[asterisk-bugs] [Asterisk 0017276]: [patch] bypass "contactdeny" with nat=yes

Asterisk Bug Tracker noreply at bugs.digium.com
Mon May 17 13:55:40 CDT 2010


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=17276 
====================================================================== 
Reported By:                klaus3000
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   17276
Category:                   Channels/chan_sip/Registration
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     acknowledged
Asterisk Version:           SVN 
JIRA:                       SWP-1462 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2010-05-03 09:56 CDT
Last Modified:              2010-05-17 13:55 CDT
====================================================================== 
Summary:                    [patch] bypass "contactdeny" with nat=yes
Description: 
Hi!

chan_sip's "contactdeny" feature screens the "to be registered contact".
In case of nat=yes it should not use the address information from the
Contact header (which is not used at all for routing), but the source IP
address of the request.

Thus, if nat=yes and a client sends a request from a denied IP address
(e.g. by spoofing the src-IP address) it can bypass the screening.
====================================================================== 
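
The check described in the report, as an added example that is not chan_sip code and not part of the original report: a constructed model of "contactdeny" screening, showing the Contact-only check beside one that screens the address actually stored when nat=yes. The rule set, addresses, and function names are hypothetical, and the Contact host is assumed to be an IPv4 literal.

```c
#include <arpa/inet.h>
#include <stdio.h>

/* Constructed model, not chan_sip code: one "contactdeny" entry as network/mask. */
struct deny_rule { const char *net; const char *mask; };

/* Constructed sample rule set: deny registrations pointing into 10.0.0.0/8. */
static const struct deny_rule contactdeny[] = { { "10.0.0.0", "255.0.0.0" } };

/* Return 1 if addr matches a deny rule; unparsable input counts as denied (fail closed). */
static int is_denied(const char *addr)
{
    struct in_addr a, n, m;
    size_t i;

    if (inet_pton(AF_INET, addr, &a) != 1)
        return 1;
    for (i = 0; i < sizeof(contactdeny) / sizeof(contactdeny[0]); i++) {
        if (inet_pton(AF_INET, contactdeny[i].net, &n) != 1 ||
            inet_pton(AF_INET, contactdeny[i].mask, &m) != 1)
            return 1;
        if ((a.s_addr & m.s_addr) == (n.s_addr & m.s_addr))
            return 1;
    }
    return 0;
}

/* Behaviour described in the report: the Contact header is screened regardless of nat. */
static int register_allowed_reported(int nat, const char *contact_host, const char *src_ip)
{
    (void)nat; (void)src_ip;
    return !is_denied(contact_host);
}

/* Check the report asks for: with nat=yes the source address is stored, so screen that. */
static int register_allowed_fixed(int nat, const char *contact_host, const char *src_ip)
{
    return !is_denied(nat ? src_ip : contact_host);
}

int main(void)
{
    /* Constructed REGISTER: sent from 10.1.2.3, Contact names 192.0.2.10, nat=yes. */
    printf("reported=%d fixed=%d\n",
           register_allowed_reported(1, "192.0.2.10", "10.1.2.3"),
           register_allowed_fixed(1, "192.0.2.10", "10.1.2.3"));
    return 0;
}
```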

---------------------------------------------------------------------- 
 (0122022) lmadsen (administrator) - 2010-05-17 13:55
 https://issues.asterisk.org/view.php?id=17276#c122022 
---------------------------------------------------------------------- 
My blog post
(http://blogs.asterisk.org/2010/04/29/installing-the-asterisk-test-suite/)
at least starts introducing it by getting it installed and running. The
README.txt should have some introductions to getting started on building a
test, but the best information probably stems from looking at an existing
test in the testsuite to determine how to build one.

I'm sure any questions asked on the asterisk-dev mailing list would be
enthusiastically replied to as we're trying to get more contributions to
the testsuite. 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-05-17 13:55 lmadsen        Note Added: 0122022                          
======================================================================



