summaryrefslogtreecommitdiff
path: root/net-libs/pjproject/files
diff options
context:
space:
mode:
Diffstat (limited to 'net-libs/pjproject/files')
-rw-r--r--net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch125
-rw-r--r--net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch45
-rw-r--r--net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch108
3 files changed, 278 insertions, 0 deletions
diff --git a/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch b/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch
new file mode 100644
index 000000000000..0d7df686a157
--- /dev/null
+++ b/net-libs/pjproject/files/pjproject-2.10-CVE-2020-15260-tls-hostname-check.patch
@@ -0,0 +1,125 @@
+From 67e46c1ac45ad784db5b9080f5ed8b133c122872 Mon Sep 17 00:00:00 2001
+From: sauwming <ming@teluu.com>
+Date: Mon, 8 Mar 2021 17:39:36 +0800
+Subject: [PATCH] Merge pull request from GHSA-8hcp-hm38-mfph
+
+* Check hostname during TLS transport selection
+
+* revision based on feedback
+
+* remove the code in create_request that has been moved
+---
+ pjsip/include/pjsip/sip_dialog.h | 1 +
+ pjsip/src/pjsip/sip_dialog.c | 15 +++++++++++++++
+ pjsip/src/pjsip/sip_transport.c | 13 +++++++++++++
+ pjsip/src/pjsip/sip_util.c | 11 ++++++++---
+ 4 files changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/pjsip/include/pjsip/sip_dialog.h b/pjsip/include/pjsip/sip_dialog.h
+index a0214d28c..e314c2ece 100644
+--- a/pjsip/include/pjsip/sip_dialog.h
++++ b/pjsip/include/pjsip/sip_dialog.h
+@@ -165,6 +165,7 @@ struct pjsip_dialog
+ pjsip_route_hdr route_set; /**< Route set. */
+ pj_bool_t route_set_frozen; /**< Route set has been set. */
+ pjsip_auth_clt_sess auth_sess; /**< Client authentication session. */
++ pj_str_t initial_dest;/**< Initial destination host. */
+
+ /** Session counter. */
+ int sess_count; /**< Number of sessions. */
+diff --git a/pjsip/src/pjsip/sip_dialog.c b/pjsip/src/pjsip/sip_dialog.c
+index 27530e4f2..9571b5a35 100644
+--- a/pjsip/src/pjsip/sip_dialog.c
++++ b/pjsip/src/pjsip/sip_dialog.c
+@@ -467,6 +467,10 @@ pj_status_t create_uas_dialog( pjsip_user_agent *ua,
+
+ /* Save the remote info. */
+ pj_strdup(dlg->pool, &dlg->remote.info_str, &tmp);
++
++ /* Save initial destination host from transport's info */
++ pj_strdup(dlg->pool, &dlg->initial_dest,
++ &rdata->tp_info.transport->remote_name.host);
+
+
+ /* Init remote's contact from Contact header.
+@@ -1192,6 +1196,12 @@ static pj_status_t dlg_create_request_throw( pjsip_dialog *dlg,
+ return status;
+ }
+
++ /* Copy the initial destination host to tdata. This information can be
++ * used later by transport for transport selection.
++ */
++ if (dlg->initial_dest.slen)
++ pj_strdup(tdata->pool, &tdata->dest_info.name, &dlg->initial_dest);
++
+ /* Done. */
+ *p_tdata = tdata;
+
+@@ -1822,6 +1832,11 @@ static void dlg_update_routeset(pjsip_dialog *dlg, const pjsip_rx_data *rdata)
+ * transaction as the initial transaction that establishes dialog.
+ */
+ if (dlg->role == PJSIP_ROLE_UAC) {
++ /* Save initial destination host from transport's info. */
++ if (!dlg->initial_dest.slen) {
++ pj_strdup(dlg->pool, &dlg->initial_dest,
++ &rdata->tp_info.transport->remote_name.host);
++ }
+
+ /* Ignore subsequent request from remote */
+ if (msg->type != PJSIP_RESPONSE_MSG)
+diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c
+index bef6d24fe..177274b08 100644
+--- a/pjsip/src/pjsip/sip_transport.c
++++ b/pjsip/src/pjsip/sip_transport.c
+@@ -2335,6 +2335,19 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
+ if (!tp_iter->tp->is_shutdown &&
+ !tp_iter->tp->is_destroying)
+ {
++ if ((type & PJSIP_TRANSPORT_SECURE) && tdata) {
++ /* For secure transport, make sure tdata's
++ * destination host matches the transport's
++ * remote host.
