsip_transport *transport,
 	ast_transport_monitor_shutdown_cb cb, void *ao2_data)
 {
-	return ast_sip_transport_monitor_register_replace(transport, cb, ao2_data, NULL);
+	char key[IP6ADDR_COLON_PORT_BUFLEN];
+	AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR(transport, key);
+
+	return ast_sip_transport_monitor_register_replace_key(key, cb, ao2_data, NULL);
+}
+
+enum ast_transport_monitor_reg ast_sip_transport_monitor_register_key(const char *transport_key,
+	ast_transport_monitor_shutdown_cb cb, void *ao2_data)
+{
+	return ast_sip_transport_monitor_register_replace_key(transport_key, cb, ao2_data, NULL);
 }
 
 enum ast_transport_monitor_reg ast_sip_transport_monitor_register_replace(pjsip_transport *transport,
 	ast_transport_monitor_shutdown_cb cb, void *ao2_data, ast_transport_monitor_data_matcher matches)
+{
+	char key[IP6ADDR_COLON_PORT_BUFLEN];
+
+	AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR(transport, key);
+	return ast_sip_transport_monitor_register_replace_key(key, cb, ao2_data, NULL);
+}
+
+enum ast_transport_monitor_reg ast_sip_transport_monitor_register_replace_key(const char *transport_key,
+	ast_transport_monitor_shutdown_cb cb, void *ao2_data, ast_transport_monitor_data_matcher matches)
 {
 	struct ao2_container *transports;
 	struct transport_monitor *monitored;
 	enum ast_transport_monitor_reg res = AST_TRANSPORT_MONITOR_REG_NOT_FOUND;
 
-	ast_assert(transport != NULL && cb != NULL);
+	ast_assert(transport_key != NULL && cb != NULL);
 
 	transports = ao2_global_obj_ref(active_transports);
 	if (!transports) {
@@ -444,7 +502,7 @@ enum ast_transport_monitor_reg ast_sip_transport_monitor_register_replace(pjsip_
 	}
 
 	ao2_lock(transports);
-	monitored = ao2_find(transports, transport->obj_name, OBJ_SEARCH_KEY | OBJ_NOLOCK);
+	monitored = ao2_find(transports, transport_key, OBJ_SEARCH_KEY | OBJ_NOLOCK);
 	if (monitored) {
 		struct transport_monitor_notifier new_monitor;
 		struct callback_data cb_data = {
@@ -461,12 +519,15 @@ enum ast_transport_monitor_reg ast_sip_transport_monitor_register_replace(pjsip_
 		if (AST_VECTOR_APPEND(&monitored->monitors, new_monitor)) {
 			ao2_cleanup(ao2_data);
 			res = AST_TRANSPORT_MONITOR_REG_FAILED;
-			ast_debug(3, "Register monitor %p(%p) to transport %s FAILED\n",
-				cb, ao2_data, transport->obj_name);
+			ast_debug(3, "Transport %s(%s) RefCnt: %ld : Monitor registration failed %p(%p)\n",
+				monitored->key, monitored->transport_obj_name,
+				pj_atomic_get(monitored->transport->ref_cnt), cb, ao2_data);
 		} else {
 			res = AST_TRANSPORT_MONITOR_REG_SUCCESS;
-			ast_debug(3, "Registered monitor %p(%p) to transport %s\n",
-				cb, ao2_data, transport->obj_name);
+			ast_debug(3, "Transport %s(%s,%s) RefCnt: %ld : Registered monitor %p(%p)\n",
+				monitored->key, monitored->transport_obj_name,
+				monitored->transport->type_name,
+				pj_atomic_get(monitored->transport->ref_cnt), cb, ao2_data);
 		}
 
 		ao2_ref(monitored, -1);
@@ -499,10 +560,120 @@ void ast_sip_transport_state_register(struct ast_sip_tpmgr_state_callback *eleme
 	AST_RWLIST_UNLOCK(&transport_state_list);
 }
 
