[asterisk-bugs] [Asterisk 0017276]: [patch] bypass "contactdeny" with nat=yes

Asterisk Bug Tracker noreply at bugs.digium.com
Tue Jun 15 17:16:53 CDT 2010


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=17276 
====================================================================== 
Reported By:                klaus3000
Assigned To:                twilson
====================================================================== 
Project:                    Asterisk
Issue ID:                   17276
Category:                   Channels/chan_sip/Registration
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     closed
Asterisk Version:           SVN 
JIRA:                       SWP-1462 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!):  
Request Review:              
Resolution:                 fixed
Fixed in Version:           
====================================================================== 
Date Submitted:             2010-05-03 09:56 CDT
Last Modified:              2010-06-15 17:16 CDT
====================================================================== 
Summary:                    [patch] bypass "contactdeny" with nat=yes
Description: 
Hi!

chan_sip's "contactdeny" feature screens the "to be registered contact".
In case of nat=yes it should not use the address information from the
Contact header (which is not used at all for routing), but the source IP
address of the request.

Thus, if nat=yes and a client sends a request from a denied IP address
(e.g. by spoofing the src-IP address) it can bypass the screening.
====================================================================== 

---------------------------------------------------------------------- 
 (0123456) svnbot (reporter) - 2010-06-15 17:16
 https://issues.asterisk.org/view.php?id=17276#c123456 
---------------------------------------------------------------------- 
Repository: asterisk
Revision: 270693

_U  branches/1.6.2/
U   branches/1.6.2/channels/chan_sip.c

------------------------------------------------------------------------
r270693 | twilson | 2010-06-15 17:16:52 -0500 (Tue, 15 Jun 2010) | 27
lines

Merged revisions 270658 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/trunk

........
  r270658 | twilson | 2010-06-15 15:18:04 -0500 (Tue, 15 Jun 2010) | 20
lines
  
  Make contactdeny apply to src ip when nat=yes
  
  chan_sip's "contactdeny" feature screens the "to be registered contact".
  In case of nat=yes it should not use the address information from the
  Contact header (which is not used at all for routing), but the source
  IP address of the request.
  
  Thus, if nat=yes and a client sends a request from a denied IP address
  (e.g. by spoofing the src-IP address) it can bypass the screening.
  
  This commit makes contactdeny apply to the src ip when nat=yes instead.
  
  (closes issue https://issues.asterisk.org/view.php?id=17276)
  Reported by: klaus3000
  Patches: 
        patch-asterisk-trunk-contactdeny.txt uploaded by klaus3000
(license 65)
  Tested by: klaus3000
  
  Review: [full review board URL with trailing slash]
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=270693 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-06-15 17:16 svnbot         Checkin                                      
2010-06-15 17:16 svnbot         Note Added: 0123456                          
======================================================================




More information about the asterisk-bugs mailing list