[asterisk-bugs] [JIRA] (ASTERISK-20578) sip handle_incoming needs more calls to sec. framework
Joshua Colp (JIRA)
noreply at issues.asterisk.org
Tue Dec 19 05:25:08 CST 2017
[ https://issues.asterisk.org/jira/browse/ASTERISK-20578?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Joshua Colp updated ASTERISK-20578:
-----------------------------------
Assignee: (was: Michael L. Young)
> sip handle_incoming needs more calls to sec. framework
> ------------------------------------------------------
>
> Key: ASTERISK-20578
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-20578
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Channels/chan_sip/Security Framework
> Affects Versions: 10.10.0, 13.18.4
> Reporter: Walter Doekes
> Severity: Trivial
>
> From ASTERISK-20506:
> {quote}
> You do have a valid point there. auth_options_requests=no (the default) does mitigate the OPTIONS problem. But there are indeed a couple of other methods that do get the authentication process working and they should be sent to the security framework. \[Make new bug report #1]
> {quote}
> Two issues here:
> - handle_incoming() sports the magic number 9:
>   if (res < 9) { sip_report_security_event(p, req, res); }
>   should be fixed using extra constants in sip/include/sip.h
> - handle_incoming() calls other methods which can be used for brute forcing (OPTIONS, MESSAGE, ...).
>   the calls to sip_report_security_event() are missing there.
>   (perhaps it should be moved to check_auth)
--
This message was sent by Atlassian JIRA
(v6.2#6252)