+static char *cli_show_monitors(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
+{
+	char *cli_rc = CLI_FAILURE;
+	int rc = 0;
+	int using_regex = 0;
+	regex_t regex = { 0, };
+	int container_count;
+	struct ao2_iterator iter;
+	struct ao2_container *sorted_monitors = NULL;
+	struct ao2_container *transports;
+	struct transport_monitor *monitored;
+
+	switch (cmd) {
+	case CLI_INIT:
+		e->command = "pjsip show transport-monitors";
+		e->usage = "Usage: pjsip show transport-monitors [ like <pattern> ]\n"
+		            "      Show pjsip transport monitors\n";
+		return NULL;
+	case CLI_GENERATE:
+		return NULL;
+	}
+
+	if (a->argc != 3 && a->argc != 5) {
+		return CLI_SHOWUSAGE;
+	}
+
+	if (a->argc == 5) {
+		int regrc;
+		if (strcasecmp(a->argv[3], "like")) {
+			return CLI_SHOWUSAGE;
+		}
+		regrc = regcomp(&regex, a->argv[4], REG_EXTENDED | REG_ICASE | REG_NOSUB);
+		if (regrc) {
+			char err[256];
+			regerror(regrc, &regex, err, 256);
+			ast_cli(a->fd, "PJSIP Transport Monitor: Error: %s\n", err);
+			return CLI_FAILURE;
+		}
+		using_regex = 1;
+	}
+
+	/* Get a sorted snapshot of the scheduled tasks */
+	sorted_monitors = ao2_container_alloc_rbtree(AO2_ALLOC_OPT_LOCK_NOLOCK, 0,
+		transport_monitor_sort_fn, NULL);
+	if (!sorted_monitors) {
+		ast_cli(a->fd, "PJSIP Transport Monitor: Unable to allocate temporary container\n");
+		goto error;
+	}
+
+	transports = ao2_global_obj_ref(active_transports);
+	if (!transports) {
+		ast_cli(a->fd, "PJSIP Transport Monitor: Unable to get transports\n");
+		goto error;
+	}
+
+	ao2_lock(transports);
+	rc = ao2_container_dup(sorted_monitors, transports, 0);
+	ao2_unlock(transports);
+	ao2_ref(transports, -1);
+	if (rc != 0) {
+		ast_cli(a->fd, "PJSIP Transport Monitors: Unable to sort temporary container\n");
+		goto error;
+	}
+	container_count = ao2_container_count(sorted_monitors);
+
+	ast_cli(a->fd, "PJSIP Transport Monitors:\n\n");
+
+	ast_cli(a->fd,
+		"<Remote Host...................................> <State.....> <Direction> <RefCnt> <Monitors> <ObjName............>\n");
+
+	iter = ao2_iterator_init(sorted_monitors, AO2_ITERATOR_UNLINK);
+	for (; (monitored = ao2_iterator_next(&iter)); ao2_ref(monitored, -1)) {
+		char *state;
+
+		if (using_regex && regexec(&regex, monitored->key, 0, NULL, 0) == REG_NOMATCH) {
+			continue;
+		}
+
+		if (monitored->transport->is_destroying) {
+			state = "DESTROYING";
+		} else if (monitored->transport->is_shutdown) {
+			state = "SHUTDOWN";
+		} else {
+			state = "ACTIVE";
+		}
+
+		ast_cli(a->fd, " %-46.46s   %-10s   %-9s   %6ld   %8" PRIu64 "   %s\n",
+			monitored->key, state,
+			monitored->transport->dir == PJSIP_TP_DIR_OUTGOING ? "Outgoing" : "Incoming",
+			pj_atomic_get(monitored->transport->ref_cnt),
+			AST_VECTOR_SIZE(&monitored->monitors), monitored->transport->obj_name);
+	}
+	ao2_iterator_destroy(&iter);
+	ast_cli(a->fd, "\nTotal Transport Monitors: %d\n\n", container_count);
+	cli_rc = CLI_SUCCESS;
+error:
+	if (using_regex) {
+		regfree(&regex);
+	}
+	ao2_cleanup(sorted_monitors);
+
+	return cli_rc;
+}
+
+static struct ast_cli_entry cli_commands[] = {
+	AST_CLI_DEFINE(cli_show_monitors, "Show pjsip transport monitors"),
+};
+
 void ast_sip_destroy_transport_events(void)
 {
 	pjsip_tpmgr *tpmgr;
 
