[asterisk-dev] Peer matching in trunk - matching on contact?
Olle E. Johansson
oej at edvina.net
Tue Sep 1 06:25:52 CDT 2009
While maintaining a new branch, I found this addition to the code
which surprised me a bit.
I think matching based on a header in the SIP message really needs a
configuration option to be set, since this is highly insecure.
Not saying that matching on IP and port numbers is secure, but relying
on the contact header for matching seems even more open for problems.
And if it's impossible to match on p->recv when there's a TCP session,
why do we do that on the line above? Shouldn't that be disabled?
We do need to start the campaign for "No more ugly patching, find a
new way of matching devices in chan_sip" - let's call it "Codename
Chestnut".
/Olle
--------------------------
	/* If the peer is still not found, try the address and port from the
	 * contact header. If the transport type is TCP or TLS it is not possible
	 * to find the peer using p->recv. Because of the way TCP works, the received
	 * packet's destination port will not match the one the peer table is
	 * built with. */
	if (!peer && (p->socket.type != SIP_TRANSPORT_UDP)) {
		struct sockaddr_in tmpsin;
		char contact[SIPBUFSIZE];
		char *tmp;
		memcpy(&tmpsin, &p->recv, sizeof(tmpsin));
		ast_copy_string(contact, get_header(req, "Contact"), sizeof(contact));
		tmp = get_in_brackets(contact);
		__set_address_from_contact(tmp, &tmpsin, 1);
		peer = find_peer(NULL, &tmpsin, TRUE, FINDPEERS, FALSE);
	}
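
The concern raised in the message above, as an added example that is not part of the original post and is not Asterisk code: a simplified peer lookup where the Contact fallback is gated behind an option that defaults to off. The structs, the peer table, the `match_on_contact` option and all addresses are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for chan_sip's peer table and request. */
struct peer { const char *name, *host; int port; };
struct request { const char *recv_host; int recv_port, is_udp; const char *contact; };
static const struct peer peers[] = {            /* constructed sample data */
    { "trunk-a", "192.0.2.10", 5060 },
    { "phone-b", "192.0.2.20", 5060 },
};

static const struct peer *find_by_addr(const char *host, int port)
{
    for (size_t i = 0; i < sizeof(peers) / sizeof(peers[0]); i++)
        if (!strcmp(peers[i].host, host) && peers[i].port == port)
            return &peers[i];
    return NULL;
}

/* Extract host and port from "<sip:user@host:port>" (IPv4/hostname only). */
static int parse_contact(const char *contact, char host[64], int *port)
{
    const char *s = strchr(contact, '@');
    if (s) s++;
    else if ((s = strstr(contact, "sip:"))) s += 4;
    else return -1;
    *port = 5060;                               /* default SIP port */
    return sscanf(s, "%63[^:;>]:%d", host, port) >= 1 ? 0 : -1;
}

/* match_on_contact models the proposed option; 0 (off) is the safe default. */
static const struct peer *match_peer(const struct request *req, int match_on_contact)
{
    const struct peer *p = find_by_addr(req->recv_host, req->recv_port);
    char host[64]; int port;
    if (p || req->is_udp || !match_on_contact)
        return p;                               /* source address is the only input */
    if (parse_contact(req->contact, host, &port)) return NULL;
    return find_by_addr(host, port);            /* identity now comes from the sender */
}

/* Constructed request: TCP from an unrelated address, Contact names trunk-a. */
static const struct request sample = { "198.51.100.7", 49152, 0, "<sip:x@192.0.2.10:5060>" };
int main(void)
{
    const struct peer *on = match_peer(&sample, 1), *off = match_peer(&sample, 0);
    printf("option on: %s, option off: %s\n", on ? on->name : "(none)", off ? off->name : "(none)");
    return 0;
}
```

With the option off, a TCP peer whose source port differs from its configured port is not matched either, which is the trade-off the configuration option would expose.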