[asterisk-bugs] [JIRA] (ASTERISK-22738) "Security denial" error in calls from H323 trunk (ooh323.c)

Matt Jordan (JIRA) noreply at issues.asterisk.org
Fri Mar 28 14:00:24 CDT 2014 

     [ https://issues.asterisk.org/jira/browse/ASTERISK-22738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Jordan updated ASTERISK-22738:
-----------------------------------

    Target Release Version/s: 12.2.0

> "Security denial" error in calls from H323 trunk (ooh323.c)
> -----------------------------------------------------------
>
>                 Key: ASTERISK-22738
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-22738
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Addons/chan_ooh323
>    Affects Versions: 11.4.0, 11.5.1, 12.0.0-beta1
>         Environment: Linux RH 5.5
>            Reporter: Gabriele Odone
>            Assignee: Alexander Anikin
>      Target Release: 12.2.0
>
>         Attachments: ASTERISK-22738-1.patch, h323.pcap, h323_successful.pcap
>
>
> Environment: Asterisk 11.4
> Attempting H.323 trunk integration with a H323 Gateway ("Polycom CMA") using ooh323 module.
> When placing H323 calls from the H323 Gateway, the call goes through the trunk (as shown by tcpdump on Asterisk server) but is rejected by Asterisk with the following error in /var/log/asterisk/h323_log
> {noformat}
> 10:40:28:564 ERROR: Security denial remote sig IP isn't a socket ip, 10.44.1.156 not 10.71.0.55 (incoming, ooh323c_1)
> 10:40:28:565 ERROR:Failed ooH2250Receive - Clearing call (incoming, ooh323c_1)
> {noformat}
> In this log, 10.44.1.156 being IP address of H323 client registered to Polycom CMA, 10.71.0.55 being the address of Polycom CMA.
> tcpdump shows "disengageRequest" H.225 sent by Asterisk to Polycom CMA.
> I solved this problem by commenting these lines in ooh323.c and recompiling:
> {noformat}
>    if (strncmp(remoteIP, call->remoteIP, strlen(remoteIP))) {
>      OOTRACEERR5("ERROR: Security denial remote sig IP isn't a socket ip, %s not %s "
> 		     "(%s, %s)\n", remoteIP, call->remoteIP, call->callType, 
> 		     call->callToken);
>      return OO_FAILED;
>    }
> {noformat}
> Same code on the latest 12.0 beta.
> I suppose this check is made for security reasons, but as you can see it blocks legitimate calls, thus making the trunk useless.
> I think a cofiguration parameter should be introduced to disable the check.
> I will attach the tcpdump. 10.71.0.55 being the address of Polycom CMA, 10.100.202.88 Asterisk server.
> Thanks
> Kind Regards,
> Gabriele Odone



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list