+	ast_cli_unregister_multiple(cli_commands, ARRAY_LEN(cli_commands));
+
 	tpmgr = pjsip_endpt_get_tpmgr(ast_sip_get_pjsip_endpoint());
 	if (tpmgr) {
 		pjsip_tpmgr_set_state_cb(tpmgr, tpmgr_state_callback);
@@ -522,7 +693,7 @@ int ast_sip_initialize_transport_events(void)
 	}
 
 	transports = ao2_container_alloc_hash(AO2_ALLOC_OPT_LOCK_MUTEX, 0,
-		ACTIVE_TRANSPORTS_BUCKETS, transport_monitor_hash_fn, NULL,
+		ACTIVE_TRANSPORTS_BUCKETS, transport_monitor_hash_fn, transport_monitor_sort_fn,
 		transport_monitor_cmp_fn);
 	if (!transports) {
 		return -1;
@@ -533,5 +704,8 @@ int ast_sip_initialize_transport_events(void)
 	tpmgr_state_callback = pjsip_tpmgr_get_state_cb(tpmgr);
 	pjsip_tpmgr_set_state_cb(tpmgr, &transport_state_callback);
 
+	ast_cli_register_multiple(cli_commands, ARRAY_LEN(cli_commands));
+
+
 	return 0;
 }


=====================================
res/res_pjsip_outbound_registration.c
=====================================
@@ -851,6 +851,8 @@ struct registration_response {
 	pjsip_rx_data *rdata;
 	/*! \brief Request for which the response was received */
 	pjsip_tx_data *old_request;
+	/*! \brief Key for the reliable transport in use */
+	char transport_key[IP6ADDR_COLON_PORT_BUFLEN];
 };
 
 /*! \brief Registration response structure destructor */
@@ -966,13 +968,10 @@ static int monitor_matcher(void *a, void *b)
 	return strcmp(ma, mb) == 0;
 }
 
-static void registration_transport_monitor_setup(pjsip_transport *transport, const char *registration_name)
+static void registration_transport_monitor_setup(const char *transport_key, const char *registration_name)
 {
 	char *monitor;
 
-	if (!PJSIP_TRANSPORT_IS_RELIABLE(transport)) {
-		return;
-	}
 	monitor = ao2_alloc_options(strlen(registration_name) + 1, NULL,
 		AO2_ALLOC_OPT_LOCK_NOLOCK);
 	if (!monitor) {
@@ -985,8 +984,8 @@ static void registration_transport_monitor_setup(pjsip_transport *transport, con
 	 * register the monitor.  We might get into a message spamming infinite
 	 * loop of registration, shutdown, reregistration...
 	 */
-	ast_sip_transport_monitor_register(transport, registration_transport_shutdown_cb,
-		monitor);
+	ast_sip_transport_monitor_register_replace_key(transport_key, registration_transport_shutdown_cb,
+		monitor, monitor_matcher);
 	ao2_ref(monitor, -1);
 }
 
@@ -1139,14 +1138,18 @@ static int handle_registration_response(void *data)
 			schedule_registration(response->client_state, next_registration_round);
 
 			/* See if we should monitor for transport shutdown */
-			registration_transport_monitor_setup(response->rdata->tp_info.transport,
-				response->client_state->registration_name);
+			if (PJSIP_TRANSPORT_IS_RELIABLE(response->rdata->tp_info.transport)) {
+				registration_transport_monitor_setup(response->transport_key,
+					response->client_state->registration_name);
+			}
 		} else {
 			ast_debug(1, "Outbound unregistration to '%s' with client '%s' successful\n", server_uri, client_uri);
 			update_client_state_status(response->client_state, SIP_REGISTRATION_UNREGISTERED);
-			ast_sip_transport_monitor_unregister(response->rdata->tp_info.transport,
-				registration_transport_shutdown_cb, response->client_state->registration_name,
-				monitor_matcher);
+			if (PJSIP_TRANSPORT_IS_RELIABLE(response->rdata->tp_info.transport)) {
+				ast_sip_transport_monitor_unregister_key(response->transport_key,
+					registration_transport_shutdown_cb, response->client_state->registration_name,
+					monitor_matcher);
+			}
 		}
 
 		save_response_fields_to_transport(response);
@@ -1262,6 +1265,9 @@ static void sip_outbound_registration_response_cb(struct pjsip_regc_cbparam *par
 		response->old_request = tsx->last_tx;
 		pjsip_tx_data_add_ref(response->old_request);
 		pjsip_rx_data_clone(param->rdata, 0, &response->rdata);
+		AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR(param->rdata->tp_info.transport,
+			response->transport_key);
+
 	} else {
 		/* old_request steals the reference */
 		response->old_request = client_state->last_tdata;


