Skip to content
Snippets Groups Projects
Commit 987e10c7 authored by Benjamin Keith Ford's avatar Benjamin Keith Ford Committed by Gerrit Code Review
Browse files

Merge "chan_sip.c: Prevent address change on unauthenticated SIP request."

parents 7e3a6e15 4a1cadea
Branches
Tags
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 16 additions and 12 deletions
channels/chan_sip.c
+ 16
12
View file @ 987e10c7
...@@ -19245,18 +19245,6 @@ static enum check_auth_result check_peer_ok(struct sip_pvt *p, char *of, ...@@ -19245,18 +19245,6 @@ static enum check_auth_result check_peer_ok(struct sip_pvt *p, char *of,
bogus_peer = NULL; bogus_peer = NULL;
} }
   
/* build_peer, called through sip_find_peer, is not able to check the
* sip_pvt->natdetected flag in order to determine if the peer is behind
* NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
* are set on the peer. So we check for that here and set the peer's
* address accordingly.
*/
set_peer_nat(p, peer);
if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
ast_sockaddr_copy(&peer->addr, &p->recv);
}
if (!ast_apply_acl(peer->acl, addr, "SIP Peer ACL: ")) { if (!ast_apply_acl(peer->acl, addr, "SIP Peer ACL: ")) {
ast_debug(2, "Found peer '%s' for '%s', but fails host access\n", peer->name, of); ast_debug(2, "Found peer '%s' for '%s', but fails host access\n", peer->name, of);
sip_unref_peer(peer, "sip_unref_peer: check_peer_ok: from sip_find_peer call, early return of AUTH_ACL_FAILED"); sip_unref_peer(peer, "sip_unref_peer: check_peer_ok: from sip_find_peer call, early return of AUTH_ACL_FAILED");
...@@ -19325,6 +19313,21 @@ static enum check_auth_result check_peer_ok(struct sip_pvt *p, char *of, ...@@ -19325,6 +19313,21 @@ static enum check_auth_result check_peer_ok(struct sip_pvt *p, char *of,
ast_string_field_set(p, peermd5secret, NULL); ast_string_field_set(p, peermd5secret, NULL);
} }
if (!(res = check_auth(p, req, peer->name, p->peersecret, p->peermd5secret, sipmethod, uri2, reliable))) { if (!(res = check_auth(p, req, peer->name, p->peersecret, p->peermd5secret, sipmethod, uri2, reliable))) {
/* build_peer, called through sip_find_peer, is not able to check the
* sip_pvt->natdetected flag in order to determine if the peer is behind
* NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
* are set on the peer. So we check for that here and set the peer's
* address accordingly. The address should ONLY be set once we are sure
* authentication was a success. If, for example, an INVITE was sent that
* matched the peer name but failed the authentication check, the address
* would be updated, which is bad.
*/
set_peer_nat(p, peer);
if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
ast_sockaddr_copy(&peer->addr, &p->recv);
}
/* If we have a call limit, set flag */ /* If we have a call limit, set flag */
if (peer->call_limit) if (peer->call_limit)
ast_set_flag(&p->flags[0], SIP_CALL_LIMIT); ast_set_flag(&p->flags[0], SIP_CALL_LIMIT);
...@@ -19424,6 +19427,7 @@ static enum check_auth_result check_peer_ok(struct sip_pvt *p, char *of, ...@@ -19424,6 +19427,7 @@ static enum check_auth_result check_peer_ok(struct sip_pvt *p, char *of,
} }
} }
sip_unref_peer(peer, "check_peer_ok: sip_unref_peer: tossing temp ptr to peer from sip_find_peer"); sip_unref_peer(peer, "check_peer_ok: sip_unref_peer: tossing temp ptr to peer from sip_find_peer");
return res; return res;
} }
   
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment