[asterisk-commits] twilson: branch 1.4 r270724 - /branches/1.4/channels/chan_sip.c
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Tue Jun 15 17:34:34 CDT 2010
Author: twilson
Date: Tue Jun 15 17:34:30 2010
New Revision: 270724
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=270724
Log:
Merged revisions 270658 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk
........
r270658 | twilson | 2010-06-15 15:18:04 -0500 (Tue, 15 Jun 2010) | 20 lines
Make contactdeny apply to src ip when nat=yes
chan_sip's "contactdeny" feature screens the "to be registered contact".
In case of nat=yes it should not use the address information from the
Contact header (which is not used at all for routing), but the source
IP address of the request.
Thus, if nat=yes and a client sends a request from a denied IP address
(e.g. by spoofing the src-IP address) it can bypass the screening.
This commit makes contactdeny apply to the src ip when nat=yes instead.
(closes issue #17276)
Reported by: klaus3000
Patches:
patch-asterisk-trunk-contactdeny.txt uploaded by klaus3000 (license 65)
Tested by: klaus3000
Review: [full review board URL with trailing slash]
........
Modified:
branches/1.4/channels/chan_sip.c
Modified: branches/1.4/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.4/channels/chan_sip.c?view=diff&rev=270724&r1=270723&r2=270724
==============================================================================
--- branches/1.4/channels/chan_sip.c (original)
+++ branches/1.4/channels/chan_sip.c Tue Jun 15 17:34:30 2010
@@ -8743,25 +8743,17 @@
}
oldsin = peer->addr;
- /* Check that they're allowed to register at this IP */
- /* XXX This could block for a long time XXX */
- hp = ast_gethostbyname(n, &ahp);
- if (!hp) {
- ast_log(LOG_WARNING, "Invalid host '%s'\n", n);
- *peer->fullcontact = '\0';
- ast_string_field_set(pvt, our_contact, "");
- return PARSE_REGISTER_FAILED;
- }
- memcpy(&testsin.sin_addr, hp->h_addr, sizeof(testsin.sin_addr));
- if ( ast_apply_ha(global_contact_ha, &testsin) != AST_SENSE_ALLOW ||
- ast_apply_ha(peer->contactha, &testsin) != AST_SENSE_ALLOW) {
- ast_log(LOG_WARNING, "Host '%s' disallowed by contact ACL (violating IP %s)\n", n, ast_inet_ntoa(testsin.sin_addr));
- *peer->fullcontact = '\0';
- ast_string_field_set(pvt, our_contact, "");
- return PARSE_REGISTER_DENIED;
- }
-
if (!ast_test_flag(&peer->flags[0], SIP_NAT_ROUTE)) {
+ /* use the data provided in the Contact header for call routing */
+ /* XXX This could block for a long time XXX */
+ hp = ast_gethostbyname(n, &ahp);
+ if (!hp) {
+ ast_log(LOG_WARNING, "Invalid host '%s'\n", n);
+ *peer->fullcontact = '\0';
+ ast_string_field_set(pvt, our_contact, "");
+ return PARSE_REGISTER_FAILED;
+ }
+
peer->addr.sin_family = AF_INET;
memcpy(&peer->addr.sin_addr, hp->h_addr, sizeof(peer->addr.sin_addr));
peer->addr.sin_port = htons(port);
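Review bot: Moving the `ast_gethostbyname(n, &ahp)` call inside the `!ast_test_flag(&peer->flags[0], SIP_NAT_ROUTE)` branch changes behaviour for nat=yes peers beyond the ACL fix: a REGISTER whose Contact host does not resolve used to return PARSE_REGISTER_FAILED, and now that path is skipped entirely. That is consistent with not trusting the Contact header under NAT, but it is not mentioned in the log message, so a line in the commit text or a comment above the branch would help anyone who relied on the old rejection. In the non-NAT branch, `peer->addr.sin_addr` is now written from `hp->h_addr` before any ACL has been evaluated, and the "XXX This could block for a long time XXX" lookup of a client-supplied name still runs before screening; resolving into a local `testsin` first and assigning `peer->addr` only after the check passes would keep the old ordering.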
@@ -8769,6 +8761,16 @@
/* Don't trust the contact field. Just use what they came to us
with */
peer->addr = pvt->recv;
+ }
+
+ /* Check that they're allowed to register at this IP */
+ memcpy(&testsin.sin_addr, &peer->addr.sin_addr, sizeof(testsin.sin_addr));
+ if (ast_apply_ha(global_contact_ha, &testsin) != AST_SENSE_ALLOW ||
+ ast_apply_ha(peer->contactha, &testsin) != AST_SENSE_ALLOW) {
+ ast_log(LOG_WARNING, "Host '%s' disallowed by contact ACL (violating IP %s)\n", n, ast_inet_ntoa(testsin.sin_addr));
+ *peer->fullcontact = '\0';
+ ast_string_field_set(pvt, our_contact, "");
+ return PARSE_REGISTER_DENIED;
}
/* Save SIP options profile */
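Review bot: On the new PARSE_REGISTER_DENIED return, `peer->addr` has already been overwritten (from the Contact lookup or from `pvt->recv`) and is not put back, whereas the removed code ran the ACL before touching `peer->addr`. The earlier context saves `oldsin = peer->addr;`, so either restore it with `peer->addr = oldsin;` before the return or run `ast_apply_ha()` on a temporary and assign `peer->addr` only on AST_SENSE_ALLOW; otherwise the peer structure is left holding the address the ACL just rejected. A smaller point on the same block: the warning still prints `n` (the Contact host) as the disallowed host, but with nat=yes the violating IP is the packet source and has no relation to `n`, so the message should say which address source was screened.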