<p>Friendly Automation <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/13237">View Change</a></p><div style="white-space:pre-wrap">Approvals:
Benjamin Keith Ford: Looks good to me, approved
Friendly Automation: Approved for Submit
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">chan_sip.c: Prevent address change on unauthenticated SIP request.<br><br>If the name of a peer is known and a SIP request is sent using that<br>peer's name, the address of the peer will change even if the request<br>fails the authentication challenge. This means that an endpoint can<br>be altered and even rendered unusuable, even if it was in a working<br>state previously. This can only occur when the nat option is set to the<br>default, or auto_force_rport.<br><br>This change checks the result of authentication first to ensure it is<br>successful before setting the address and the nat option.<br><br>ASTERISK-28589 #close<br><br>Change-Id: I581c5ed1da60ca89f590bd70872de2b660de02df<br>---<br>M channels/chan_sip.c<br>1 file changed, 16 insertions(+), 12 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/channels/chan_sip.c b/channels/chan_sip.c</span><br><span>index 6ac2e61..4d79a47 100644</span><br><span>--- a/channels/chan_sip.c</span><br><span>+++ b/channels/chan_sip.c</span><br><span>@@ -19245,18 +19245,6 @@</span><br><span> bogus_peer = NULL;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- /* build_peer, called through sip_find_peer, is not able to check the</span><br><span style="color: hsl(0, 100%, 40%);">- * sip_pvt->natdetected flag in order to determine if the peer is behind</span><br><span style="color: hsl(0, 100%, 40%);">- * NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA</span><br><span style="color: hsl(0, 100%, 40%);">- * are set on the peer. So we check for that here and set the peer's</span><br><span style="color: hsl(0, 100%, 40%);">- * address accordingly.</span><br><span style="color: hsl(0, 100%, 40%);">- */</span><br><span style="color: hsl(0, 100%, 40%);">- set_peer_nat(p, peer);</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {</span><br><span style="color: hsl(0, 100%, 40%);">- ast_sockaddr_copy(&peer->addr, &p->recv);</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span> if (!ast_apply_acl(peer->acl, addr, "SIP Peer ACL: ")) {</span><br><span> ast_debug(2, "Found peer '%s' for '%s', but fails host access\n", peer->name, of);</span><br><span> sip_unref_peer(peer, "sip_unref_peer: check_peer_ok: from sip_find_peer call, early return of AUTH_ACL_FAILED");</span><br><span>@@ -19325,6 +19313,21 @@</span><br><span> ast_string_field_set(p, peermd5secret, NULL);</span><br><span> }</span><br><span> if (!(res = check_auth(p, req, peer->name, p->peersecret, p->peermd5secret, sipmethod, uri2, reliable))) {</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* build_peer, called through sip_find_peer, is not able to check the</span><br><span style="color: hsl(120, 100%, 40%);">+ * sip_pvt->natdetected flag in order to determine if the peer is behind</span><br><span style="color: hsl(120, 100%, 40%);">+ * NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA</span><br><span style="color: hsl(120, 100%, 40%);">+ * are set on the peer. So we check for that here and set the peer's</span><br><span style="color: hsl(120, 100%, 40%);">+ * address accordingly. The address should ONLY be set once we are sure</span><br><span style="color: hsl(120, 100%, 40%);">+ * authentication was a success. If, for example, an INVITE was sent that</span><br><span style="color: hsl(120, 100%, 40%);">+ * matched the peer name but failed the authentication check, the address</span><br><span style="color: hsl(120, 100%, 40%);">+ * would be updated, which is bad.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+ set_peer_nat(p, peer);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_sockaddr_copy(&peer->addr, &p->recv);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> /* If we have a call limit, set flag */</span><br><span> if (peer->call_limit)</span><br><span> ast_set_flag(&p->flags[0], SIP_CALL_LIMIT);</span><br><span>@@ -19424,6 +19427,7 @@</span><br><span> }</span><br><span> }</span><br><span> sip_unref_peer(peer, "check_peer_ok: sip_unref_peer: tossing temp ptr to peer from sip_find_peer");</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> return res;</span><br><span> }</span><br><span> </span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/13237">change 13237</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/13237"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 16 </div>
<div style="display:none"> Gerrit-Change-Id: I581c5ed1da60ca89f590bd70872de2b660de02df </div>
<div style="display:none"> Gerrit-Change-Number: 13237 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-MessageType: merged </div>