diff options
Diffstat (limited to 'net-libs/pjproject/files')
3 files changed, 278 insertions, 0 deletions
diff --git a/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch b/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch new file mode 100644 index 000000000000..0d7df686a157 --- /dev/null +++ b/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch @@ -0,0 +1,125 @@ +From 67e46c1ac45ad784db5b9080f5ed8b133c122872 Mon Sep 17 00:00:00 2001 +From: sauwming <ming@teluu.com> +Date: Mon, 8 Mar 2021 17:39:36 +0800 +Subject: [PATCH] Merge pull request from GHSA-8hcp-hm38-mfph + +* Check hostname during TLS transport selection + +* revision based on feedback + +* remove the code in create_request that has been moved +--- + pjsip/include/pjsip/sip_dialog.h | 1 + + pjsip/src/pjsip/sip_dialog.c | 15 +++++++++++++++ + pjsip/src/pjsip/sip_transport.c | 13 +++++++++++++ + pjsip/src/pjsip/sip_util.c | 11 ++++++++--- + 4 files changed, 37 insertions(+), 3 deletions(-) + +diff --git a/pjsip/include/pjsip/sip_dialog.h b/pjsip/include/pjsip/sip_dialog.h +index a0214d28c..e314c2ece 100644 +--- a/pjsip/include/pjsip/sip_dialog.h ++++ b/pjsip/include/pjsip/sip_dialog.h +@@ -165,6 +165,7 @@ struct pjsip_dialog + pjsip_route_hdr route_set; /**< Route set. */ + pj_bool_t route_set_frozen; /**< Route set has been set. */ + pjsip_auth_clt_sess auth_sess; /**< Client authentication session. */ ++ pj_str_t initial_dest;/**< Initial destination host. */ + + /** Session counter. */ + int sess_count; /**< Number of sessions. */ +diff --git a/pjsip/src/pjsip/sip_dialog.c b/pjsip/src/pjsip/sip_dialog.c +index 27530e4f2..9571b5a35 100644 +--- a/pjsip/src/pjsip/sip_dialog.c ++++ b/pjsip/src/pjsip/sip_dialog.c +@@ -467,6 +467,10 @@ pj_status_t create_uas_dialog( pjsip_user_agent *ua, + + /* Save the remote info. */ + pj_strdup(dlg->pool, &dlg->remote.info_str, &tmp); ++ ++ /* Save initial destination host from transport's info */ ++ pj_strdup(dlg->pool, &dlg->initial_dest, ++ &rdata->tp_info.transport->remote_name.host); + + + /* Init remote's contact from Contact header. +@@ -1192,6 +1196,12 @@ static pj_status_t dlg_create_request_throw( pjsip_dialog *dlg, + return status; + } + ++ /* Copy the initial destination host to tdata. This information can be ++ * used later by transport for transport selection. ++ */ ++ if (dlg->initial_dest.slen) ++ pj_strdup(tdata->pool, &tdata->dest_info.name, &dlg->initial_dest); ++ + /* Done. */ + *p_tdata = tdata; + +@@ -1822,6 +1832,11 @@ static void dlg_update_routeset(pjsip_dialog *dlg, const pjsip_rx_data *rdata) + * transaction as the initial transaction that establishes dialog. + */ + if (dlg->role == PJSIP_ROLE_UAC) { ++ /* Save initial destination host from transport's info. */ ++ if (!dlg->initial_dest.slen) { ++ pj_strdup(dlg->pool, &dlg->initial_dest, ++ &rdata->tp_info.transport->remote_name.host); ++ } + + /* Ignore subsequent request from remote */ + if (msg->type != PJSIP_RESPONSE_MSG) +diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c +index bef6d24fe..177274b08 100644 +--- a/pjsip/src/pjsip/sip_transport.c ++++ b/pjsip/src/pjsip/sip_transport.c +@@ -2335,6 +2335,19 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr, + if (!tp_iter->tp->is_shutdown && + !tp_iter->tp->is_destroying) + { ++ if ((type & PJSIP_TRANSPORT_SECURE) && tdata) { ++ /* For secure transport, make sure tdata's ++ * destination host matches the transport's ++ * remote host. ++ */ ++ if (pj_stricmp(&tdata->dest_info.name, ++ &tp_iter->tp->remote_name.host)) ++ { ++ tp_iter = tp_iter->next; ++ continue; ++ } ++ } ++ + if (sel && sel->type == PJSIP_TPSELECTOR_LISTENER && + sel->u.listener) + { +diff --git a/pjsip/src/pjsip/sip_util.c b/pjsip/src/pjsip/sip_util.c +index a1bf878ea..cf916805d 100644 +--- a/pjsip/src/pjsip/sip_util.c ++++ b/pjsip/src/pjsip/sip_util.c +@@ -1417,7 +1417,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_request_stateless(pjsip_endpoint *endpt, + */ + if (tdata->dest_info.addr.count == 0) { + /* Copy the destination host name to TX data */ +- pj_strdup(tdata->pool, &tdata->dest_info.name, &dest_info.addr.host); ++ if (!tdata->dest_info.name.slen) { ++ pj_strdup(tdata->pool, &tdata->dest_info.name, ++ &dest_info.addr.host); ++ } + + pjsip_endpt_resolve( endpt, tdata->pool, &dest_info, stateless_data, + &stateless_send_resolver_callback); +@@ -1810,8 +1813,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_response( pjsip_endpoint *endpt, + } + } else { + /* Copy the destination host name to TX data */ +- pj_strdup(tdata->pool, &tdata->dest_info.name, +- &res_addr->dst_host.addr.host); ++ if (!tdata->dest_info.name.slen) { ++ pj_strdup(tdata->pool, &tdata->dest_info.name, ++ &res_addr->dst_host.addr.host); ++ } + + pjsip_endpt_resolve(endpt, tdata->pool, &res_addr->dst_host, + send_state, &send_response_resolver_cb); +-- +2.26.2 + diff --git a/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch b/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch new file mode 100644 index 000000000000..9dc9016e491a --- /dev/null +++ b/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch @@ -0,0 +1,45 @@ +From 97b3d7addbaa720b7ddb0af9bf6f3e443e664365 Mon Sep 17 00:00:00 2001 +From: Nanang Izzuddin <nanang@teluu.com> +Date: Mon, 8 Mar 2021 16:09:34 +0700 +Subject: [PATCH] Merge pull request from GHSA-hvq6-f89p-frvp + +--- + pjmedia/src/pjmedia/sdp_neg.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/pjmedia/src/pjmedia/sdp_neg.c b/pjmedia/src/pjmedia/sdp_neg.c +index f4838f75d..9f76b5200 100644 +--- a/pjmedia/src/pjmedia/sdp_neg.c ++++ b/pjmedia/src/pjmedia/sdp_neg.c +@@ -304,7 +304,6 @@ PJ_DEF(pj_status_t) pjmedia_sdp_neg_modify_local_offer2( + { + pjmedia_sdp_session *new_offer; + pjmedia_sdp_session *old_offer; +- char media_used[PJMEDIA_MAX_SDP_MEDIA]; + unsigned oi; /* old offer media index */ + pj_status_t status; + +@@ -323,8 +322,19 @@ PJ_DEF(pj_status_t) pjmedia_sdp_neg_modify_local_offer2( + /* Change state to STATE_LOCAL_OFFER */ + neg->state = PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER; + ++ /* When there is no active local SDP in state PJMEDIA_SDP_NEG_STATE_DONE, ++ * it means that the previous initial SDP nego must have been failed, ++ * so we'll just set the local SDP offer here. ++ */ ++ if (!neg->active_local_sdp) { ++ neg->initial_sdp_tmp = NULL; ++ neg->initial_sdp = pjmedia_sdp_session_clone(pool, local); ++ neg->neg_local_sdp = pjmedia_sdp_session_clone(pool, local); ++ ++ return PJ_SUCCESS; ++ } ++ + /* Init vars */ +- pj_bzero(media_used, sizeof(media_used)); + old_offer = neg->active_local_sdp; + new_offer = pjmedia_sdp_session_clone(pool, local); + +-- +2.26.2 + diff --git a/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch b/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch new file mode 100644 index 000000000000..b036951d9edd --- /dev/null +++ b/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch @@ -0,0 +1,108 @@ +From 90a16c523bfdf4d43c10506c972c5fd4250b2856 Mon Sep 17 00:00:00 2001 +From: Nanang Izzuddin <nanang@teluu.com> +Date: Fri, 20 Nov 2020 10:52:22 +0700 +Subject: [PATCH] Race condition between