[asterisk-commits] mjordan: trunk r372029 - in /trunk: ./ channels/chan_iax2.c
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Thu Aug 30 11:25:37 CDT 2012
Author: mjordan
Date: Thu Aug 30 11:25:34 2012
New Revision: 372029
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=372029
Log:
AST-2012-013: Resolve ACL rules being ignored during calls by some IAX2 peers
When an IAX2 call is made using the credentials of a peer defined in a dynamic
Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are
not applied to the call attempt. This allows for a remote attacker who is aware
of a peer's credentials to bypass the ACL rules set for that peer.
This patch ensures that the ACLs are applied for all peers, regardless of their
storage mechanism.
(closes issue ASTERISK-20186)
Reported by: Alan Frisch
Tested by: mjordan, Alan Frisch
........
Merged revisions 372028 from http://svn.asterisk.org/svn/asterisk/branches/11
Modified:
trunk/ (props changed)
trunk/channels/chan_iax2.c
Propchange: trunk/
------------------------------------------------------------------------------
Binary property 'branch-11-merged' - no diff available.
Modified: trunk/channels/chan_iax2.c
URL: http://svnview.digium.com/svn/asterisk/trunk/channels/chan_iax2.c?view=diff&rev=372029&r1=372028&r2=372029
==============================================================================
--- trunk/channels/chan_iax2.c (original)
+++ trunk/channels/chan_iax2.c Thu Aug 30 11:25:34 2012
@@ -7699,7 +7699,7 @@
while ((user = ao2_iterator_next(&i))) {
if ((ast_strlen_zero(iaxs[callno]->username) || /* No username specified */
!strcmp(iaxs[callno]->username, user->name)) /* Or this username specified */
- && ast_apply_acl(user->acl, &addr, "IAX2 user ACL: ") /* Access is permitted from this IP */
+ && (ast_apply_acl(user->acl, &addr, "IAX2 user ACL: ") == AST_SENSE_ALLOW) /* Access is permitted from this IP */
&& (ast_strlen_zero(iaxs[callno]->context) || /* No context specified */
apply_context(user->contexts, iaxs[callno]->context))) { /* Context is permitted */
if (!ast_strlen_zero(iaxs[callno]->username)) {
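Review bot: The switch to an explicit `== AST_SENSE_ALLOW` comparison in the iterator loop is not covered by the log message, which describes only the realtime lookup path. Please state in the log whether this line changes behaviour for users found by the iterator or is a readability cleanup, so that anyone backporting the fix knows whether this hunk is required alongside the realtime one.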
@@ -7757,8 +7757,9 @@
user = best;
if (!user && !ast_strlen_zero(iaxs[callno]->username)) {
user = realtime_user(iaxs[callno]->username, sin);
- if (user && !ast_strlen_zero(iaxs[callno]->context) && /* No context specified */
- !apply_context(user->contexts, iaxs[callno]->context)) { /* Context is permitted */
+ if (user && (ast_apply_acl(user->acl, &addr, "IAX2 user ACL: ") == AST_SENSE_DENY /* Access is denied from this IP */
+ || (!ast_strlen_zero(iaxs[callno]->context) && /* No context specified */
+ !apply_context(user->contexts, iaxs[callno]->context)))) { /* Context is permitted */
user = user_unref(user);
}
}
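Review bot: The new ACL test on the realtime path rejects only when `ast_apply_acl(...) == AST_SENSE_DENY`, while the iterator loop in the previous hunk accepts only on `== AST_SENSE_ALLOW`; on any other return value the two paths would disagree, and this one would let the user through. Suggest testing `!= AST_SENSE_ALLOW` here so both paths fail closed on the same condition. Separately, the carried-over comments `/* No context specified */` and `/* Context is permitted */` sit beside negated conditions (`!ast_strlen_zero(...)` and `!apply_context(...)`) and read as the opposite of what the code tests; reword them to match, as the new `/* Access is denied from this IP */` comment does.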