[asterisk-bugs] [JIRA] (ASTERISK-20578) sip handle_incoming needs more calls to sec. framework

Michael L. Young (JIRA) noreply at issues.asterisk.org
Thu Oct 18 13:32:18 CDT 2012


    [ https://issues.asterisk.org/jira/browse/ASTERISK-20578?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=198740#comment-198740 ] 

Michael L. Young commented on ASTERISK-20578:
---------------------------------------------

Since I am familiar with this code, do you want me to take a stab at this at all?

Should the second part, about reporting other SIP methods, go into 10?

If I recall, it was crunch time for Asterisk 10 when we tried to get this in and what prompted the addition was an email on the -dev list looking for registration events.  So, that is what the original patch focused on and didn't include the other methods.
                
> sip handle_incoming needs more calls to sec. framework
> ------------------------------------------------------
>
>                 Key: ASTERISK-20578
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20578
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/Security Framework
>    Affects Versions: 10.10.0
>            Reporter: Walter Doekes
>            Severity: Trivial
>
> From ASTERISK-20506:
> {quote}
> You do have a valid point there. auth_options_requests=no (the default) does mitigate the OPTIONS problem. But there are indeed a couple of other methods that do get the authentication process working and they should be sent to the security framework. \[Make new bug report #1]
> {quote}
> Two issues here:
> - handle_incoming() sports the magic number 9:
>   if (res < 9) { sip_report_security_event(p, req, res); }
>   should be fixed using extra constants in sip/include/sip.h
> - handle_incoming() calls other methods which can be used for brute forcing (OPTIONS, MESSAGE, ...).
>   the calls to sip_report_security_event() are missing there.
>   (perhaps it should be moved to check_auth)

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
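
The two points in the quoted issue (a named boundary instead of the literal 9, and reporting done inside the authentication check so that OPTIONS and MESSAGE cannot skip it), sketched as an added example. This is not Asterisk code: every `demo_` name, result value, peer name and secret below is constructed for illustration.

```c
#include <string.h>

/* Hypothetical result codes: names and values are illustrative, not chan_sip's. */
enum demo_auth_result {
    DEMO_AUTH_OK = 0,
    DEMO_AUTH_CHALLENGE_SENT,
    DEMO_AUTH_SECRET_FAILED,
    DEMO_AUTH_PEER_NOT_FOUND,
    DEMO_AUTH_LAST_REPORTABLE = DEMO_AUTH_PEER_NOT_FOUND, /* named boundary, no magic number */
    DEMO_AUTH_SESSION_LIMIT   /* resource outcome, not an authentication event */
};

enum demo_method { DEMO_REGISTER, DEMO_OPTIONS, DEMO_MESSAGE, DEMO_METHOD_COUNT };

/* Events are counted per method and result here; a real build would emit them. */
static unsigned demo_events[DEMO_METHOD_COUNT][DEMO_AUTH_SESSION_LIMIT + 1];

static void demo_report_security_event(enum demo_method m, enum demo_auth_result res)
{
    demo_events[m][res]++;
}

/* Constructed stand-in for the credential check (not a real digest comparison).
 * A NULL secret means the request carried no credentials yet. */
static enum demo_auth_result demo_verify(const char *peer, const char *secret)
{
    if (strcmp(peer, "full") == 0)
        return DEMO_AUTH_SESSION_LIMIT;
    if (strcmp(peer, "alice") != 0)
        return DEMO_AUTH_PEER_NOT_FOUND;
    if (secret == NULL)
        return DEMO_AUTH_CHALLENGE_SENT;
    return strcmp(secret, "constructed-secret") == 0 ? DEMO_AUTH_OK
                                                     : DEMO_AUTH_SECRET_FAILED;
}

/* Single choke point: every method authenticates here, so no handler can
 * forget to report an authentication outcome. */
enum demo_auth_result demo_check_auth(enum demo_method m, const char *peer, const char *secret)
{
    enum demo_auth_result res = demo_verify(peer, secret);
    if (res <= DEMO_AUTH_LAST_REPORTABLE)
        demo_report_security_event(m, res);
    return res;
}

unsigned demo_event_count(enum demo_method m, enum demo_auth_result res)
{
    return demo_events[m][res];
}
```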