transport destroy and acquire (#2470) + +* Handle race condition between transport_idle_callback() and pjsip_tpmgr_acquire_transport2(). +* Add transport destroy state check as additional of transport shutdown state check +--- + pjsip/src/pjsip/sip_transaction.c | 2 +- + pjsip/src/pjsip/sip_transport.c | 34 +++++++++++++++++++++++++------ + 2 files changed, 29 insertions(+), 7 deletions(-) + +diff --git a/pjsip/src/pjsip/sip_transaction.c b/pjsip/src/pjsip/sip_transaction.c +index 2b4ece7df..f663c7f4b 100644 +--- a/pjsip/src/pjsip/sip_transaction.c ++++ b/pjsip/src/pjsip/sip_transaction.c +@@ -2443,7 +2443,7 @@ static void tsx_update_transport( pjsip_transaction *tsx, + pjsip_transport_add_ref(tp); + pjsip_transport_add_state_listener(tp, &tsx_tp_state_callback, tsx, + &tsx->tp_st_key); +- if (tp->is_shutdown) { ++ if (tp->is_shutdown || tp->is_destroying) { + pjsip_transport_state_info info; + + pj_bzero(&info, sizeof(info)); +diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c +index 06fce358c..bef6d24fe 100644 +--- a/pjsip/src/pjsip/sip_transport.c ++++ b/pjsip/src/pjsip/sip_transport.c +@@ -1071,6 +1071,19 @@ static void transport_idle_callback(pj_timer_heap_t *timer_heap, + return; + + entry->id = PJ_FALSE; ++ ++ /* Set is_destroying flag under transport manager mutex to avoid ++ * race condition with pjsip_tpmgr_acquire_transport2(). ++ */ ++ pj_lock_acquire(tp->tpmgr->lock); ++ if (pj_atomic_get(tp->ref_cnt) == 0) { ++ tp->is_destroying = PJ_TRUE; ++ } else { ++ pj_lock_release(tp->tpmgr->lock); ++ return; ++ } ++ pj_lock_release(tp->tpmgr->lock); ++ + pjsip_transport_destroy(tp); + } + +@@ -1392,8 +1405,8 @@ PJ_DEF(pj_status_t) pjsip_transport_shutdown2(pjsip_transport *tp, + mgr = tp->tpmgr; + pj_lock_acquire(mgr->lock); + +- /* Do nothing if transport is being shutdown already */ +- if (tp->is_shutdown) { ++ /* Do nothing if transport is being shutdown/destroyed already */ ++ if (tp->is_shutdown || tp->is_destroying) { + pj_lock_release(mgr->lock); + pj_lock_release(tp->lock); + return PJ_SUCCESS; +@@ -2256,6 +2269,13 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr, + return PJSIP_ETPNOTSUITABLE; + } + ++ /* Make sure the transport is not being destroyed */ ++ if (seltp->is_destroying) { ++ pj_lock_release(mgr->lock); ++ TRACE_((THIS_FILE,"Transport to be acquired is being destroyed")); ++ return PJ_ENOTFOUND; ++ } ++ + /* We could also verify that the destination address is reachable + * from this transport (i.e. both are equal), but if application + * has requested a specific transport to be used, assume that +@@ -2311,8 +2331,10 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr, + if (tp_entry) { + transport *tp_iter = tp_entry; + do { +- /* Don't use transport being shutdown */ +- if (!tp_iter->tp->is_shutdown) { ++ /* Don't use transport being shutdown/destroyed */ ++ if (!tp_iter->tp->is_shutdown && ++ !tp_iter->tp->is_destroying) ++ { + if (sel && sel->type == PJSIP_TPSELECTOR_LISTENER && + sel->u.listener) + { +@@ -2382,7 +2404,7 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr, + TRACE_((THIS_FILE, "Transport found but from different listener")); + } + +- if (tp_ref!=NULL && !tp_ref->is_shutdown) { ++ if (tp_ref!=NULL && !tp_ref->is_shutdown && !tp_ref->is_destroying) { + /* + * Transport found! + */ +@@ -2624,7 +2646,7 @@ PJ_DEF(pj_status_t) pjsip_transport_add_state_listener ( + + PJ_ASSERT_RETURN(tp && cb && key, PJ_EINVAL); + +- if (tp->is_shutdown) { ++ if (tp->is_shutdown || tp->is_destroying) { + *key = NULL; + return PJ_EINVALIDOP; + } +-- +2.26.2 + |