=====================================
res/res_pjsip_pubsub.c
=====================================
@@ -389,8 +389,8 @@ struct subscription_persistence {
 	char src_name[PJ_INET6_ADDRSTRLEN];
 	/*! Source port of the message */
 	int src_port;
-	/*! Local transport key type */
-	char transport_key[32];
+	/*! Local transport type (UDP,TCP,TLS)*/
+	char transport_type[32];
 	/*! Local transport address */
 	char local_name[PJ_INET6_ADDRSTRLEN];
 	/*! Local transport port */
@@ -474,7 +474,7 @@ struct sip_subscription_tree {
 	/*! The transport the subscription was received on.
 	 * Only used for reliable transports.
 	 */
-	pjsip_transport *transport;
+	char transport_key[IP6ADDR_COLON_PORT_BUFLEN];
 	/*! Indicator if initial notify should be generated.
 	 * Used to refresh modified RLS.
 	 */
@@ -711,8 +711,9 @@ static void subscription_persistence_update(struct sip_subscription_tree *sub_tr
 							rdata->tp_info.transport->obj_name,
 							sub_tree->persistence->endpoint, sub_tree->root->resource,
 							sub_tree->persistence->prune_on_boot);
-						sub_tree->transport = rdata->tp_info.transport;
-						ast_sip_transport_monitor_register(rdata->tp_info.transport,
+						AST_SIP_MAKE_REMOTE_IPADDR_PORT_STR(rdata->tp_info.transport,
+							sub_tree->transport_key);
+						ast_sip_transport_monitor_register_key(sub_tree->transport_key,
 							sub_tree_transport_cb, sub_tree);
 						/*
 						 * FYI: ast_sip_transport_monitor_register holds a reference to the sub_tree
@@ -746,8 +747,8 @@ static void subscription_persistence_update(struct sip_subscription_tree *sub_tr
 		ast_copy_string(sub_tree->persistence->src_name, rdata->pkt_info.src_name,
 				sizeof(sub_tree->persistence->src_name));
 		sub_tree->persistence->src_port = rdata->pkt_info.src_port;
-		ast_copy_string(sub_tree->persistence->transport_key, rdata->tp_info.transport->type_name,
-			sizeof(sub_tree->persistence->transport_key));
+		ast_copy_string(sub_tree->persistence->transport_type, rdata->tp_info.transport->type_name,
+			sizeof(sub_tree->persistence->transport_type));
 		ast_copy_pj_str(sub_tree->persistence->local_name, &rdata->tp_info.transport->local_name.host,
 			sizeof(sub_tree->persistence->local_name));
 		sub_tree->persistence->local_port = rdata->tp_info.transport->local_name.port;
@@ -763,12 +764,12 @@ static void subscription_persistence_remove(struct sip_subscription_tree *sub_tr
 		return;
 	}
 
-	if (sub_tree->persistence->prune_on_boot && sub_tree->transport) {
+	if (sub_tree->persistence->prune_on_boot && !ast_strlen_zero(sub_tree->transport_key)) {
 		ast_debug(3, "Unregistering transport monitor on %s '%s->%s'\n",
-			sub_tree->transport->obj_name,
+			sub_tree->transport_key,
 			sub_tree->endpoint ? ast_sorcery_object_get_id(sub_tree->endpoint) : "Unknown",
 			sub_tree->root ? sub_tree->root->resource : "Unknown");
-		ast_sip_transport_monitor_unregister(sub_tree->transport,
+		ast_sip_transport_monitor_unregister_key(sub_tree->transport_key,
 			sub_tree_transport_cb, sub_tree, NULL);
 	}
 
