From d1d956fb60c3c3596e5279b5cca04e1f2a529011 Mon Sep 17 00:00:00 2001 From: George Joseph Date: Tue, 6 Feb 2018 11:07:18 -0700 Subject: [PATCH 3/3] AST-2018-005: res_pjsip_transport_management: Move to core Since res_pjsip_transport_management provides several attack mitigation features, its functionality moved to res_pjsip and this module has been removed. This way the features will always be available if res_pjsip is loaded. ASTERISK-27618 Reported By: Sandro Gauci Change-Id: I21a2d33d9dda001452ea040d350d7a075f9acf0d --- CHANGES | 7 ++++++ UPGRADE.txt | 7 ++++++ res/res_pjsip.c | 6 +++++ res/res_pjsip/include/res_pjsip_private.h | 28 ++++++++++++++++++++++ .../pjsip_transport_management.c} | 28 ++++------------------ 5 files changed, 52 insertions(+), 24 deletions(-) rename res/{res_pjsip_transport_management.c => res_pjsip/pjsip_transport_management.c} (94%) diff --git a/CHANGES b/CHANGES index 3b2be7125b..4f91c73d01 100644 --- a/CHANGES +++ b/CHANGES @@ -70,6 +70,13 @@ res_pjsip_pubsub need to run the "alembic upgrade head" process to add the column to the schema. +res_pjsip_transport_management +------------------ + * Since res_pjsip_transport_management provides several attack + mitigation features, its functionality moved to res_pjsip and + this module has been removed. This way the features will always + be available if res_pjsip is loaded. + ------------------------------------------------------------------------------ --- Functionality changes from Asterisk 15.1.0 to Asterisk 15.2.0 ------------ ------------------------------------------------------------------------------ diff --git a/UPGRADE.txt b/UPGRADE.txt index 5e138e8eaa..6df39f1fe6 100644 --- a/UPGRADE.txt +++ b/UPGRADE.txt @@ -50,6 +50,13 @@ res_pjsip_endpoint_identifier_ip you can now predict which endpoint is matched when a request comes in that matches both. +res_pjsip_transport_management +------------------ + * Since res_pjsip_transport_management provides several attack + mitigation features, its functionality moved to res_pjsip and + this module has been removed. This way the features will always + be available if res_pjsip is loaded. + New in 15.0.0: Build System: diff --git a/res/res_pjsip.c b/res/res_pjsip.c index ac13652e49..1e74a69530 100644 --- a/res/res_pjsip.c +++ b/res/res_pjsip.c @@ -4817,6 +4817,7 @@ static int unload_pjsip(void *data) * If they're not set, then there's nothing to clean up anyway. */ if (ast_pjsip_endpoint && serializer_pool[0]) { + ast_sip_destroy_transport_management(); ast_res_pjsip_cleanup_options_handling(); ast_res_pjsip_cleanup_message_filter(); ast_sip_destroy_distributor(); @@ -4985,6 +4986,11 @@ static int load_module(void) ast_sip_initialize_resolver(); ast_sip_initialize_dns(); + if (ast_sip_initialize_transport_management()) { + ast_log(LOG_ERROR, "Failed to initialize SIP transport management. Aborting load\n"); + goto error; + } + if (ast_sip_initialize_distributor()) { ast_log(LOG_ERROR, "Failed to register distributor module. Aborting load\n"); goto error; diff --git a/res/res_pjsip/include/res_pjsip_private.h b/res/res_pjsip/include/res_pjsip_private.h index 46526597d3..04ed990eec 100644 --- a/res/res_pjsip/include/res_pjsip_private.h +++ b/res/res_pjsip/include/res_pjsip_private.h @@ -409,4 +409,32 @@ int ast_sip_destroy_scheduler(void); int ast_sip_will_uri_survive_restart(pjsip_sip_uri *uri, struct ast_sip_endpoint *endpoint, pjsip_rx_data *rdata); +/*! + * \internal + * \brief Initialize the transport management module + * \since 13.20.0 + * + * The transport management module is responsible for 3 things... + * 1. It automatically destroys any reliable transport that does not + * receive a valid request within system/timer_b milliseconds of the + * connection being opened. (Attack mitigation) + * 2. Since it increments the reliable transport's reference count + * for that period of time, it also prevents issues if the transport + * disconnects while we're still trying to process a response. + * (Attack mitigation) + * 3. If enabled by global/keep_alive_interval, it sends '\r\n' + * keepalives on reliable transports at the interval specified. + * + * \retval -1 Failure + * \retval 0 Success + */ +int ast_sip_initialize_transport_management(void); + +/*! + * \internal + * \brief Destruct the transport management module. + * \since 13.20.0 + */ +void ast_sip_destroy_transport_management(void); + #endif /* RES_PJSIP_PRIVATE_H_ */ diff --git a/res/res_pjsip_transport_management.c b/res/res_pjsip/pjsip_transport_management.c similarity index 94% rename from res/res_pjsip_transport_management.c rename to res/res_pjsip/pjsip_transport_management.c index eb92eb7a51..63feeacfa0 100644 --- a/res/res_pjsip_transport_management.c +++ b/res/res_pjsip/pjsip_transport_management.c @@ -16,12 +16,6 @@ * at the top of the source tree. */ -/*** MODULEINFO - pjproject - res_pjsip - core - ***/ - #include "asterisk.h" #include @@ -32,6 +26,7 @@ #include "asterisk/res_pjsip.h" #include "asterisk/module.h" #include "asterisk/astobj2.h" +#include "include/res_pjsip_private.h" /*! \brief Number of buckets for monitored transports */ #define TRANSPORTS_BUCKETS 127 @@ -319,7 +314,7 @@ static pjsip_module idle_monitor_module = { .on_rx_request = idle_monitor_on_rx_request, }; -static int load_module(void) +int ast_sip_initialize_transport_management(void) { struct ao2_container *transports; @@ -356,11 +351,10 @@ static int load_module(void) ast_sorcery_observer_add(ast_sip_get_sorcery(), "global", &keepalive_global_observer); ast_sorcery_reload_object(ast_sip_get_sorcery(), "global"); - ast_module_shutdown_ref(ast_module_info->self); return AST_MODULE_LOAD_SUCCESS; } -static int unload_module(void) +void ast_sip_destroy_transport_management(void) { if (keepalive_interval) { keepalive_interval = 0; @@ -382,19 +376,5 @@ static int unload_module(void) ao2_global_obj_release(monitored_transports); - return 0; -} - -static int reload_module(void) -{ - ast_sorcery_reload_object(ast_sip_get_sorcery(), "global"); - return 0; + return; } - -AST_MODULE_INFO(ASTERISK_GPL_KEY, AST_MODFLAG_LOAD_ORDER, "PJSIP Reliable Transport Management", - .support_level = AST_MODULE_SUPPORT_CORE, - .load = load_module, - .reload = reload_module, - .unload = unload_module, - .load_pri = AST_MODPRI_CHANNEL_DEPEND - 4, -); -- 2.14.3