ASTERISK-21429: Distributed Device State using JABBER/XMPP not working since Secuity Advisory AST-2012-015

[Home]

Summary: ASTERISK-21429: Distributed Device State using JABBER/XMPP not working since Secuity Advisory AST-2012-015

Reporter: Alec Davis (alecdavis) Labels:

Date Opened: 2013-04-13 05:25:36 Date Closed: 2013-04-17 08:59:40

Priority: Major Regression? Yes

Status: Closed/Complete Components: Resources/res_jabber Resources/res_xmpp

Versions: 1.8.19.1 1.8.20.0 1.8.21.0 11.1.1 11.1.2 11.2.0 11.3.0 Frequency of
Occurrence Constant

Related
Issues:
must be completed before resolving ASTERISK-21773 Asterisk 1.8.22.0 Open Blockers

must be completed before resolving ASTERISK-21774 Asterisk 11.4.0 Open Blockers

is caused by ASTERISK-20175 Security Vulnerability: denial of service attack through exploitation of device state caching

is related to ASTERISK-21069 xmpp distributed device states aggregation update fails

is related to ASTERISK-21164 Need clarification on distributed device state behavior and whether this behavior is a possible regression

Environment: SiteA SVN-branch-11-r376441 SiteB SVN-branch-11-r378321 Attachments: ( 0) r2452_diff3.txt

Description: Prior to the cachable devicestate changes from ASTERISK-20175, both sites worked fine.

Site B is the site having issues, it doesn't update it's hints, and the phones that subscribe to the hint don't update there BLF.

Reverting back to asterisk-11-r378287 at SiteB and it works again.

SiteA is running a version without the devicestate cachable changes, thus is not sending the new IE cachable=1, but from what I can tell the default is to assume cachable.

Comments: By: Alec Davis (alecdavis) 2013-04-13 07:33:11.033-0500

Tested with Site A not sending the IE 'cachable'.

'core show hints' at SiteB, correctly showed the ringing state of a phone in siteA.

By: Alec Davis (alecdavis) 2013-04-13 17:53:28.913-0500

attached bug21429.diff.txt

This fixes the scenario when an older system doesn't send the IE cachable=1 in the XMPP message, to a newer system that expects to see it.

If the IE 'cachable' isn't present we need to default to AST_DEVSTATE_CACHABLE.
Assigning the cachable variable directly from ast_event_get_ie_uint is wrong, if the IE 'cachable' isn't found ast_event_get_ie_uint() will return 0, 0 = AST_DEVSTATE_NOT_CACHABLE

We need to read the 'cachable' IE into a string first, allowing us to check that it exists, if it doesn't exist then default to cachable=AST_DEVSTATE_CACHABLE.
If the 'cachable' IE does exist, then convert to a uint, validate value and go with it.
By: Alec Davis (alecdavis) 2013-04-13 18:34:02.365-0500

updated bug21429.diff2.txt
By: Alec Davis (alecdavis) 2013-05-10 00:10:28.964-0500

patch from reviewboard that was commited