@@ -1743,7 +1744,7 @@ static int subscription_persistence_recreate(void *obj, void *arg, int flags)
 	rdata.tp_info.pool = pool;
 
 	if (ast_sip_create_rdata_with_contact(&rdata, persistence->packet, persistence->src_name,
-		persistence->src_port, persistence->transport_key, persistence->local_name,
+		persistence->src_port, persistence->transport_type, persistence->local_name,
 		persistence->local_port, persistence->contact_uri)) {
 		ast_log(LOG_WARNING, "Failed recreating '%s' subscription: The message could not be parsed\n",
 			persistence->endpoint);
@@ -5759,7 +5760,7 @@ static int load_module(void)
 	ast_sorcery_object_field_register(sorcery, "subscription_persistence", "src_port", "0", OPT_UINT_T, 0,
 		FLDSET(struct subscription_persistence, src_port));
 	ast_sorcery_object_field_register(sorcery, "subscription_persistence", "transport_key", "0", OPT_CHAR_ARRAY_T, 0,
-		CHARFLDSET(struct subscription_persistence, transport_key));
+		CHARFLDSET(struct subscription_persistence, transport_type));
 	ast_sorcery_object_field_register(sorcery, "subscription_persistence", "local_name", "", OPT_CHAR_ARRAY_T, 0,
 		CHARFLDSET(struct subscription_persistence, local_name));
 	ast_sorcery_object_field_register(sorcery, "subscription_persistence", "local_port", "0", OPT_UINT_T, 0,


