[packages/pjproject] Replace Asterisk patches with current set
jajcus
jajcus at pld-linux.org
Mon May 22 15:10:33 CEST 2017
commit e2742f5785148469e609730ba85cc1a8f6a4ecc8
Author: Jacek Konieczny <j.konieczny at eggsoft.pl>
Date: Mon May 22 15:08:10 2017 +0200
Replace Asterisk patches with current set
Fixes Security issues:
http://downloads.asterisk.org/pub/security/AST-2017-002.html
http://downloads.asterisk.org/pub/security/AST-2017-003.html
Release: 1
0001-r5397-pjsip_generic_array_max_count.patch | 58 ------
0001-r5400-pjsip_tx_data_dec_ref.patch | 24 ---
...oid-deinitialization-of-uninitialized-cli.patch | 56 ------
0002-r5435-add-pjsip_inv_session-ref_cnt.patch | 212 ---------------------
0003-r5403-pjsip_IPV6_V6ONLY.patch | 13 --
...Prevent-SERVFAIL-from-marking-name-server.patch | 48 -----
...-crash-on-using-an-already-destroyed-SSL-.patch | 164 ----------------
0010-evsub-Add-pjsip_evsub_set_uas_timeout.patch | 84 ++++++++
...ackport-Increase-SENDER_WIDTH-column-size.patch | 77 ++++++++
...n-backport-Fix-to-resolve-DNS-SRV-crashes.patch | 112 +++++++++++
0014-Add-pjsip-transport-register-type-ipv6.patch | 62 ++++++
0025-fix-print-xml-crash.patch | 24 +++
...ero-length-multipart-body-parts-correctly.patch | 41 ++++
...43-transaction-key-buffer-is-large-enough.patch | 29 +++
pjproject.spec | 30 +--
15 files changed, 444 insertions(+), 590 deletions(-)
---
diff --git a/pjproject.spec b/pjproject.spec
index e94c1b7..7e72a47 100644
--- a/pjproject.spec
+++ b/pjproject.spec
@@ -20,7 +20,7 @@
Summary: PJSIP - free and open source multimedia communication library
Name: pjproject
Version: 2.6
-Release: 0.1
+Release: 1
License: GPL v2+
Group: Libraries
Source0: http://www.pjsip.org/release/%{version}/%{name}-%{version}.tar.bz2
@@ -29,13 +29,13 @@ Source1: config_site.h
Patch0: %{name}-ilbc-link.patch
Patch1: webrtc_build.patch
# patches from Asterisk
-Patch100: 0001-r5397-pjsip_generic_array_max_count.patch
-Patch101: 0001-r5400-pjsip_tx_data_dec_ref.patch
-Patch102: 0002-Fix-1946-Avoid-deinitialization-of-uninitialized-cli.patch
-Patch103: 0002-r5435-add-pjsip_inv_session-ref_cnt.patch
-Patch104: 0003-r5403-pjsip_IPV6_V6ONLY.patch
-Patch105: 0004-resolver.c-Prevent-SERVFAIL-from-marking-name-server.patch
-Patch106: 0005-Re-1969-Fix-crash-on-using-an-already-destroyed-SSL-.patch
+Patch100: 0010-evsub-Add-pjsip_evsub_set_uas_timeout.patch
+Patch101: 0011-r5554-svn-backport-Increase-SENDER_WIDTH-column-size.patch
+Patch102: 0013-r5559-svn-backport-Fix-to-resolve-DNS-SRV-crashes.patch
+Patch103: 0014-Add-pjsip-transport-register-type-ipv6.patch
+Patch104: 0025-fix-print-xml-crash.patch
+Patch105: 0058-Parse-zero-length-multipart-body-parts-correctly.patch
+Patch106: 0059-Ensure-2543-transaction-key-buffer-is-large-enough.patch
URL: http://www.pjsip.org/
%{?with_video:BuildRequires: SDL2-devel}
BuildRequires: SILK_SDK-devel
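Review bot: The new Patch100–Patch106 block sits under the single comment `# patches from Asterisk`, so nothing in the spec says which entries carry the security fixes the commit message cites. Judging by their names, 0058 (zero-length multipart body parts) and 0059 (2543 transaction key buffer) look like the fixes for AST-2017-002 and AST-2017-003; confirm this against the advisories. Record it next to the entries, for example `# 0058, 0059: security fixes, see AST-2017-002 / AST-2017-003`. That keeps a later patch refresh from dropping them by accident, as this commit drops the earlier r5397/r5400 set.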
@@ -109,13 +109,13 @@ Statyczna biblioteka %{name}.
%patch0 -p1
%patch1 -p1
-#%patch100 -p1
-#%patch101 -p1
-#%patch102 -p1
-#%patch103 -p1
-#%patch104 -p1
-#%patch105 -p1
-#%patch106 -p1
+%patch100 -p1
+%patch101 -p1
+%patch102 -p1
+%patch103 -p1
+%patch104 -p1
+%patch105 -p1
+%patch106 -p1
cp -p %{SOURCE1} pjlib/include/pj/config_site.h
diff --git a/0001-r5397-pjsip_generic_array_max_count.patch b/0001-r5397-pjsip_generic_array_max_count.patch
deleted file mode 100644
index 3cc328a..0000000
--- a/0001-r5397-pjsip_generic_array_max_count.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-This patch updates array limit checks and docs
-in pjsip_evsub_register_pkg() and pjsip_endpt_add_capability().
-
-Index: pjsip/include/pjsip/sip_endpoint.h
-===================================================================
---- a/pjsip/include/pjsip/sip_endpoint.h (revision 5396)
-+++ b/pjsip/include/pjsip/sip_endpoint.h (revision 5397)
-@@ -583,7 +583,8 @@
- * @param hname If htype specifies PJSIP_H_OTHER, then the header name
- * must be supplied in this argument. Otherwise the value
- * must be set to NULL.
-- * @param count The number of tags in the array.
-+ * @param count The number of tags in the array. The value must not
-+ * be greater than PJSIP_GENERIC_ARRAY_MAX_COUNT.
- * @param tags Array of tags describing the capabilities or extensions
- * to be added to the appropriate header.
- *
-Index: pjsip/include/pjsip-simple/evsub.h
-===================================================================
---- a/pjsip/include/pjsip-simple/evsub.h (revision 5396)
-+++ b/pjsip/include/pjsip-simple/evsub.h (revision 5397)
-@@ -246,7 +246,8 @@
- * registered.
- * @param event_name Event package identification.
- * @param expires Default subscription expiration time, in seconds.
-- * @param accept_cnt Number of strings in Accept array.
-+ * @param accept_cnt Number of strings in Accept array. The value must
-+ * not be greater than PJSIP_GENERIC_ARRAY_MAX_COUNT.
- * @param accept Array of Accept value.
- *
- * @return PJ_SUCCESS on success.
-Index: pjsip/src/pjsip/sip_endpoint.c
-===================================================================
---- a/pjsip/src/pjsip/sip_endpoint.c (revision 5396)
-+++ b/pjsip/src/pjsip/sip_endpoint.c (revision 5397)
-@@ -371,6 +371,7 @@
-
- /* Check arguments. */
- PJ_ASSERT_RETURN(endpt!=NULL && count>0 && tags, PJ_EINVAL);
-+ PJ_ASSERT_RETURN(count <= PJSIP_GENERIC_ARRAY_MAX_COUNT, PJ_ETOOMANY);
- PJ_ASSERT_RETURN(htype==PJSIP_H_ACCEPT ||
- htype==PJSIP_H_ALLOW ||
- htype==PJSIP_H_SUPPORTED,
-Index: pjsip/src/pjsip-simple/evsub.c
-===================================================================
---- a/pjsip/src/pjsip-simple/evsub.c (revision 5396)
-+++ b/pjsip/src/pjsip-simple/evsub.c (revision 5397)
-@@ -412,7 +412,9 @@
- unsigned i;
-
- PJ_ASSERT_RETURN(pkg_mod && event_name, PJ_EINVAL);
-- PJ_ASSERT_RETURN(accept_cnt < PJ_ARRAY_SIZE(pkg->pkg_accept->values),
-+
-+ /* Make sure accept_cnt < PJ_ARRAY_SIZE(pkg->pkg_accept->values) */
-+ PJ_ASSERT_RETURN(accept_cnt <= PJSIP_GENERIC_ARRAY_MAX_COUNT,
- PJ_ETOOMANY);
-
- /* Make sure evsub module has been initialized */
diff --git a/0001-r5400-pjsip_tx_data_dec_ref.patch b/0001-r5400-pjsip_tx_data_dec_ref.patch
deleted file mode 100644
index b5c11db..0000000
--- a/0001-r5400-pjsip_tx_data_dec_ref.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-This patch fixes the issue in pjsip_tx_data_dec_ref()
-when tx_data_destroy can be called more than once,
-and checks if invalid value (e.g. NULL) is passed to.
-
-Index: pjsip/src/pjsip/sip_transport.c
-===================================================================
---- a/pjsip/src/pjsip/sip_transport.c (revision 5399)
-+++ b/pjsip/src/pjsip/sip_transport.c (revision 5400)
-@@ -491,8 +491,13 @@
- */
- PJ_DEF(pj_status_t) pjsip_tx_data_dec_ref( pjsip_tx_data *tdata )
- {
-- pj_assert( pj_atomic_get(tdata->ref_cnt) > 0);
-- if (pj_atomic_dec_and_get(tdata->ref_cnt) <= 0) {
-+ pj_atomic_value_t ref_cnt;
-+
-+ PJ_ASSERT_RETURN(tdata && tdata->ref_cnt, PJ_EINVAL);
-+
-+ ref_cnt = pj_atomic_dec_and_get(tdata->ref_cnt);
-+ pj_assert( ref_cnt >= 0);
-+ if (ref_cnt == 0) {
- tx_data_destroy(tdata);
- return PJSIP_EBUFDESTROYED;
- } else {
diff --git a/0002-Fix-1946-Avoid-deinitialization-of-uninitialized-cli.patch b/0002-Fix-1946-Avoid-deinitialization-of-uninitialized-cli.patch
deleted file mode 100644
index c4288a3..0000000
--- a/0002-Fix-1946-Avoid-deinitialization-of-uninitialized-cli.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 33fd755e819dc85a96718abc0ae26a9b46f14800 Mon Sep 17 00:00:00 2001
-From: nanang <nanang at localhost>
-Date: Thu, 28 Jul 2016 08:21:45 +0000
-Subject: [PATCH 2/3] Fix #1946: Avoid deinitialization of uninitialized client
- auth session.
-
----
- pjsip/src/pjsip/sip_dialog.c | 18 ++++++------------
- 1 file changed, 6 insertions(+), 12 deletions(-)
-
-diff --git a/pjsip/src/pjsip/sip_dialog.c b/pjsip/src/pjsip/sip_dialog.c
-index f03885d..421ddc4 100644
---- a/pjsip/src/pjsip/sip_dialog.c
-+++ b/pjsip/src/pjsip/sip_dialog.c
-@@ -92,6 +92,12 @@ static pj_status_t create_dialog( pjsip_user_agent *ua,
- pj_list_init(&dlg->inv_hdr);
- pj_list_init(&dlg->rem_cap_hdr);
-
-+ /* Init client authentication session. */
-+ status = pjsip_auth_clt_init(&dlg->auth_sess, dlg->endpt,
-+ dlg->pool, 0);
-+ if (status != PJ_SUCCESS)
-+ goto on_error;
-+
- status = pj_mutex_create_recursive(pool, dlg->obj_name, &dlg->mutex_);
- if (status != PJ_SUCCESS)
- goto on_error;
-@@ -283,12 +289,6 @@ PJ_DEF(pj_status_t) pjsip_dlg_create_uac( pjsip_user_agent *ua,
- /* Initial route set is empty. */
- pj_list_init(&dlg->route_set);
-
-- /* Init client authentication session. */
-- status = pjsip_auth_clt_init(&dlg->auth_sess, dlg->endpt,
-- dlg->pool, 0);
-- if (status != PJ_SUCCESS)
-- goto on_error;
--
- /* Register this dialog to user agent. */
- status = pjsip_ua_register_dlg( ua, dlg );
- if (status != PJ_SUCCESS)
-@@ -506,12 +506,6 @@ pj_status_t create_uas_dialog( pjsip_user_agent *ua,
- }
- dlg->route_set_frozen = PJ_TRUE;
-
-- /* Init client authentication session. */
-- status = pjsip_auth_clt_init(&dlg->auth_sess, dlg->endpt,
-- dlg->pool, 0);
-- if (status != PJ_SUCCESS)
-- goto on_error;
--
- /* Increment the dialog's lock since tsx may cause the dialog to be
- * destroyed prematurely (such as in case of transport error).
- */
---
-2.7.4
-
diff --git a/0002-r5435-add-pjsip_inv_session-ref_cnt.patch b/0002-r5435-add-pjsip_inv_session-ref_cnt.patch
deleted file mode 100644
index 12ae6a0..0000000
--- a/0002-r5435-add-pjsip_inv_session-ref_cnt.patch
+++ /dev/null
@@ -1,212 +0,0 @@
-When a transport error occured on an INVITE session
-the stack calls on_tsx_state_changed with new state
-PJSIP_INV_STATE_DISCONNECTED and immediately destroys
-the INVITE session.
-At the same time this INVITE session could being processed
-on another thread. This thread could use the session's
-memory pools which were already freed, so we get segfault.
-
-This patch adds a reference counter and new functions:
-pjsip_inv_add_ref and pjsip_inv_dec_ref.
-The INVITE session is destroyed only when the reference
-counter has reached zero.
-
-To avoid race condition an application should call
-pjsip_inv_add_ref/pjsip_inv_dec_ref.
-
-Index: pjsip/include/pjsip-ua/sip_inv.h
-===================================================================
---- a/pjsip/include/pjsip-ua/sip_inv.h (revision 5434)
-+++ b/pjsip/include/pjsip-ua/sip_inv.h (revision 5435)
-@@ -383,6 +383,11 @@
- * Other applications that want to use these pools must understand
- * that the flip-flop pool's lifetimes are synchronized to the
- * SDP offer-answer negotiation.
-+ *
-+ * The lifetime of this session is controlled by the reference counter in this
-+ * structure, which is manipulated by calling #pjsip_inv_add_ref and
-+ * #pjsip_inv_dec_ref. When the reference counter has reached zero, then
-+ * this session will be destroyed.
- */
- struct pjsip_inv_session
- {
-@@ -412,6 +417,7 @@
- struct pjsip_timer *timer; /**< Session Timers. */
- pj_bool_t following_fork; /**< Internal, following
- forked media? */
-+ pj_atomic_t *ref_cnt; /**< Reference counter. */
- };
-
-
-@@ -631,6 +637,30 @@
-
-
- /**
-+ * Add reference counter to the INVITE session. The reference counter controls
-+ * the life time of the session, ie. when the counter reaches zero, then it
-+ * will be destroyed.
-+ *
-+ * @param inv The INVITE session.
-+ * @return PJ_SUCCESS if the INVITE session reference counter
-+ * was increased.
-+ */
-+PJ_DECL(pj_status_t) pjsip_inv_add_ref( pjsip_inv_session *inv );
-+
-+/**
-+ * Decrement reference counter of the INVITE session.
-+ * When the session is no longer used, it will be destroyed and
-+ * caller is informed with PJ_EGONE return status.
-+ *
-+ * @param inv The INVITE session.
-+ * @return PJ_SUCCESS if the INVITE session reference counter
-+ * was decreased. A status PJ_EGONE will be returned to
-+ * inform that session is destroyed.
-+ */
-+PJ_DECL(pj_status_t) pjsip_inv_dec_ref( pjsip_inv_session *inv );
-+
-+
-+/**
- * Forcefully terminate and destroy INVITE session, regardless of
- * the state of the session. Note that this function should only be used
- * when there is failure in the INVITE session creation. After the
-Index: pjsip/src/pjsip-ua/sip_inv.c
-===================================================================
---- a/pjsip/src/pjsip-ua/sip_inv.c (revision 5434)
-+++ b/pjsip/src/pjsip-ua/sip_inv.c (revision 5435)
-@@ -195,6 +195,65 @@
- }
-
- /*
-+ * Add reference to INVITE session.
-+ */
-+PJ_DEF(pj_status_t) pjsip_inv_add_ref( pjsip_inv_session *inv )
-+{
-+ PJ_ASSERT_RETURN(inv && inv->ref_cnt, PJ_EINVAL);
-+
-+ pj_atomic_inc(inv->ref_cnt);
-+
-+ return PJ_SUCCESS;
-+}
-+
-+static void inv_session_destroy(pjsip_inv_session *inv)
-+{
-+ if (inv->last_ack) {
-+ pjsip_tx_data_dec_ref(inv->last_ack);
-+ inv->last_ack = NULL;
-+ }
-+ if (inv->invite_req) {
-+ pjsip_tx_data_dec_ref(inv->invite_req);
-+ inv->invite_req = NULL;
-+ }
-+ if (inv->pending_bye) {
-+ pjsip_tx_data_dec_ref(inv->pending_bye);
-+ inv->pending_bye = NULL;
-+ }
-+ pjsip_100rel_end_session(inv);
-+ pjsip_timer_end_session(inv);
-+ pjsip_dlg_dec_session(inv->dlg, &mod_inv.mod);
-+
-+ /* Release the flip-flop pools */
-+ pj_pool_release(inv->pool_prov);
-+ inv->pool_prov = NULL;
-+ pj_pool_release(inv->pool_active);
-+ inv->pool_active = NULL;
-+
-+ pj_atomic_destroy(inv->ref_cnt);
-+ inv->ref_cnt = NULL;
-+}
-+
-+/*
-+ * Decrease INVITE session reference, destroy it when the reference count
-+ * reaches zero.
-+ */
-+PJ_DEF(pj_status_t) pjsip_inv_dec_ref( pjsip_inv_session *inv )
-+{
-+ pj_atomic_value_t ref_cnt;
-+
-+ PJ_ASSERT_RETURN(inv && inv->ref_cnt, PJ_EINVAL);
-+
-+ ref_cnt = pj_atomic_dec_and_get(inv->ref_cnt);
-+ pj_assert( ref_cnt >= 0);
-+ if (ref_cnt == 0) {
-+ inv_session_destroy(inv);
-+ return PJ_EGONE;
-+ }
-+ return PJ_SUCCESS;
-+}
-+
-+/*
- * Set session state.
- */
- static void inv_set_state(pjsip_inv_session *inv, pjsip_inv_state state,
-@@ -261,27 +320,7 @@
- if (inv->state == PJSIP_INV_STATE_DISCONNECTED &&
- prev_state != PJSIP_INV_STATE_DISCONNECTED)
- {
-- if (inv->last_ack) {
-- pjsip_tx_data_dec_ref(inv->last_ack);
-- inv->last_ack = NULL;
-- }
-- if (inv->invite_req) {
-- pjsip_tx_data_dec_ref(inv->invite_req);
-- inv->invite_req = NULL;
-- }
-- if (inv->pending_bye) {
-- pjsip_tx_data_dec_ref(inv->pending_bye);
-- inv->pending_bye = NULL;
-- }
-- pjsip_100rel_end_session(inv);
-- pjsip_timer_end_session(inv);
-- pjsip_dlg_dec_session(inv->dlg, &mod_inv.mod);
--
-- /* Release the flip-flop pools */
-- pj_pool_release(inv->pool_prov);
-- inv->pool_prov = NULL;
-- pj_pool_release(inv->pool_active);
-- inv->pool_active = NULL;
-+ pjsip_inv_dec_ref(inv);
- }
- }
-
-@@ -838,6 +877,12 @@
- inv = PJ_POOL_ZALLOC_T(dlg->pool, pjsip_inv_session);
- pj_assert(inv != NULL);
-
-+ status = pj_atomic_create(dlg->pool, 0, &inv->ref_cnt);
-+ if (status != PJ_SUCCESS) {
-+ pjsip_dlg_dec_lock(dlg);
-+ return status;
-+ }
-+
- inv->pool = dlg->pool;
- inv->role = PJSIP_ROLE_UAC;
- inv->state = PJSIP_INV_STATE_NULL;
-@@ -881,6 +926,7 @@
- pjsip_100rel_attach(inv);
-
- /* Done */
-+ pjsip_inv_add_ref(inv);
- *p_inv = inv;
-
- pjsip_dlg_dec_lock(dlg);
-@@ -1471,6 +1517,12 @@
- inv = PJ_POOL_ZALLOC_T(dlg->pool, pjsip_inv_session);
- pj_assert(inv != NULL);
-
-+ status = pj_atomic_create(dlg->pool, 0, &inv->ref_cnt);
-+ if (status != PJ_SUCCESS) {
-+ pjsip_dlg_dec_lock(dlg);
-+ return status;
-+ }
-+
- inv->pool = dlg->pool;
- inv->role = PJSIP_ROLE_UAS;
- inv->state = PJSIP_INV_STATE_NULL;
-@@ -1540,6 +1592,7 @@
- }
-
- /* Done */
-+ pjsip_inv_add_ref(inv);
- pjsip_dlg_dec_lock(dlg);
- *p_inv = inv;
-
diff --git a/0003-r5403-pjsip_IPV6_V6ONLY.patch b/0003-r5403-pjsip_IPV6_V6ONLY.patch
deleted file mode 100644
index b324b53..0000000
--- a/0003-r5403-pjsip_IPV6_V6ONLY.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- a/pjlib/src/pj/sock_bsd.c
-+++ b/pjlib/src/pj/sock_bsd.c
-@@ -539,6 +539,10 @@
- pj_sock_setsockopt(*sock, pj_SOL_SOCKET(), pj_SO_NOSIGPIPE(),
- &val, sizeof(val));
- }
-+ if (af != PJ_AF_INET) { /* Linux Kernel 2.4.21; June 2003 */
-+ pj_sock_setsockopt(*sock, PJ_SOL_IPV6, IPV6_V6ONLY,
-+ &val, sizeof(val));
-+ }
- #if defined(PJ_IPHONE_OS_HAS_MULTITASKING_SUPPORT) && \
- PJ_IPHONE_OS_HAS_MULTITASKING_SUPPORT!=0
- if (type == pj_SOCK_DGRAM()) {
diff --git a/0004-resolver.c-Prevent-SERVFAIL-from-marking-name-server.patch b/0004-resolver.c-Prevent-SERVFAIL-from-marking-name-server.patch
deleted file mode 100644
index 55f3d2d..0000000
--- a/0004-resolver.c-Prevent-SERVFAIL-from-marking-name-server.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From a5efddbe9151e9ad99279e59566c86f8bc27d3a9 Mon Sep 17 00:00:00 2001
-From: George Joseph <gjoseph at digium.com>
-Date: Wed, 7 Sep 2016 13:10:57 -0600
-Subject: [PATCH] resolver.c: Prevent SERVFAIL from marking name server bad
-
-A name server that returns "Server Failure" is indicating only that
-the server couldn't process that particular request. We should NOT
-assume that the name server is incapable of serving other requests.
-
-Here's the scenario we've been encountering...
-
-* 2 local name servers configured in resolv.conf.
-* An OPTIONS request causes a request for A and AAAA records to go out
- to both nameservers.
-* The A responses both come back successfully resolved.
-* Because of an issue at some upstream nameserver, the AAAA responses
- for that particular query come back as "SERVFAIL" from both local
- name servers.
-* Both local servers are marked as bad and no further queries can be
- sent until the 60 second ttl expires. Only previously cached results
- can be used.
-* In this case, 60 seconds is just enough time for another OPTIONS
- request to go out to the same host so the cycle repeats.
-
-We could set the bad ttl really low but that also affects REFUSED and
-NOTAUTH which probably DO signal a real server issue. Besides, even
-a really low bad ttl would be an issue on a pbx.
----
- pjlib-util/src/pjlib-util/resolver.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/pjlib-util/src/pjlib-util/resolver.c b/pjlib-util/src/pjlib-util/resolver.c
-index d277e4f..540f88f 100644
---- a/pjlib-util/src/pjlib-util/resolver.c
-+++ b/pjlib-util/src/pjlib-util/resolver.c
-@@ -1384,8 +1384,7 @@ static void report_nameserver_status(pj_dns_resolver *resolver,
- q_id = (pj_uint32_t)-1;
- }
-
-- if (!pkt || rcode == PJ_DNS_RCODE_SERVFAIL ||
-- rcode == PJ_DNS_RCODE_REFUSED ||
-+ if (!pkt || rcode == PJ_DNS_RCODE_REFUSED ||
- rcode == PJ_DNS_RCODE_NOTAUTH)
- {
- is_good = PJ_FALSE;
---
-2.7.4
-
diff --git a/0005-Re-1969-Fix-crash-on-using-an-already-destroyed-SSL-.patch b/0005-Re-1969-Fix-crash-on-using-an-already-destroyed-SSL-.patch
deleted file mode 100644
index 551e61a..0000000
--- a/0005-Re-1969-Fix-crash-on-using-an-already-destroyed-SSL-.patch
+++ /dev/null
@@ -1,164 +0,0 @@
-From 9e67e0d5c3fdc747530a956038b374fca4748b76 Mon Sep 17 00:00:00 2001
-From: riza <riza at localhost>
-Date: Thu, 13 Oct 2016 09:02:50 +0000
-Subject: [PATCH 1/4] Re #1969: Fix crash on using an already destroyed SSL
- socket.
-
----
- pjlib/src/pj/ssl_sock_ossl.c | 66 ++++++++++++++++++++++++++++----------------
- 1 file changed, 42 insertions(+), 24 deletions(-)
-
-diff --git a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c
-index fa0db2d..ceab67a 100644
---- a/pjlib/src/pj/ssl_sock_ossl.c
-+++ b/pjlib/src/pj/ssl_sock_ossl.c
-@@ -822,7 +822,10 @@ static void close_sockets(pj_ssl_sock_t *ssock)
- pj_lock_acquire(ssock->write_mutex);
- asock = ssock->asock;
- if (asock) {
-- ssock->asock = NULL;
-+ // Don't set ssock->asock to NULL, as it may trigger assertion in
-+ // send operation. This should be safe as active socket will simply
-+ // return PJ_EINVALIDOP on any operation if it is already closed.
-+ //ssock->asock = NULL;
- ssock->sock = PJ_INVALID_SOCKET;
- }
- sock = ssock->sock;
-@@ -841,9 +844,9 @@ static void close_sockets(pj_ssl_sock_t *ssock)
- /* Reset SSL socket state */
- static void reset_ssl_sock_state(pj_ssl_sock_t *ssock)
- {
-+ pj_lock_acquire(ssock->write_mutex);
- ssock->ssl_state = SSL_STATE_NULL;
--
-- destroy_ssl(ssock);
-+ pj_lock_release(ssock->write_mutex);
-
- close_sockets(ssock);
-
-@@ -1612,6 +1615,21 @@ static pj_status_t do_handshake(pj_ssl_sock_t *ssock)
- return PJ_EPENDING;
- }
-
-+static void ssl_on_destroy(void *arg)
-+{
-+ pj_pool_t *pool = NULL;
-+ pj_ssl_sock_t *ssock = (pj_ssl_sock_t*)arg;
-+
-+ destroy_ssl(ssock);
-+
-+ pj_lock_destroy(ssock->write_mutex);
-+
-+ pool = ssock->pool;
-+ ssock->pool = NULL;
-+ if (pool)
-+ pj_pool_release(pool);
-+}
-+
-
- /*
- *******************************************************************
-@@ -1830,7 +1848,7 @@ static pj_bool_t asock_on_accept_complete (pj_activesock_t *asock,
-
- /* Create new SSL socket instance */
- status = pj_ssl_sock_create(ssock_parent->pool,
-- &ssock_parent->newsock_param, &ssock);
-+ &ssock_parent->newsock_param, &ssock);
- if (status != PJ_SUCCESS)
- goto on_return;
-
-@@ -1906,12 +1924,10 @@ static pj_bool_t asock_on_accept_complete (pj_activesock_t *asock,
- if (status != PJ_SUCCESS)
- goto on_return;
-
-- /* Temporarily add ref the group lock until active socket creation,
-- * to make sure that group lock is destroyed if the active socket
-- * creation fails.
-- */
- pj_grp_lock_add_ref(glock);
- asock_cfg.grp_lock = ssock->param.grp_lock = glock;
-+ pj_grp_lock_add_handler(ssock->param.grp_lock, ssock->pool, ssock,
-+ ssl_on_destroy);
- }
-
- pj_bzero(&asock_cb, sizeof(asock_cb));
-@@ -1927,11 +1943,6 @@ static pj_bool_t asock_on_accept_complete (pj_activesock_t *asock,
- ssock,
- &ssock->asock);
-
-- /* This will destroy the group lock if active socket creation fails */
-- if (asock_cfg.grp_lock) {
-- pj_grp_lock_dec_ref(asock_cfg.grp_lock);
-- }
--
- if (status != PJ_SUCCESS)
- goto on_return;
-
-@@ -2251,17 +2262,26 @@ PJ_DEF(pj_status_t) pj_ssl_sock_create (pj_pool_t *pool,
- /* Create secure socket mutex */
- status = pj_lock_create_recursive_mutex(pool, pool->obj_name,
- &ssock->write_mutex);
-- if (status != PJ_SUCCESS)
-+ if (status != PJ_SUCCESS) {
-+ pj_pool_release(pool);
- return status;
-+ }
-
- /* Init secure socket param */
- pj_ssl_sock_param_copy(pool, &ssock->param, param);
-+
-+ if (ssock->param.grp_lock) {
-+ pj_grp_lock_add_ref(ssock->param.grp_lock);
-+ pj_grp_lock_add_handler(ssock->param.grp_lock, pool, ssock,
-+ ssl_on_destroy);
-+ }
-+
- ssock->param.read_buffer_size = ((ssock->param.read_buffer_size+7)>>3)<<3;
- if (!ssock->param.timer_heap) {
- PJ_LOG(3,(ssock->pool->obj_name, "Warning: timer heap is not "
- "available. It is recommended to supply one to avoid "
-- "a race condition if more than one worker threads "
-- "are used."));
-+ "a race condition if more than one worker threads "
-+ "are used."));
- }
-
- /* Finally */
-@@ -2277,8 +2297,6 @@ PJ_DEF(pj_status_t) pj_ssl_sock_create (pj_pool_t *pool,
- */
- PJ_DEF(pj_status_t) pj_ssl_sock_close(pj_ssl_sock_t *ssock)
- {
-- pj_pool_t *pool;
--
- PJ_ASSERT_RETURN(ssock, PJ_EINVAL);
-
- if (!ssock->pool)
-@@ -2290,12 +2308,11 @@ PJ_DEF(pj_status_t) pj_ssl_sock_close(pj_ssl_sock_t *ssock)
- }
-
- reset_ssl_sock_state(ssock);
-- pj_lock_destroy(ssock->write_mutex);
--
-- pool = ssock->pool;
-- ssock->pool = NULL;
-- if (pool)
-- pj_pool_release(pool);
-+ if (ssock->param.grp_lock) {
-+ pj_grp_lock_dec_ref(ssock->param.grp_lock);
-+ } else {
-+ ssl_on_destroy(ssock);
-+ }
-
- return PJ_SUCCESS;
- }
-@@ -2782,6 +2799,7 @@ pj_ssl_sock_start_accept2(pj_ssl_sock_t *ssock,
-
- /* Start accepting */
- pj_ssl_sock_param_copy(pool, &ssock->newsock_param, newsock_param);
-+ ssock->newsock_param.grp_lock = NULL;
- status = pj_activesock_start_accept(ssock->asock, pool);
- if (status != PJ_SUCCESS)
- goto on_error;
---
-2.7.4
-
diff --git a/0010-evsub-Add-pjsip_evsub_set_uas_timeout.patch b/0010-evsub-Add-pjsip_evsub_set_uas_timeout.patch
new file mode 100644
index 0000000..a55aa00
--- /dev/null
+++ b/0010-evsub-Add-pjsip_evsub_set_uas_timeout.patch
@@ -0,0 +1,84 @@
+From b7af9e6639f29feb4db6d0866c98e552b025ec96 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph at digium.com>
+Date: Mon, 6 Feb 2017 15:39:29 -0700
+Subject: [PATCH] evsub: Add pjsip_evsub_set_uas_timeout.
+
+A UAS which needs to recreate incoming subscriptions from a persistent
+store can call pjsip_dlg_create_uas_and_inc_lock and
+pjsip_evsub_create_uas as long as they've persisted the
+correct data but since the timer is triggered by an incoming subscribe,
+it's never set and the subscription never expires.
+
+* Add pjsip_evsub_set_uas_timeout which is just a wrapper around
+ evsub.c:set_timeout(sub, TIMER_TYPE_UAS_TIMEOUT, seconds)
+
+* Also, fixed copy-paste error in pjsip_sub_state_hdr_print when
+ printing retry-after parameter.
+---
+ pjsip/include/pjsip-simple/evsub.h | 14 ++++++++++++++
+ pjsip/src/pjsip-simple/evsub.c | 10 ++++++++++
+ pjsip/src/pjsip-simple/evsub_msg.c | 2 +-
+ 3 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/pjsip/include/pjsip-simple/evsub.h b/pjsip/include/pjsip-simple/evsub.h
+index 82e0a7c..45e6411 100644
+--- a/pjsip/include/pjsip-simple/evsub.h
++++ b/pjsip/include/pjsip-simple/evsub.h
+@@ -511,6 +511,20 @@ PJ_DEF(pj_status_t) pjsip_evsub_add_ref(pjsip_evsub *sub);
+ PJ_DEF(pj_status_t) pjsip_evsub_dec_ref(pjsip_evsub *sub);
+
+
++/**
++ * Sets, resets or cancels the UAS subscription timeout.
++ *
++ * If there is an existing timer, it is cancelled before any
++ * other action.
++ *
++ * A timeout of 0 is ignored except that any existing timer
++ * is cancelled.
++ *
++ * @param sub The server subscription instance.
++ * @param seconds The new timeout.
++ */
++PJ_DEF(void) pjsip_evsub_set_uas_timeout(pjsip_evsub *sub, pj_int32_t seconds);
++
+
+ PJ_END_DECL
+
+diff --git a/pjsip/src/pjsip-simple/evsub.c b/pjsip/src/pjsip-simple/evsub.c
+index 3fe4b49..6918a8c 100644
+--- a/pjsip/src/pjsip-simple/evsub.c
++++ b/pjsip/src/pjsip-simple/evsub.c
+@@ -530,6 +530,16 @@ static void set_timer( pjsip_evsub *sub, int timer_id,
+
+
+ /*
++ * Set event subscription UAS timout.
++ */
++PJ_DEF(void) pjsip_evsub_set_uas_timeout(pjsip_evsub *sub, pj_int32_t seconds)
++{
++ PJ_ASSERT_RETURN(sub != NULL, PJ_EINVAL);
++ set_timer(sub, TIMER_TYPE_UAS_TIMEOUT, seconds);
++}
++
++
++/*
+ * Destructor.
+ */
+ static void evsub_on_destroy(void *obj)
+diff --git a/pjsip/src/pjsip-simple/evsub_msg.c b/pjsip/src/pjsip-simple/evsub_msg.c
+index b44a715..b37db1c 100644
+--- a/pjsip/src/pjsip-simple/evsub_msg.c
++++ b/pjsip/src/pjsip-simple/evsub_msg.c
+@@ -179,7 +179,7 @@ static int pjsip_sub_state_hdr_print(pjsip_sub_state_hdr *hdr,
+ }
+ if (hdr->retry_after >= 0) {
+ pj_memcpy(p, ";retry-after=", 13);
+- p += 9;
++ p += 13;
+ printed = pj_utoa(hdr->retry_after, p);
+ p += printed;
+ }
+--
+2.9.3
+
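Review bot: In evsub.c, `pjsip_evsub_set_uas_timeout()` is defined as `PJ_DEF(void)` but checks its argument with `PJ_ASSERT_RETURN(sub != NULL, PJ_EINVAL);`, which expands to a `return` carrying a value. That is a constraint violation in a void function, and the NULL case stays invisible to the caller. Use the statement form, `PJ_ASSERT_ON_FAIL(sub != NULL, return);`, or return `pj_status_t` so the failure can be seen. The header prototype uses `PJ_DEF` where a declaration normally takes `PJ_DECL` (the add_ref/dec_ref prototypes in the context lines do the same), and the new comment misspells "timeout" as "timout". In evsub_msg.c the corrected `p += 13` now matches the 13 bytes copied, but the space check for the output buffer is outside the hunk, so confirm it accounts for the full `;retry-after=` string plus the digits.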
diff --git a/0011-r5554-svn-backport-Increase-SENDER_WIDTH-column-size.patch b/0011-r5554-svn-backport-Increase-SENDER_WIDTH-column-size.patch
new file mode 100644
index 0000000..4c53337
--- /dev/null
+++ b/0011-r5554-svn-backport-Increase-SENDER_WIDTH-column-size.patch
@@ -0,0 +1,77 @@
+From df1ceb301c8a17969c467e3cf00246cfc28d1732 Mon Sep 17 00:00:00 2001
+From: Richard Mudgett <rmudgett at digium.com>
+Date: Mon, 20 Feb 2017 12:19:05 -0600
+Subject: [PATCH 1/5] r5554 svn backport Increase SENDER_WIDTH column size for
+ 64-bit systems.
+
+Re #1994 (misc): Make the log's sender and thread width a compile-time configurable setting.
+
+Thanks to Richard Mudgett for the suggestion.
+---
+ pjlib/include/pj/config.h | 27 +++++++++++++++++++++++++++
+ pjlib/src/pj/log.c | 4 ++--
+ 2 files changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/pjlib/include/pj/config.h b/pjlib/include/pj/config.h
+index 079d69b..3523f50 100644
+--- a/pjlib/include/pj/config.h
++++ b/pjlib/include/pj/config.h
+@@ -442,6 +442,33 @@
+ #endif
+
+ /**
++ * Log sender width.
++ *
++ * Default: 22 (for 64-bit machines), 14 otherwise
++ */
++#ifndef PJ_LOG_SENDER_WIDTH
++# if PJ_HAS_STDINT_H
++# include <stdint.h>
++# if (UINTPTR_MAX == 0xffffffffffffffff)
++# define PJ_LOG_SENDER_WIDTH 22
++# else
++# define PJ_LOG_SENDER_WIDTH 14
++# endif
++# else
++# define PJ_LOG_SENDER_WIDTH 14
++# endif
++#endif
++
++/**
++ * Log thread name width.
++ *
++ * Default: 12
++ */
++#ifndef PJ_LOG_THREAD_WIDTH
++# define PJ_LOG_THREAD_WIDTH 12
++#endif
++
++/**
+ * Colorfull terminal (for logging etc).
+ *
+ * Default: 1
+diff --git a/pjlib/src/pj/log.c b/pjlib/src/pj/log.c
+index 293ad46..cf7ac37 100644
+--- a/pjlib/src/pj/log.c
++++ b/pjlib/src/pj/log.c
+@@ -380,7 +380,7 @@ PJ_DEF(void) pj_log( const char *sender, int level,
+ pre += pj_utoa_pad(ptime.msec, pre, 3, '0');
+ }
+ if (log_decor & PJ_LOG_HAS_SENDER) {
+- enum { SENDER_WIDTH = 14 };
++ enum { SENDER_WIDTH = PJ_LOG_SENDER_WIDTH };
+ pj_size_t sender_len = strlen(sender);
+ if (pre!=log_buffer) *pre++ = ' ';
+ if (sender_len <= SENDER_WIDTH) {
+@@ -395,7 +395,7 @@ PJ_DEF(void) pj_log( const char *sender, int level,
+ }
+ }
+ if (log_decor & PJ_LOG_HAS_THREAD_ID) {
+- enum { THREAD_WIDTH = 12 };
++ enum { THREAD_WIDTH = PJ_LOG_THREAD_WIDTH };
+ const char *thread_name = pj_thread_get_name(pj_thread_this());
+ pj_size_t thread_len = strlen(thread_name);
+ *pre++ = ' ';
+--
+2.7.4
+
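Review bot: `PJ_LOG_SENDER_WIDTH` and `PJ_LOG_THREAD_WIDTH` become build-time overrides in config.h with no documented upper bound, and pj_log() uses them as column widths while writing through `pre` into its prefix buffer. The buffer size and any bounds check are outside the hunk, so it cannot be confirmed from here that an oversized override is harmless. State the constraint in both doc comments, for example `* The value must leave room for the rest of the log prefix within PJ_LOG_MAX_SIZE.`, and consider a compile-time guard next to the defaults. The 64-bit test `UINTPTR_MAX == 0xffffffffffffffff` would also read more clearly against `UINT64_MAX`, or with an explicit `ULL` suffix.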
diff --git a/0013-r5559-svn-backport-Fix-to-resolve-DNS-SRV-crashes.patch b/0013-r5559-svn-backport-Fix-to-resolve-DNS-SRV-crashes.patch
new file mode 100644
index 0000000..dc03cbc
--- /dev/null
+++ b/0013-r5559-svn-backport-Fix-to-resolve-DNS-SRV-crashes.patch
@@ -0,0 +1,112 @@
+From d9d52f005f6d0242ea84e7c59ad6b25f052c8485 Mon Sep 17 00:00:00 2001
+From: Richard Mudgett <rmudgett at digium.com>
+Date: Mon, 20 Feb 2017 12:05:32 -0600
+Subject: [PATCH 3/5] r5559 svn backport Fix to resolve DNS SRV crashes.
+
+Re #1994 (misc): Don't try to resolve a DNS SRV query that is already considered resolved.
+Thanks to Richard Mudgett for the patch.
+
+srv_resolver.c: Don't try to send query if already considered resolved.
+
+* In resolve_hostnames() don't try to resolve a query that is already
+considered resolved.
+
+* In resolve_hostnames() fix DNS typo in comments.
+
+* In build_server_entries() move a common expression assigning to cnt
+earlier.
+
+sip_transport.c: Fix tdata object name to actually contain the pointer.
+
+It helps if the logs referencing a tdata object buffer actually have
+a name that includes the correct pointer as part of the name. Also
+since the tdata has its own pool it helps if any logs referencing the
+pool have the same name as the tdata object. This change brings tdata
+logging in line with how tsx objects are named.
+---
+ pjlib-util/src/pjlib-util/srv_resolver.c | 18 +++++++++++++-----
+ pjsip/src/pjsip/sip_transport.c | 3 ++-
+ 2 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/pjlib-util/src/pjlib-util/srv_resolver.c b/pjlib-util/src/pjlib-util/srv_resolver.c
+index 8a2f7e1..84ad3f6 100644
+--- a/pjlib-util/src/pjlib-util/srv_resolver.c
++++ b/pjlib-util/src/pjlib-util/srv_resolver.c
+@@ -407,8 +407,9 @@ static void build_server_entries(pj_dns_srv_async_query *query_job,
+ for (i=0; i<query_job->srv_cnt; ++i) {
+ pj_in_addr addr;
+ pj_in6_addr addr6;
++ unsigned cnt = query_job->srv[i].addr_cnt;
+
+- if (query_job->srv[i].addr_cnt != 0) {
++ if (cnt != 0) {
+ /* IP address already resolved */
+ continue;
+ }
+@@ -417,7 +418,6 @@ static void build_server_entries(pj_dns_srv_async_query *query_job,
+ pj_inet_pton(pj_AF_INET(), &query_job->srv[i].target_name,
+ &addr) == PJ_SUCCESS)
+ {
+- unsigned cnt = query_job->srv[i].addr_cnt;
+ pj_sockaddr_init(pj_AF_INET(), &query_job->srv[i].addr[cnt],
+ NULL, query_job->srv[i].port);
+ query_job->srv[i].addr[cnt].ipv4.sin_addr = addr;
+@@ -427,7 +427,6 @@ static void build_server_entries(pj_dns_srv_async_query *query_job,
+ pj_inet_pton(pj_AF_INET6(), &query_job->srv[i].target_name,
+ &addr6) == PJ_SUCCESS)
+ {
+- unsigned cnt = query_job->srv[i].addr_cnt;
+ pj_sockaddr_init(pj_AF_INET6(), &query_job->srv[i].addr[cnt],
+ NULL, query_job->srv[i].port);
+ query_job->srv[i].addr[cnt].ipv6.sin6_addr = addr6;
+@@ -480,6 +479,15 @@ static pj_status_t resolve_hostnames(pj_dns_srv_async_query *query_job)
+ for (i=0; i<query_job->srv_cnt; ++i) {
+ struct srv_target *srv = &query_job->srv[i];
+
++ if (srv->addr_cnt != 0) {
++ /*
++ * This query is already counted as resolved because of the
++ * additional records in the SRV response or the target name
++ * is an IP address exception in build_server_entries().
++ */
++ continue;
++ }
++
+ PJ_LOG(5, (query_job->objname,
+ "Starting async DNS A query_job for %.*s",
+ (int)srv->target_name.slen,
+@@ -493,7 +501,7 @@ static pj_status_t resolve_hostnames(pj_dns_srv_async_query *query_job)
+
+ status = PJ_SUCCESS;
+
+- /* Start DNA A record query */
++ /* Start DNS A record query */
+ if ((query_job->option & PJ_DNS_SRV_RESOLVE_AAAA_ONLY) == 0)
+ {
+ if ((query_job->option & PJ_DNS_SRV_RESOLVE_AAAA) != 0) {
+@@ -511,7 +519,7 @@ static pj_status_t resolve_hostnames(pj_dns_srv_async_query *query_job)
+ &srv->common, &srv->q_a);
+ }
+
+- /* Start DNA AAAA record query */
++ /* Start DNS AAAA record query */
+ if (status == PJ_SUCCESS &&
+ (query_job->option & PJ_DNS_SRV_RESOLVE_AAAA) != 0)
+ {
+diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c
+index d672a6d..6dd14d1 100644
+--- a/pjsip/src/pjsip/sip_transport.c
++++ b/pjsip/src/pjsip/sip_transport.c
+@@ -422,7 +422,8 @@ PJ_DEF(pj_status_t) pjsip_tx_data_create( pjsip_tpmgr *mgr,
+ tdata = PJ_POOL_ZALLOC_T(pool, pjsip_tx_data);
+ tdata->pool = pool;
+ tdata->mgr = mgr;
+- pj_memcpy(tdata->obj_name, pool->obj_name, PJ_MAX_OBJ_NAME);
++ pj_ansi_snprintf(tdata->obj_name, sizeof(tdata->obj_name), "tdta%p", tdata);
++ pj_memcpy(pool->obj_name, tdata->obj_name, sizeof(pool->obj_name));
+
+ status = pj_atomic_create(tdata->pool, 0, &tdata->ref_cnt);
+ if (status != PJ_SUCCESS) {
+--
+2.7.4
+
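Review bot: In pjsip_tx_data_create() the new `pj_memcpy(pool->obj_name, tdata->obj_name, sizeof(pool->obj_name));` sizes the copy by the destination while reading from a different array, so it reads past the source if `tdata->obj_name` is ever the smaller of the two. Both declarations are outside the hunk (the removed line used `PJ_MAX_OBJ_NAME` for the same pair), so this is probably safe today but fragile. Writing `pj_ansi_snprintf(pool->obj_name, sizeof(pool->obj_name), "%s", tdata->obj_name);` ties both the bound and the terminator to the destination. `%p` expects a `void *`, so pass `(void *)tdata`; the object name also puts a heap address into every log line that prints it, which matters if logs leave the host. In build_server_entries() `cnt` is always 0 after the `continue`, so `addr[cnt]` is really `addr[0]`, and a one-line comment saying so would help the next reader.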
diff --git a/0014-Add-pjsip-transport-register-type-ipv6.patch b/0014-Add-pjsip-transport-register-type-ipv6.patch
new file mode 100644
index 0000000..796473a
--- /dev/null
+++ b/0014-Add-pjsip-transport-register-type-ipv6.patch
@@ -0,0 +1,62 @@
+From daeb0956524606b597704a90b54d81340e10b3e4 Mon Sep 17 00:00:00 2001
+From: Joshua Colp <jcolp at digium.com>
+Date: Tue, 7 Mar 2017 12:32:49 +0000
+Subject: [PATCH] Add support for registering IPv6 transport type.
+
+This change allows an IPv6 transport type to be registered
+and used. The IPv4 transport is found (if available) and the
+IPv4 flag added to its type to match how the finding of
+IPv6 transport types works.
+---
+ pjsip/src/pjsip/sip_transport.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/pjsip/src/pjsip/sip_transport.c b/pjsip/src/pjsip/sip_transport.c
+index 7df6138..ce72814 100644
+--- a/pjsip/src/pjsip/sip_transport.c
++++ b/pjsip/src/pjsip/sip_transport.c
+@@ -236,6 +236,7 @@ PJ_DEF(pj_status_t) pjsip_transport_register_type( unsigned tp_flag,
+ int *p_tp_type)
+ {
+ unsigned i;
++ pjsip_transport_type_e parent = 0;
+
+ PJ_ASSERT_RETURN(tp_flag && tp_name && def_port, PJ_EINVAL);
+ PJ_ASSERT_RETURN(pj_ansi_strlen(tp_name) <
+@@ -243,6 +244,11 @@ PJ_DEF(pj_status_t) pjsip_transport_register_type( unsigned tp_flag,
+ PJ_ENAMETOOLONG);
+
+ for (i=1; i<PJ_ARRAY_SIZE(transport_names); ++i) {
++ if (tp_flag & PJSIP_TRANSPORT_IPV6 &&
++ pj_stricmp2(&transport_names[i].name, tp_name) == 0)
++ {
++ parent = transport_names[i].type;
++ }
+ if (transport_names[i].type == 0)
+ break;
+ }
+@@ -250,14 +256,19 @@ PJ_DEF(pj_status_t) pjsip_transport_register_type( unsigned tp_flag,
+ if (i == PJ_ARRAY_SIZE(transport_names))
+ return PJ_ETOOMANY;
+
+- transport_names[i].type = (pjsip_transport_type_e)i;
++ if (tp_flag & PJSIP_TRANSPORT_IPV6 && parent) {
++ transport_names[i].type = parent | PJSIP_TRANSPORT_IPV6;
++ } else {
++ transport_names[i].type = (pjsip_transport_type_e)i;
++ }
++
+ transport_names[i].port = (pj_uint16_t)def_port;
+ pj_ansi_strcpy(transport_names[i].name_buf, tp_name);
+ transport_names[i].name = pj_str(transport_names[i].name_buf);
+ transport_names[i].flag = tp_flag;
+
+ if (p_tp_type)
+- *p_tp_type = i;
++ *p_tp_type = transport_names[i].type;
+
+ return PJ_SUCCESS;
+ }
+--
+2.7.4
+
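Review bot: The value stored in `*p_tp_type` at the end of pjsip_transport_register_type() is no longer always the slot index: when `tp_flag` carries `PJSIP_TRANSPORT_IPV6` and a name matches, it is `parent | PJSIP_TRANSPORT_IPV6`, and nothing in the hunk checks that this value is not already used by another entry in `transport_names`. Any caller or lookup that treats the returned type as an index into the table (none is visible here) would need checking, and the function's doc comment should say so, for example `/* With PJSIP_TRANSPORT_IPV6 in tp_flag and an already registered name, the type is that entry's type with the IPv6 bit set, not the table index. */`. The loop also keeps the last matching entry rather than the first, which matters if the same name appears more than once. Both new conditions would read more safely with explicit parentheses, as in `(tp_flag & PJSIP_TRANSPORT_IPV6) && parent`.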
diff --git a/0025-fix-print-xml-crash.patch b/0025-fix-print-xml-crash.patch
new file mode 100644
index 0000000..eafc389
--- /dev/null
+++ b/0025-fix-print-xml-crash.patch
@@ -0,0 +1,24 @@
+From 1bc5ca699f523bd8e910203a3eb4dee58f366976 Mon Sep 17 00:00:00 2001
+From: Joshua Elson <joshelson at gmail.com>
+Date: Mon, 20 Mar 2017 19:28:47 -0600
+Subject: [PATCH] Prevent memory corruption on xml tag write
+
+---
+ pjlib-util/src/pjlib-util/xml.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pjlib-util/src/pjlib-util/xml.c b/pjlib-util/src/pjlib-util/xml.c
+index 296b232..b0aad26 100644
+--- a/pjlib-util/src/pjlib-util/xml.c
++++ b/pjlib-util/src/pjlib-util/xml.c
+@@ -248,6 +248,7 @@ static int xml_print_node( const pj_xml_node *node, int indent,
+ if (node->content.slen==0 &&
+ node->node_head.next==(pj_xml_node*)&node->node_head)
+ {
++ if (SIZE_LEFT() < 3) return -1;
+ *p++ = ' ';
+ *p++ = '/';
+ *p++ = '>';
+--
+2.10.1 (Apple Git-78)
+
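Review bot: The new guard in xml_print_node() hard-codes `3` to match the three stores that follow it, and nothing ties the two together if the emitted sequence changes. A short comment such as `/* need room for " />" */` above the check would make the dependency explicit. SIZE_LEFT() is defined outside the hunk; if it expands to an unsigned expression, the comparison would not fire once `p` has passed the end of the buffer, so its type is worth confirming. The function body starts and ends outside the hunk, so whether its other writes are bounded the same way cannot be seen here.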
diff --git a/0058-Parse-zero-length-multipart-body-parts-correctly.patch b/0058-Parse-zero-length-multipart-body-parts-correctly.patch
new file mode 100644
index 0000000..49334c3
--- /dev/null
+++ b/0058-Parse-zero-length-multipart-body-parts-correctly.patch
@@ -0,0 +1,41 @@
+From f0c717463d569f87a16f9b014033c8ca8939a7b4 Mon Sep 17 00:00:00 2001
+From: Mark Michelson <mmichelson at digium.com>
+Date: Thu, 13 Apr 2017 16:59:40 -0500
+Subject: [PATCH] Parse zero-length multipart body parts correctly.
+
+The calculation of end_body could result in a negative length being
+passed to multipart_body_parse_part().
+---
+ pjsip/src/pjsip/sip_multipart.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/pjsip/src/pjsip/sip_multipart.c b/pjsip/src/pjsip/sip_multipart.c
+index 8351f7e..b302139 100644
+--- a/pjsip/src/pjsip/sip_multipart.c
++++ b/pjsip/src/pjsip/sip_multipart.c
+@@ -653,13 +653,15 @@ PJ_DEF(pjsip_msg_body*) pjsip_multipart_parse(pj_pool_t *pool,
+
+ end_body = curptr;
+
+- /* The newline preceeding the delimiter is conceptually part of
+- * the delimiter, so trim it from the body.
+- */
+- if (*(end_body-1) == '\n')
+- --end_body;
+- if (*(end_body-1) == '\r')
+- --end_body;
++ if (end_body > start_body) {
++ /* The newline preceeding the delimiter is conceptually part of
++ * the delimiter, so trim it from the body.
++ */
++ if (*(end_body-1) == '\n')
++ --end_body;
++ if (*(end_body-1) == '\r')
++ --end_body;
++ }
+
+ /* Now that we have determined the part's boundary, parse it
+ * to get the header and body part of the part.
+--
+1.9.1
+
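Review bot: The new `end_body > start_body` test in pjsip_multipart_parse() guards only the first look-behind: when the part body is a single `\n`, the first decrement leaves `end_body == start_body`, the `\r` check then reads `*(start_body-1)`, and if that byte is `\r` the length passed on becomes negative again. Re-checking before the second read closes this: `if (end_body > start_body && *(end_body-1) == '\r')`. How `start_body` is set is outside the hunk, so whether the preceding byte can be `\r` in practice is not visible here. The function continues on both sides of the hunk.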
diff --git a/0059-Ensure-2543-transaction-key-buffer-is-large-enough.patch b/0059-Ensure-2543-transaction-key-buffer-is-large-enough.patch
new file mode 100644
index 0000000..eb5a7db
--- /dev/null
+++ b/0059-Ensure-2543-transaction-key-buffer-is-large-enough.patch
@@ -0,0 +1,29 @@
+From b5f0f8868363c482a2c4ce343e3ee6ad256b0708 Mon Sep 17 00:00:00 2001
+From: Mark Michelson <mmichelson at digium.com>
+Date: Thu, 13 Apr 2017 16:20:07 -0500
+Subject: [PATCH] Ensure 2543 transaction key buffer is large enough.
+
+The CSeq method length needs to be factored into the allocated buffer
+length. Otherwise, the buffer may not be large enough to accommodate the
+entire key.
+---
+ pjsip/src/pjsip/sip_transaction.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/pjsip/src/pjsip/sip_transaction.c b/pjsip/src/pjsip/sip_transaction.c
+index c1750dc..2200d8d 100644
+--- a/pjsip/src/pjsip/sip_transaction.c
++++ b/pjsip/src/pjsip/sip_transaction.c
+@@ -288,7 +288,8 @@ static pj_status_t create_tsx_key_2543( pj_pool_t *pool,
+ host = &rdata->msg_info.via->sent_by.host;
+
+ /* Calculate length required. */
+- len_required = 9 + /* CSeq number */
++ len_required = method->name.slen + /* Method */
++ 9 + /* CSeq number */
+ rdata->msg_info.from->tag.slen + /* From tag. */
+ rdata->msg_info.cid->id.slen + /* Call-ID */
+ host->slen + /* Via host. */
+--
+1.9.1
+
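Review bot: The length calculation in create_tsx_key_2543() still reserves `9` bytes for the CSeq number, while a 32-bit sequence number can print as 10 decimal digits. The remaining terms of the sum and the code that writes the key are outside the hunk, so the other constants may already leave slack; if they do not, `10 + /* CSeq number, up to 10 digits */` would be the safer value. Every other term comes from fields of the received message, so a comment next to the sum stating which separators each constant covers would make the bound auditable.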
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/pjproject.git/commitdiff/e2742f5785148469e609730ba85cc1a8f6a4ecc8