[asterisk-commits] mjordan: branch 10 r372020 - in /branches/10: ./ channels/chan_iax2.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Thu Aug 30 11:22:57 CDT 2012 

Author: mjordan
Date: Thu Aug 30 11:22:54 2012
New Revision: 372020

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=372020
Log:
AST-2012-013: Resolve ACL rules being ignored during calls by some IAX2 peers

When an IAX2 call is made using the credentials of a peer defined in a dynamic
Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are
not applied to the call attempt. This allows for a remote attacker who is aware
of a peer's credentials to bypass the ACL rules set for that peer.

This patch ensures that the ACLs are applied for all peers, regardless of their
storage mechanism.

(closes issue ASTERISK-20186)
Reported by: Alan Frisch
Tested by: mjordan, Alan Frisch
........

Merged revisions 372015 from http://svn.asterisk.org/svn/asterisk/branches/1.8

Modified:
    branches/10/   (props changed)
    branches/10/channels/chan_iax2.c

Propchange: branches/10/
------------------------------------------------------------------------------
Binary property 'branch-1.8-merged' - no diff available.

Modified: branches/10/channels/chan_iax2.c
URL: http://svnview.digium.com/svn/asterisk/branches/10/channels/chan_iax2.c?view=diff&rev=372020&r1=372019&r2=372020
==============================================================================
--- branches/10/channels/chan_iax2.c (original)
+++ branches/10/channels/chan_iax2.c Thu Aug 30 11:22:54 2012
@@ -7720,10 +7720,10 @@
 	i = ao2_iterator_init(users, 0);
 	while ((user = ao2_iterator_next(&i))) {
 		if ((ast_strlen_zero(iaxs[callno]->username) ||				/* No username specified */
-			!strcmp(iaxs[callno]->username, user->name))	/* Or this username specified */
-			&& ast_apply_ha(user->ha, &addr) 	/* Access is permitted from this IP */
+			!strcmp(iaxs[callno]->username, user->name))			/* Or this username specified */
+			&& ast_apply_ha(user->ha, &addr) == AST_SENSE_ALLOW		/* Access is permitted from this IP */
 			&& (ast_strlen_zero(iaxs[callno]->context) ||			/* No context specified */
-			     apply_context(user->contexts, iaxs[callno]->context))) {			/* Context is permitted */
+				apply_context(user->contexts, iaxs[callno]->context))) {			/* Context is permitted */
 			if (!ast_strlen_zero(iaxs[callno]->username)) {
 				/* Exact match, stop right now. */
 				if (best)
@@ -7779,8 +7779,9 @@
 	user = best;
 	if (!user && !ast_strlen_zero(iaxs[callno]->username)) {
 		user = realtime_user(iaxs[callno]->username, sin);
-		if (user && !ast_strlen_zero(iaxs[callno]->context) &&			/* No context specified */
-		    !apply_context(user->contexts, iaxs[callno]->context)) {		/* Context is permitted */
+		if (user && (ast_apply_ha(user->ha, &addr) == AST_SENSE_DENY		/* Access is denied from this IP */
+			|| (!ast_strlen_zero(iaxs[callno]->context) &&					/* No context specified */
+				!apply_context(user->contexts, iaxs[callno]->context)))) {	/* Context is permitted */
 			user = user_unref(user);
 		}
 	}

More information about the asterisk-commits mailing list