=====================================
third-party/pjproject/patches/0200-potential-buffer-overflow-in-pjlib-scanner-and-pjmedia.patch
=====================================
@@ -0,0 +1,306 @@
+From c4d34984ec92b3d5252a7d5cddd85a1d3a8001ae Mon Sep 17 00:00:00 2001
+From: sauwming <ming at teluu.com>
+Date: Mon, 3 Oct 2022 08:07:22 +0800
+Subject: [PATCH] Merge pull request from GHSA-fq45-m3f7-3mhj
+
+* Initial patch
+
+* Use 'pj_scan_is_eof(scanner)'
+
+Co-authored-by: Aaron Lichtman <aaronlichtman at gmail.com>
+
+* Use 'pj_scan_is_eof(scanner)'
+
+Co-authored-by: Aaron Lichtman <aaronlichtman at gmail.com>
+
+* Use 'pj_scan_is_eof(scanner)'
+
+Co-authored-by: Aaron Lichtman <aaronlichtman at gmail.com>
+
+* Use `!pj_scan_is_eof` instead of manually checking `scanner->curptr < scanner->end`
+
+Co-authored-by: Maksim Mukosey <mmukosey at gmail.com>
+
+* Update pjlib-util/src/pjlib-util/scanner.c
+
+Co-authored-by: Aaron Lichtman <aaronlichtman at gmail.com>
+
+* Update pjlib-util/src/pjlib-util/scanner.c
+
+Co-authored-by: Aaron Lichtman <aaronlichtman at gmail.com>
+
+* Update pjlib-util/src/pjlib-util/scanner.c
+
+Co-authored-by: Aaron Lichtman <aaronlichtman at gmail.com>
+
+* Revert '>=' back to '>' in pj_scan_stricmp_alnum()
+
+* Fix error compiles.
+
+Co-authored-by: Nanang Izzuddin <nanang at teluu.com>
+Co-authored-by: Aaron Lichtman <aaronlichtman at gmail.com>
+Co-authored-by: Maksim Mukosey <mmukosey at gmail.com>
+---
+ pjlib-util/src/pjlib-util/scanner.c | 41 +++++++++++++++++++----------
+ pjmedia/src/pjmedia/rtp.c           | 11 +++++---
+ pjmedia/src/pjmedia/sdp.c           | 24 ++++++++++-------
+ 3 files changed, 48 insertions(+), 28 deletions(-)
+
+diff --git a/pjlib-util/src/pjlib-util/scanner.c b/pjlib-util/src/pjlib-util/scanner.c
+index a54edf2d8..6541bbae3 100644
+--- a/pjlib-util/src/pjlib-util/scanner.c
++++ b/pjlib-util/src/pjlib-util/scanner.c
+@@ -195,7 +195,13 @@ PJ_DEF(void) pj_scan_skip_whitespace( pj_scanner *scanner )
+ 
+ PJ_DEF(void) pj_scan_skip_line( pj_scanner *scanner )
+ {
+-    char *s = pj_memchr(scanner->curptr, '\n', scanner->end - scanner->curptr);
++    char *s;
++
++    if (pj_scan_is_eof(scanner)) {
++        return;
++    }
++
++    s = pj_memchr(scanner->curptr, '\n', scanner->end - scanner->curptr);
+     if (!s) {
+ 	scanner->curptr = scanner->end;
+     } else {
+@@ -264,8 +270,7 @@ PJ_DEF(void) pj_scan_get( pj_scanner *scanner,
+ 
+     pj_assert(pj_cis_match(spec,0)==0);
+ 
+-    /* EOF is detected implicitly */
+-    if (!pj_cis_match(spec, *s)) {
++    if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s)) {
+ 	pj_scan_syntax_err(scanner);
+ 	return;
+     }
+@@ -299,8 +304,7 @@ PJ_DEF(void) pj_scan_get_unescape( pj_scanner *scanner,
+     /* Must not match character '%' */
+     pj_assert(pj_cis_match(spec,'%')==0);
+ 
+-    /* EOF is detected implicitly */
+-    if (!pj_cis_match(spec, *s) && *s != '%') {
++    if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s) && *s != '%') {
+ 	pj_scan_syntax_err(scanner);
+ 	return;
+     }
+@@ -436,7 +440,9 @@ PJ_DEF(void) pj_scan_get_n( pj_scanner *scanner,
+     
+     scanner->curptr += N;
+ 
+-    if (PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && scanner->skip_ws) {
++    if (!pj_scan_is_eof(scanner) &&
++	PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && scanner->skip_ws)
++    {
+ 	pj_scan_skip_whitespace(scanner);
+     }
+ }
+@@ -467,15 +473,16 @@ PJ_DEF(int) pj_scan_get_char( pj_scanner *scanner )
+ 
+ PJ_DEF(void) pj_scan_get_newline( pj_scanner *scanner )
+ {
+-    if (!PJ_SCAN_IS_NEWLINE(*scanner->curptr)) {
++    if (pj_scan_is_eof(scanner) || !PJ_SCAN_IS_NEWLINE(*scanner->curptr)) {
+ 	pj_scan_syntax_err(scanner);
+ 	return;
+     }
+ 
++    /* We have checked scanner->curptr validity above */
+     if (*scanner->curptr == '\r') {
+ 	++scanner->curptr;
+     }
+-    if (*scanner->curptr == '\n') {
++    if (!pj_scan_is_eof(scanner) && *scanner->curptr == '\n') {
+ 	++scanner->curptr;
+     }
+ 
+@@ -520,7 +527,9 @@ PJ_DEF(void) pj_scan_get_until( pj_scanner *scanner,
+ 
+     scanner->curptr = s;
+ 
+-    if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {
++    if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&
++	scanner->skip_ws)
++    {
+ 	pj_scan_skip_whitespace(scanner);
+     }
+ }
+@@ -544,7 +553,9 @@ PJ_DEF(void) pj_scan_get_until_ch( pj_scanner *scanner,
+ 
+     scanner->curptr = s;
+ 
+-    if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {
++    if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&
++	scanner->skip_ws)
++    {
+ 	pj_scan_skip_whitespace(scanner);
+     }
+ }
+@@ -570,7 +581,9 @@ PJ_DEF(void) pj_scan_get_until_chr( pj_scanner *scanner,
+ 
+     scanner->curptr = s;
+ 
+-    if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {
++    if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&
++	scanner->skip_ws)
++    {
+ 	pj_scan_skip_whitespace(scanner);
+     }
+ }
+@@ -585,7 +598,9 @@ PJ_DEF(void) pj_scan_advance_n( pj_scanner *scanner,
+ 
+     scanner->curptr += N;
+ 
+-    if (PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && skip_ws) {
