[asterisk-bugs] [Asterisk 0017276]: [patch] bypass "contactdeny" with nat=yes
Asterisk Bug Tracker
noreply at bugs.digium.com
Tue Jun 15 15:18:06 CDT 2010
The following issue has been RESOLVED.
======================================================================
https://issues.asterisk.org/view.php?id=17276
======================================================================
Reported By: klaus3000
Assigned To: twilson
======================================================================
Project: Asterisk
Issue ID: 17276
Category: Channels/chan_sip/Registration
Reproducibility: always
Severity: minor
Priority: normal
Status: resolved
Asterisk Version: SVN
JIRA: SWP-1462
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): trunk
SVN Revision (number only!):
Request Review:
Resolution: fixed
Fixed in Version:
======================================================================
Date Submitted: 2010-05-03 09:56 CDT
Last Modified: 2010-06-15 15:18 CDT
======================================================================
Summary: [patch] bypass "contactdeny" with nat=yes
Description:
Hi!
chan_sip's "contactdeny" feature screens the "to be registered contact".
In case of nat=yes it should not use the address information from the
Contact header (which is not used at all for routing), but the source IP
address of the request.
Thus, if nat=yes and a client sends a request from a denied IP address
(e.g. by spoofing the src-IP address) it can bypass the screening.
======================================================================
----------------------------------------------------------------------
(0123448) svnbot (reporter) - 2010-06-15 15:18
https://issues.asterisk.org/view.php?id=17276#c123448
----------------------------------------------------------------------
Repository: asterisk
Revision: 270658
U trunk/channels/chan_sip.c
------------------------------------------------------------------------
r270658 | twilson | 2010-06-15 15:18:04 -0500 (Tue, 15 Jun 2010) | 20 lines
Make contactdeny apply to src ip when nat=yes
chan_sip's "contactdeny" feature screens the "to be registered contact".
In case of nat=yes it should not use the address information from the
Contact header (which is not used at all for routing), but the source
IP address of the request.
Thus, if nat=yes and a client sends a request from a denied IP address
(e.g. by spoofing the src-IP address) it can bypass the screening.
This commit makes contactdeny apply to the src ip when nat=yes instead.
(closes issue https://issues.asterisk.org/view.php?id=17276)
Reported by: klaus3000
Patches:
patch-asterisk-trunk-contactdeny.txt uploaded by klaus3000 (license 65)
Tested by: klaus3000
Review: [full review board URL with trailing slash]
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=270658
Issue History
Date Modified     Username  Field        Change
======================================================================
2010-06-15 15:18  svnbot    Note Added: 0123448
2010-06-15 15:18  svnbot    Status       acknowledged => assigned
2010-06-15 15:18  svnbot    Assigned To  => twilson
2010-06-15 15:18  svnbot    Status       assigned => resolved
2010-06-15 15:18  svnbot    Resolution   open => fixed
======================================================================
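The screening decision described in this issue, as an added example that is not code from chan_sip or from the uploaded patch: a simplified model comparing which address is checked against "contactdeny" before and after r270658. The function names, the single 10.0.0.0/8 deny rule, the sample addresses and the reject-on-unparsable behaviour are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One "contactdeny" entry as network/mask in host byte order (simplified model). */
struct deny_rule { uint32_t net, mask; };

/* Constructed sample ACL, equivalent to contactdeny=10.0.0.0/255.0.0.0 */
static const struct deny_rule contactdeny[] = { { 0x0A000000u, 0xFF000000u } };

/* Parse a dotted-quad IPv4 address; returns 0 on success, -1 on failure. */
static int parse_ip4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return -1;
    *out = ntohl(a.s_addr);
    return 0;
}

static int is_denied(uint32_t addr)
{
    for (size_t i = 0; i < sizeof(contactdeny) / sizeof(contactdeny[0]); i++)
        if ((addr & contactdeny[i].mask) == contactdeny[i].net)
            return 1;
    return 0;
}

/* Both functions return 1 if the REGISTER is accepted, 0 if it is rejected.
 * Assumption of this model: an address that cannot be parsed is rejected. */

/* Before the fix: the Contact host is screened even when nat=yes. */
int screen_before_fix(int nat, const char *contact_ip, const char *src_ip)
{
    uint32_t c;
    (void)nat; (void)src_ip;
    return parse_ip4(contact_ip, &c) == 0 && !is_denied(c);
}

/* After the fix: with nat=yes the request's source address is screened instead. */
int screen_after_fix(int nat, const char *contact_ip, const char *src_ip)
{
    uint32_t a;
    return parse_ip4(nat ? src_ip : contact_ip, &a) == 0 && !is_denied(a);
}

int main(void)
{
    printf("nat=yes, src in denied range: before=%d after=%d\n",
           screen_before_fix(1, "192.0.2.10", "10.1.2.3"),
           screen_after_fix(1, "192.0.2.10", "10.1.2.3"));
    return 0;
}
```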