kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-02 19:16:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge "chan_sip.c: Prevent address change on unauthenticated SIP request."

Browse Source
This commit is contained in:
Benjamin Keith Ford
2019-11-21 13:55:03 -06:00
committed by Gerrit Code Review
parent 7e3a6e158f 4a1cadeadb
commit 987e10c75f
1 changed files with 16 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
channels/chan_sip.c
View File

@@ -19245,18 +19245,6 @@ static enum check_auth_result check_peer_ok(struct sip_pvt *p, char *of,
bogus_peer = NULL; bogus_peer = NULL;
} }
/* build_peer, called through sip_find_peer, is not able to check the
* sip_pvt->natdetected flag in order to determine if the peer is behind
* NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
* are set on the peer. So we check for that here and set the peer's
* address accordingly.
*/
set_peer_nat(p, peer);
if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
ast_sockaddr_copy(&peer->addr, &p->recv);
}
if (!ast_apply_acl(peer->acl, addr, "SIP Peer ACL: ")) { if (!ast_apply_acl(peer->acl, addr, "SIP Peer ACL: ")) {
ast_debug(2, "Found peer '%s' for '%s', but fails host access\n", peer->name, of); ast_debug(2, "Found peer '%s' for '%s', but fails host access\n", peer->name, of);
sip_unref_peer(peer, "sip_unref_peer: check_peer_ok: from sip_find_peer call, early return of AUTH_ACL_FAILED"); sip_unref_peer(peer, "sip_unref_peer: check_peer_ok: from sip_find_peer call, early return of AUTH_ACL_FAILED");
@@ -19325,6 +19313,21 @@ static enum check_auth_result check_peer_ok(struct sip_pvt *p, char *of,
ast_string_field_set(p, peermd5secret, NULL); ast_string_field_set(p, peermd5secret, NULL);
} }
if (!(res = check_auth(p, req, peer->name, p->peersecret, p->peermd5secret, sipmethod, uri2, reliable))) { if (!(res = check_auth(p, req, peer->name, p->peersecret, p->peermd5secret, sipmethod, uri2, reliable))) {
/* build_peer, called through sip_find_peer, is not able to check the
* sip_pvt->natdetected flag in order to determine if the peer is behind
* NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
* are set on the peer. So we check for that here and set the peer's
* address accordingly. The address should ONLY be set once we are sure
* authentication was a success. If, for example, an INVITE was sent that
* matched the peer name but failed the authentication check, the address
* would be updated, which is bad.
*/
set_peer_nat(p, peer);
if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
ast_sockaddr_copy(&peer->addr, &p->recv);
}
/* If we have a call limit, set flag */ /* If we have a call limit, set flag */
if (peer->call_limit) if (peer->call_limit)
ast_set_flag(&p->flags[0], SIP_CALL_LIMIT); ast_set_flag(&p->flags[0], SIP_CALL_LIMIT);
@@ -19424,6 +19427,7 @@ static enum check_auth_result check_peer_ok(struct sip_pvt *p, char *of,
} }
} }
sip_unref_peer(peer, "check_peer_ok: sip_unref_peer: tossing temp ptr to peer from sip_find_peer"); sip_unref_peer(peer, "check_peer_ok: sip_unref_peer: tossing temp ptr to peer from sip_find_peer");
return res; return res;
} }