++    if (!pj_scan_is_eof(scanner) && 
++	PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && skip_ws)
++    {
+ 	pj_scan_skip_whitespace(scanner);
+     }
+ }
+@@ -636,5 +651,3 @@ PJ_DEF(void) pj_scan_restore_state( pj_scanner *scanner,
+     scanner->line = state->line;
+     scanner->start_line = state->start_line;
+ }
+-
+-
+diff --git a/pjmedia/src/pjmedia/rtp.c b/pjmedia/src/pjmedia/rtp.c
+index 18917f18b..d29348cc5 100644
+--- a/pjmedia/src/pjmedia/rtp.c
++++ b/pjmedia/src/pjmedia/rtp.c
+@@ -188,6 +188,11 @@ PJ_DEF(pj_status_t) pjmedia_rtp_decode_rtp2(
+     /* Payload is located right after header plus CSRC */
+     offset = sizeof(pjmedia_rtp_hdr) + ((*hdr)->cc * sizeof(pj_uint32_t));
+ 
++    /* Check that offset is less than packet size */
++    if (offset >= pkt_len) {
++        return PJMEDIA_RTP_EINLEN;
++    }
++
+     /* Decode RTP extension. */
+     if ((*hdr)->x) {
+         if (offset + sizeof (pjmedia_rtp_ext_hdr) > (unsigned)pkt_len)
+@@ -202,8 +207,8 @@ PJ_DEF(pj_status_t) pjmedia_rtp_decode_rtp2(
+ 	dec_hdr->ext_len = 0;
+     }
+ 
+-    /* Check that offset is less than packet size */
+-    if (offset > pkt_len)
++    /* Check again that offset is still less than packet size */
++    if (offset >= pkt_len)
+ 	return PJMEDIA_RTP_EINLEN;
+ 
+     /* Find and set payload. */
+@@ -393,5 +398,3 @@ void pjmedia_rtp_seq_update( pjmedia_rtp_seq_session *sess,
+ 	seq_status->status.value = st.status.value;
+     }
+ }
+-
+-
+diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c
+index 3905c2f52..647f49e13 100644
+--- a/pjmedia/src/pjmedia/sdp.c
++++ b/pjmedia/src/pjmedia/sdp.c
+@@ -983,13 +983,13 @@ static void parse_version(pj_scanner *scanner,
+     ctx->last_error = PJMEDIA_SDP_EINVER;
+ 
+     /* check equal sign */
+-    if (*(scanner->curptr+1) != '=') {
++    if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
+ 	on_scanner_error(scanner);
+ 	return;
+     }
+ 
+     /* check version is 0 */
+-    if (*(scanner->curptr+2) != '0') {
++    if (scanner->curptr+2 >= scanner->end || *(scanner->curptr+2) != '0') {
+ 	on_scanner_error(scanner);
+ 	return;
+     }
+@@ -1006,7 +1006,7 @@ static void parse_origin(pj_scanner *scanner, pjmedia_sdp_session *ses,
+     ctx->last_error = PJMEDIA_SDP_EINORIGIN;
+ 
+     /* check equal sign */
+-    if (*(scanner->curptr+1) != '=') {
++    if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
+ 	on_scanner_error(scanner);
+ 	return;
+     }
+@@ -1052,7 +1052,7 @@ static void parse_time(pj_scanner *scanner, pjmedia_sdp_session *ses,
+     ctx->last_error = PJMEDIA_SDP_EINTIME;
+ 
+     /* check equal sign */
+-    if (*(scanner->curptr+1) != '=') {
++    if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
+ 	on_scanner_error(scanner);
+ 	return;
+     }
+@@ -1080,7 +1080,7 @@ static void parse_generic_line(pj_scanner *scanner, pj_str_t *str,
+     ctx->last_error = PJMEDIA_SDP_EINSDP;
+ 
+     /* check equal sign */
+-    if (*(scanner->curptr+1) != '=') {
++    if ((scanner->curptr+1 >= scanner->end) || *(scanner->curptr+1) != '=') {
+ 	on_scanner_error(scanner);
+ 	return;
+     }
+@@ -1149,7 +1149,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,
+     ctx->last_error = PJMEDIA_SDP_EINMEDIA;
+ 
+     /* check the equal sign */
+-    if (*(scanner->curptr+1) != '=') {
++    if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
+ 	on_scanner_error(scanner);
+ 	return;
+     }
+@@ -1164,6 +1164,10 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,
+     /* port */
+     pj_scan_get(scanner, &cs_token, &str);
+     med->desc.port = (unsigned short)pj_strtoul(&str);
++    if (pj_scan_is_eof(scanner)) {
++        on_scanner_error(scanner);
++        return;
++    }
+     if (*scanner->curptr == '/') {
+ 	/* port count */
+ 	pj_scan_get_char(scanner);
+@@ -1175,7 +1179,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,
+     }
+ 
+     if (pj_scan_get_char(scanner) != ' ') {
+-	PJ_THROW(SYNTAX_ERROR);
++	on_scanner_error(scanner);
+     }
+ 
+     /* transport */
+@@ -1183,7 +1187,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,
+ 
+     /* format list */
+     med->desc.fmt_count = 0;
+-    while (*scanner->curptr == ' ') {
++    while (scanner->curptr < scanner->end && *scanner->curptr == ' ') {
+ 	pj_str_t fmt;
+ 
+ 	pj_scan_get_char(scanner);
+@@ -1223,7 +1227,7 @@ static pjmedia_sdp_attr *parse_attr( pj_pool_t *pool, pj_scanner *scanner,
+     attr = PJ_POOL_ALLOC_T(pool, pjmedia_sdp_attr);
+ 
+     /* check equal sign */
+-    if (*(scanner->curptr+1) != '=') {
++    if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
+ 	on_scanner_error(scanner);
+ 	return NULL;
+     }
+@@ -1242,7 +1246,7 @@ static pjmedia_sdp_attr *parse_attr( pj_pool_t *pool, pj_scanner *scanner,
+ 	    pj_scan_get_char(scanner);
+ 
+ 	/* get value */
+-	if (*scanner->curptr != '\r' && *scanner->curptr != '\n') {
++	if (!pj_scan_is_eof(scanner) && *scanner->curptr != '\r' && *scanner->curptr != '\n') {
+ 	    pj_scan_get_until_chr(scanner, "\r\n", &attr->value);
+ 	} else {
+ 	    attr->value.ptr = NULL;
+-- 
+2.25.1
+