++ */
++ if (pj_stricmp(&tdata->dest_info.name,
++ &tp_iter->tp->remote_name.host))
++ {
++ tp_iter = tp_iter->next;
++ continue;
++ }
++ }
++
+ if (sel && sel->type == PJSIP_TPSELECTOR_LISTENER &&
+ sel->u.listener)
+ {
+diff --git a/pjsip/src/pjsip/sip_util.c b/pjsip/src/pjsip/sip_util.c
+index a1bf878ea..cf916805d 100644
+--- a/pjsip/src/pjsip/sip_util.c
++++ b/pjsip/src/pjsip/sip_util.c
+@@ -1417,7 +1417,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_request_stateless(pjsip_endpoint *endpt,
+ */
+ if (tdata->dest_info.addr.count == 0) {
+ /* Copy the destination host name to TX data */
+- pj_strdup(tdata->pool, &tdata->dest_info.name, &dest_info.addr.host);
++ if (!tdata->dest_info.name.slen) {
++ pj_strdup(tdata->pool, &tdata->dest_info.name,
++ &dest_info.addr.host);
++ }
+
+ pjsip_endpt_resolve( endpt, tdata->pool, &dest_info, stateless_data,
+ &stateless_send_resolver_callback);
+@@ -1810,8 +1813,10 @@ PJ_DEF(pj_status_t) pjsip_endpt_send_response( pjsip_endpoint *endpt,
+ }
+ } else {
+ /* Copy the destination host name to TX data */
+- pj_strdup(tdata->pool, &tdata->dest_info.name,
+- &res_addr->dst_host.addr.host);
++ if (!tdata->dest_info.name.slen) {
++ pj_strdup(tdata->pool, &tdata->dest_info.name,
++ &res_addr->dst_host.addr.host);
++ }
+
+ pjsip_endpt_resolve(endpt, tdata->pool, &res_addr->dst_host,
+ send_state, &send_response_resolver_cb);
+--
+2.26.2
+
diff --git a/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch b/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch
new file mode 100644
index 000000000000..9dc9016e491a
--- /dev/null
+++ b/net-libs/pjproject/files/pjproject-2.10-CVE-2021-21375-negotiation-failure-crash.patch
@@ -0,0 +1,45 @@
+From 97b3d7addbaa720b7ddb0af9bf6f3e443e664365 Mon Sep 17 00:00:00 2001
+From: Nanang Izzuddin <nanang@teluu.com>
+Date: Mon, 8 Mar 2021 16:09:34 +0700
+Subject: [PATCH] Merge pull request from GHSA-hvq6-f89p-frvp
+
+---
+ pjmedia/src/pjmedia/sdp_neg.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/pjmedia/src/pjmedia/sdp_neg.c b/pjmedia/src/pjmedia/sdp_neg.c
+index f4838f75d..9f76b5200 100644
+--- a/pjmedia/src/pjmedia/sdp_neg.c
++++ b/pjmedia/src/pjmedia/sdp_neg.c
+@@ -304,7 +304,6 @@ PJ_DEF(pj_status_t) pjmedia_sdp_neg_modify_local_offer2(
+ {
+ pjmedia_sdp_session *new_offer;
+ pjmedia_sdp_session *old_offer;
+- char media_used[PJMEDIA_MAX_SDP_MEDIA];
+ unsigned oi; /* old offer media index */
+ pj_status_t status;
+
+@@ -323,8 +322,19 @@ PJ_DEF(pj_status_t) pjmedia_sdp_neg_modify_local_offer2(
+ /* Change state to STATE_LOCAL_OFFER */
+ neg->state = PJMEDIA_SDP_NEG_STATE_LOCAL_OFFER;
+
++ /* When there is no active local SDP in state PJMEDIA_SDP_NEG_STATE_DONE,
++ * it means that the previous initial SDP nego must have been failed,
++ * so we'll just set the local SDP offer here.
++ */
++ if (!neg->active_local_sdp) {
++ neg->initial_sdp_tmp = NULL;
++ neg->initial_sdp = pjmedia_sdp_session_clone(pool, local);
++ neg->neg_local_sdp = pjmedia_sdp_session_clone(pool, local);
++
++ return PJ_SUCCESS;
++ }
++
+ /* Init vars */
+- pj_bzero(media_used, sizeof(media_used));
+ old_offer = neg->active_local_sdp;
+ new_offer = pjmedia_sdp_session_clone(pool, local);
+
+--
+2.26.2
+
diff --git a/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch b/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch
new file mode 100644
index 000000000000..b036951d9edd
--- /dev/null
+++ b/net-libs/pjproject/files/pjproject-2.10-race-condition-between-transport-destroy-and-acquire.patch
@@ -0,0 +1,108 @@
+From 90a16c523bfdf4d43c10506c972c5fd4250b2856 Mon Sep 17 00:00:00 2001
+From: Nanang Izzuddin <nanang@teluu.com>
+Date: Fri, 20 Nov 2020 10:52:22 +0700
+Subject: [PATCH] Race condition between transport destroy and acquire (#2470)
+
+* Handle race condition between transport_idle_callback() and pjsip_tpmgr_acquire_transport2().
