From e3cb83d57113f6d44e94a70f1cac34a03e73d58e Mon Sep 17 00:00:00 2001 From: mnicholson Date: Tue, 5 Apr 2011 14:16:21 +0000 Subject: [PATCH] Merged revisions 312766 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.8 ................ r312766 | mnicholson | 2011-04-05 09:14:50 -0500 (Tue, 05 Apr 2011) | 22 lines Merged revisions 312764 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.6.2 ................ r312764 | mnicholson | 2011-04-05 09:13:07 -0500 (Tue, 05 Apr 2011) | 15 lines Merged revisions 312761 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.4 ........ r312761 | mnicholson | 2011-04-05 09:10:34 -0500 (Tue, 05 Apr 2011) | 8 lines Limit the number of unauthenticated manager sessions and also limit the time they have to authenticate. AST-2011-005 (closes issue #18996) Reported by: tzafrir Tested by: mnicholson ........ ................ ................ git-svn-id: http://svn.digium.com/svn/asterisk/trunk@312767 f38db490-d61c-443f-a65b-d21fe96a405b --- configs/manager.conf.sample | 11 ++++++ main/manager.c | 72 ++++++++++++++++++++++++++++++++++++- 2 files changed, 82 insertions(+), 1 deletion(-) diff --git a/configs/manager.conf.sample b/configs/manager.conf.sample index 82590801a..ef1b0b195 100644 --- a/configs/manager.conf.sample +++ b/configs/manager.conf.sample @@ -63,6 +63,17 @@ bindaddr = 0.0.0.0 ; debug = on ; enable some debugging info in AMI messages (default off). ; Also accessible through the "manager debug" CLI command. +; authtimeout specifies the maximum number of seconds a client has to +; authenticate. If the client does not authenticate beofre this timeout +; expires, the client will be disconnected. (default: 30 seconds) + +;authtimeout = 30 + +; authlimit specifies the maximum number of unauthenticated sessions that will +; be allowed to connect at any given time. + +;authlimit = 50 + ;httptimeout = 60 ; a) httptimeout sets the Max-Age of the http cookie ; b) httptimeout is the amount of time the webserver waits diff --git a/main/manager.c b/main/manager.c index 74f9eccac..da0523be9 100644 --- a/main/manager.c +++ b/main/manager.c @@ -860,12 +860,15 @@ static int httptimeout = 60; static int broken_events_action = 0; static int manager_enabled = 0; static int webmanager_enabled = 0; +static int authtimeout; +static int authlimit; static char *manager_channelvars; #define DEFAULT_REALM "asterisk" static char global_realm[MAXHOSTNAMELEN]; /*!< Default realm */ static int block_sockets; +static int unauth_sessions = 0; static int manager_debug; /*!< enable some debugging code in the manager */ @@ -944,6 +947,7 @@ struct mansession_session { int send_events; /*!< XXX what ? */ struct eventqent *last_ev; /*!< last event processed. */ int writetimeout; /*!< Timeout for ast_carefulwrite() */ + time_t authstart; int pending_event; /*!< Pending events indicator in case when waiting_thread is NULL */ time_t noncetime; /*!< Timer for nonce value expiration */ unsigned long oldnonce; /*!< Stale nonce value */ @@ -2929,6 +2933,7 @@ static int action_login(struct mansession *s, const struct message *m) return -1; } s->session->authenticated = 1; + ast_atomic_fetchadd_int(&unauth_sessions, -1); if (manager_displayconnects(s->session)) { ast_verb(2, "%sManager '%s' logged on from %s\n", (s->session->managerid ? "HTTP " : ""), s->session->username, ast_inet_ntoa(s->session->sin.sin_addr)); } @@ -4535,6 +4540,8 @@ static int get_input(struct mansession *s, char *output) int res, x; int maxlen = sizeof(s->session->inbuf) - 1; char *src = s->session->inbuf; + int timeout = -1; + time_t now; /* * Look for \r\n within the buffer. If found, copy to the output @@ -4563,6 +4570,20 @@ static int get_input(struct mansession *s, char *output) } res = 0; while (res == 0) { + /* calculate a timeout if we are not authenticated */ + if (!s->session->authenticated) { + if(time(&now) == -1) { + ast_log(LOG_ERROR, "error executing time(): %s\n", strerror(errno)); + return -1; + } + + timeout = (authtimeout - (now - s->session->authstart)) * 1000; + if (timeout < 0) { + /* we have timed out */ + return 0; + } + } + ao2_lock(s->session); if (s->session->pending_event) { s->session->pending_event = 0; @@ -4572,7 +4593,7 @@ static int get_input(struct mansession *s, char *output) s->session->waiting_thread = pthread_self(); ao2_unlock(s->session); - res = ast_wait_for_input(s->session->fd, -1); /* return 0 on timeout ? */ + res = ast_wait_for_input(s->session->fd, timeout); ao2_lock(s->session); s->session->waiting_thread = AST_PTHREADT_NULL; @@ -4607,6 +4628,7 @@ static int do_message(struct mansession *s) struct message m = { 0 }; char header_buf[sizeof(s->session->inbuf)] = { '\0' }; int res; + time_t now; for (;;) { /* Check if any events are pending and do them if needed */ @@ -4615,6 +4637,19 @@ static int do_message(struct mansession *s) } res = get_input(s, header_buf); if (res == 0) { + if (!s->session->authenticated) { + if(time(&now) == -1) { + ast_log(LOG_ERROR, "error executing time(): %s\n", strerror(errno)); + return -1; + } + + if (now - s->session->authstart > authtimeout) { + if (displayconnects) { + ast_verb(2, "Client from %s, failed to authenticate in %d seconds\n", ast_inet_ntoa(s->session->sin.sin_addr), authtimeout); + } + return -1; + } + } continue; } else if (res > 0) { if (ast_strlen_zero(header_buf)) { @@ -4648,10 +4683,18 @@ static void *session_do(void *data) struct sockaddr_in ser_remote_address_tmp; struct protoent *p; + if (ast_atomic_fetchadd_int(&unauth_sessions, +1) >= authlimit) { + fclose(ser->f); + ast_atomic_fetchadd_int(&unauth_sessions, -1); + goto done; + } + ast_sockaddr_to_sin(&ser->remote_address, &ser_remote_address_tmp); session = build_mansession(ser_remote_address_tmp); if (session == NULL) { + fclose(ser->f); + ast_atomic_fetchadd_int(&unauth_sessions, -1); goto done; } @@ -4690,7 +4733,15 @@ static void *session_do(void *data) AST_LIST_HEAD_INIT_NOLOCK(&session->datastores); + if(time(&session->authstart) == -1) { + ast_log(LOG_ERROR, "error executing time(): %s; disconnecting client\n", strerror(errno)); + ast_atomic_fetchadd_int(&unauth_sessions, -1); + ao2_unlock(session); + session_destroy(session); + goto done; + } ao2_unlock(session); + astman_append(&s, "Asterisk Call Manager/%s\r\n", AMI_VERSION); /* welcome prompt */ for (;;) { if ((res = do_message(&s)) < 0 || s.write_error) { @@ -4703,6 +4754,7 @@ static void *session_do(void *data) ast_verb(2, "Manager '%s' logged off from %s\n", session->username, ast_inet_ntoa(session->sin.sin_addr)); } } else { + ast_atomic_fetchadd_int(&unauth_sessions, -1); if (displayconnects) { ast_verb(2, "Connect attempt from '%s' unable to authenticate\n", ast_inet_ntoa(session->sin.sin_addr)); } @@ -6212,6 +6264,8 @@ static int __init_manager(int reload) displayconnects = 1; broken_events_action = 0; + authtimeout = 30; + authlimit = 50; if (!cfg || cfg == CONFIG_STATUS_FILEINVALID) { ast_log(LOG_NOTICE, "Unable to open AMI configuration manager.conf, or configuration is invalid. Asterisk management interface (AMI) disabled.\n"); return 0; @@ -6273,6 +6327,22 @@ static int __init_manager(int reload) manager_debug = ast_true(val); } else if (!strcasecmp(var->name, "httptimeout")) { newhttptimeout = atoi(val); + } else if (!strcasecmp(var->name, "authtimeout")) { + int timeout = atoi(var->value); + + if (timeout < 1) { + ast_log(LOG_WARNING, "Invalid authtimeout value '%s', using default value\n", var->value); + } else { + authtimeout = timeout; + } + } else if (!strcasecmp(var->name, "authlimit")) { + int limit = atoi(var->value); + + if (limit < 1) { + ast_log(LOG_WARNING, "Invalid authlimit value '%s', using default value\n", var->value); + } else { + authlimit = limit; + } } else if (!strcasecmp(var->name, "channelvars")) { struct manager_channel_variable *mcv; char *remaining = ast_strdupa(val), *next;