=====================================
third-party/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch
=====================================
@@ -0,0 +1,44 @@
+From 450baca94f475345542c6953832650c390889202 Mon Sep 17 00:00:00 2001
+From: sauwming <ming at teluu.com>
+Date: Tue, 7 Jun 2022 12:00:13 +0800
+Subject: [PATCH] Merge pull request from GHSA-26j7-ww69-c4qj
+
+---
+ pjlib-util/src/pjlib-util/stun_simple.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/pjlib-util/src/pjlib-util/stun_simple.c b/pjlib-util/src/pjlib-util/stun_simple.c
+index 722519584..d0549176d 100644
+--- a/pjlib-util/src/pjlib-util/stun_simple.c
++++ b/pjlib-util/src/pjlib-util/stun_simple.c
+@@ -54,6 +54,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,
+ {
+     pj_uint16_t msg_type, msg_len;
+     char *p_attr;
++    int attr_max_cnt = PJ_ARRAY_SIZE(msg->attr);
+ 
+     PJ_CHECK_STACK();
+ 
+@@ -83,7 +84,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,
+     msg->attr_count = 0;
+     p_attr = (char*)buf + sizeof(pjstun_msg_hdr);
+ 
+-    while (msg_len > 0) {
++    while (msg_len > 0 && msg->attr_count < attr_max_cnt) {
+ 	pjstun_attr_hdr **attr = &msg->attr[msg->attr_count];
+ 	pj_uint32_t len;
+ 	pj_uint16_t attr_type;
+@@ -111,6 +112,10 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,
+ 	p_attr += len;
+ 	++msg->attr_count;
+     }
++    if (msg->attr_count == attr_max_cnt) {
++	PJ_LOG(4, (THIS_FILE, "Warning: max number attribute %d reached.",
++		   attr_max_cnt));
++    }
+ 
+     return PJ_SUCCESS;
+ }
+-- 
+2.25.1
+



View it on GitLab: https://salsa.debian.org/pkg-voip-team/asterisk/-/compare/4d6539bcc7b46d0c387944596f5eae58a865ab77...27e31283b23528b5ab3661e7e6cb75df63d1645f

-- 
View it on GitLab: https://salsa.debian.org/pkg-voip-team/asterisk/-/compare/4d6539bcc7b46d0c387944596f5eae58a865ab77...27e31283b23528b5ab3661e7e6cb75df63d1645f
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/attachments/20221208/aa27507d/attachment-0001.htm>


More information about the Pkg-voip-maintainers mailing list