+* Add transport destroy state check as additional of transport shutdown state check
+---
+ pjsip/src/pjsip/sip_transaction.c | 2 +-
+ pjsip/src/pjsip/sip_transport.c | 34 +++++++++++++++++++++++++------
+ 2 files changed, 29 insertions(+), 7 deletions(-)
+
+diff --git a/pjsip/src/pjsip/sip_transaction.c b/pjsip/src/pjsip/sip_transaction.c
+index 2b4ece7df..f663c7f4b 100644
+--- a/pjsip/src/pjsip/sip_transaction.c
++++ b/pjsip/src/pjsip/sip_transaction.c
+@@ -2443,7 +2443,7 @@ static void tsx_update_transport( pjsip_transaction *tsx,
+ pjsip_transport_add_ref(tp);
+ pjsip_transport_add_state_listener(tp, &tsx_tp_state_callback, tsx,
+ &tsx->tp_st_key);
+- if (tp->is_shutdown) {
++ if (tp->is_shutdown || tp->is_destroying) {
+ pjsip_transport_state_info info;
+
+ pj_bzero(&info, sizeof(info));
+diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c
+index 06fce358c..bef6d24fe 100644
+--- a/pjsip/src/pjsip/sip_transport.c
++++ b/pjsip/src/pjsip/sip_transport.c
+@@ -1071,6 +1071,19 @@ static void transport_idle_callback(pj_timer_heap_t *timer_heap,
+ return;
+
+ entry->id = PJ_FALSE;
++
++ /* Set is_destroying flag under transport manager mutex to avoid
++ * race condition with pjsip_tpmgr_acquire_transport2().
++ */
++ pj_lock_acquire(tp->tpmgr->lock);
++ if (pj_atomic_get(tp->ref_cnt) == 0) {
++ tp->is_destroying = PJ_TRUE;
++ } else {
++ pj_lock_release(tp->tpmgr->lock);
++ return;
++ }
++ pj_lock_release(tp->tpmgr->lock);
++
+ pjsip_transport_destroy(tp);
+ }
+
+@@ -1392,8 +1405,8 @@ PJ_DEF(pj_status_t) pjsip_transport_shutdown2(pjsip_transport *tp,
+ mgr = tp->tpmgr;
+ pj_lock_acquire(mgr->lock);
+
+- /* Do nothing if transport is being shutdown already */
+- if (tp->is_shutdown) {
++ /* Do nothing if transport is being shutdown/destroyed already */
++ if (tp->is_shutdown || tp->is_destroying) {
+ pj_lock_release(mgr->lock);
+ pj_lock_release(tp->lock);
+ return PJ_SUCCESS;
+@@ -2256,6 +2269,13 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
+ return PJSIP_ETPNOTSUITABLE;
+ }
+
++ /* Make sure the transport is not being destroyed */
++ if (seltp->is_destroying) {
++ pj_lock_release(mgr->lock);
++ TRACE_((THIS_FILE,"Transport to be acquired is being destroyed"));
++ return PJ_ENOTFOUND;
++ }
++
+ /* We could also verify that the destination address is reachable
+ * from this transport (i.e. both are equal), but if application
+ * has requested a specific transport to be used, assume that
+@@ -2311,8 +2331,10 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
+ if (tp_entry) {
+ transport *tp_iter = tp_entry;
+ do {
+- /* Don't use transport being shutdown */
+- if (!tp_iter->tp->is_shutdown) {
++ /* Don't use transport being shutdown/destroyed */
++ if (!tp_iter->tp->is_shutdown &&
++ !tp_iter->tp->is_destroying)
++ {
+ if (sel && sel->type == PJSIP_TPSELECTOR_LISTENER &&
+ sel->u.listener)
+ {
+@@ -2382,7 +2404,7 @@ PJ_DEF(pj_status_t) pjsip_tpmgr_acquire_transport2(pjsip_tpmgr *mgr,
+ TRACE_((THIS_FILE, "Transport found but from different listener"));
+ }
+
+- if (tp_ref!=NULL && !tp_ref->is_shutdown) {
++ if (tp_ref!=NULL && !tp_ref->is_shutdown && !tp_ref->is_destroying) {
+ /*
+ * Transport found!
+ */
+@@ -2624,7 +2646,7 @@ PJ_DEF(pj_status_t) pjsip_transport_add_state_listener (
+
+ PJ_ASSERT_RETURN(tp && cb && key, PJ_EINVAL);
+
+- if (tp->is_shutdown) {
++ if (tp->is_shutdown || tp->is_destroying) {
+ *key = NULL;
+ return PJ_EINVALIDOP;
+ }
+--
+2.26.2
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-07 14:14:57 +0000