[asterisk-dev] Another IAX2 problem with the latest security fix ...

Russell Bryant russell at digium.com
Fri May 30 07:35:57 CDT 2008

Tim Panton wrote:
> I'm not comfortable with this.
> The RFC draft says ACKs are optional.
> (any subsequent fullframe can act as an ACK if it
> has the appropriate sequence number)
> So you can set up a call without using an ACK packet.
> Simplest case is
> a NEW
> - off you go.

That is a _very_ good reason why my idea was a bad one.  Thank you for pointing 
that out!

> It makes no sense to have a LAGRQ packet without a call set up.
> Arguably it makes no sense to have a PING without a call.
> For what it is worth, I think it would be better to
> implement the initial 'hack' i.e. don't send LAGRQ or PING
> until the call is set up.
> Then add an additional hack where these two don't have their
> call numbers checked for backwards compatibility.

Agreed.  So, we'll go with my original hack, plus your proposed hack #2 which 
will maintain backwards compatibility, without introducing any unsafe behavior.

Thanks again for the feedback,

Russell Bryant
Senior Software Engineer
Open Source Team Lead
Digium, Inc.
