From 480f4128588f1797aeed722bbf52ee2d82ff22ae Mon Sep 17 00:00:00 2001 From: Terry Wilson <twilson@digium.com> Date: Tue, 15 Jun 2010 20:18:04 +0000 Subject: [PATCH] Make contactdeny apply to src ip when nat=yes chan_sip's "contactdeny" feature screens the "to be registered contact". In case of nat=yes it should not use the address information from the Contact header (which is not used at all for routing), but the source IP address of the request. Thus, if nat=yes and a client sends a request from a denied IP address (e.g. by spoofing the src-IP address) it can bypass the screening. This commit makes contactdeny apply to the src ip when nat=yes instead. (closes issue #17276) Reported by: klaus3000 Patches: patch-asterisk-trunk-contactdeny.txt uploaded by klaus3000 (license 65) Tested by: klaus3000 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@270658 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- channels/chan_sip.c | 43 ++++++++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/channels/chan_sip.c b/channels/chan_sip.c index 886425e443..588b63799e 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -12535,37 +12535,38 @@ static enum parse_register_result parse_register_contact(struct sip_pvt *pvt, st ao2_t_unlink(peers_by_ip, peer, "ao2_unlink of peer from peers_by_ip table"); } - /* Check that they're allowed to register at this IP */ - /* XXX This could block for a long time XXX */ - /*! \todo Check NAPTR/SRV if we have not got a port in the URI */ - hp = ast_gethostbyname(host, &ahp); - if (!hp) { - ast_log(LOG_WARNING, "Invalid host '%s'\n", host); - ast_string_field_set(peer, fullcontact, ""); - ast_string_field_set(pvt, our_contact, ""); - return PARSE_REGISTER_FAILED; - } - memcpy(&testsin.sin_addr, hp->h_addr, sizeof(testsin.sin_addr)); - if (ast_apply_ha(sip_cfg.contact_ha, &testsin) != AST_SENSE_ALLOW || - ast_apply_ha(peer->contactha, &testsin) != AST_SENSE_ALLOW) { - ast_log(LOG_WARNING, "Host '%s' disallowed by contact ACL (violating IP %s)\n", host, ast_inet_ntoa(testsin.sin_addr)); - ast_string_field_set(peer, fullcontact, ""); - ast_string_field_set(pvt, our_contact, ""); - return PARSE_REGISTER_DENIED; - } - - /*! \todo This could come before the checking of DNS earlier on, to avoid - DNS lookups where we don't need it... */ if (!ast_test_flag(&peer->flags[0], SIP_NAT_FORCE_RPORT) && !ast_test_flag(&peer->flags[0], SIP_NAT_RPORT_PRESENT)) { + /* use the data provided in the Contact header for call routing */ + ast_debug(1, "Store REGISTER's Contact header for call routing.\n"); + /* XXX This could block for a long time XXX */ + /*! \todo Check NAPTR/SRV if we have not got a port in the URI */ + hp = ast_gethostbyname(host, &ahp); + if (!hp) { + ast_log(LOG_WARNING, "Invalid host '%s'\n", host); + ast_string_field_set(peer, fullcontact, ""); + ast_string_field_set(pvt, our_contact, ""); + return PARSE_REGISTER_FAILED; + } peer->addr.sin_family = AF_INET; memcpy(&peer->addr.sin_addr, hp->h_addr, sizeof(peer->addr.sin_addr)); peer->addr.sin_port = htons(port); } else { /* Don't trust the contact field. Just use what they came to us with */ + ast_debug(1, "Store REGISTER's src-IP:port for call routing.\n"); peer->addr = pvt->recv; } + /* Check that they're allowed to register at this IP */ + memcpy(&testsin.sin_addr, &peer->addr.sin_addr, sizeof(testsin.sin_addr)); + if (ast_apply_ha(sip_cfg.contact_ha, &testsin) != AST_SENSE_ALLOW || + ast_apply_ha(peer->contactha, &testsin) != AST_SENSE_ALLOW) { + ast_log(LOG_WARNING, "Host '%s' disallowed by contact ACL (violating IP %s)\n", host, ast_inet_ntoa(testsin.sin_addr)); + ast_string_field_set(peer, fullcontact, ""); + ast_string_field_set(pvt, our_contact, ""); + return PARSE_REGISTER_DENIED; + } + /* if the Contact header information copied into peer->addr matches the * received address, and the transport types are the same, then copy socket * data into the peer struct */ -- GitLab