[feed/telephony.git] / net / asterisk-15.x / patches / 120-AST-2018-008-15.diff

From f597032e833a4d3e8e710e5b1416ba780f002b8b Mon Sep 17 00:00:00 2001
From: Richard Mudgett <rmudgett@digium.com>
Date: Mon, 30 Apr 2018 17:38:58 -0500
Subject: [PATCH] AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.

When endpoint specific ACL rules block a SIP request they respond with a
403 forbidden.  However, if an endpoint is not identified then a 401
unauthorized response is sent.  This vulnerability just discloses which
requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain
access to the disclosed endpoints.

* Made endpoint specific ACL rules now respond with a 401 unauthorized
which is the same as if an endpoint were not identified.  The fix is
accomplished by replacing the found endpoint with the artificial endpoint
which always fails authentication.

ASTERISK-27818

Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32
---

--- a/res/res_pjsip/pjsip_distributor.c
+++ b/res/res_pjsip/pjsip_distributor.c
@@ -676,6 +676,26 @@ static void check_endpoint(pjsip_rx_data
        ao2_unlock(unid);
 }
 
+static int apply_endpoint_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
+static int apply_endpoint_contact_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
+
+static void apply_acls(pjsip_rx_data *rdata)
+{
+       struct ast_sip_endpoint *endpoint;
+
+       /* Is the endpoint allowed with the source or contact address? */
+       endpoint = rdata->endpt_info.mod_data[endpoint_mod.id];
+       if (endpoint != artificial_endpoint
+               && (apply_endpoint_acl(rdata, endpoint)
+                       || apply_endpoint_contact_acl(rdata, endpoint))) {
+               ast_debug(1, "Endpoint '%s' not allowed by ACL\n",
+                       ast_sorcery_object_get_id(endpoint));
+
+               /* Replace the rdata endpoint with the artificial endpoint. */
+               ao2_replace(rdata->endpt_info.mod_data[endpoint_mod.id], artificial_endpoint);
+       }
+}
+
 static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
 {
        struct ast_sip_endpoint *endpoint;
@@ -694,6 +714,7 @@ static pj_bool_t endpoint_lookup(pjsip_r
                        ao2_unlink(unidentified_requests, unid);
                        ao2_ref(unid, -1);
                }
+               apply_acls(rdata);
                return PJ_FALSE;
        }
 
@@ -753,6 +774,8 @@ static pj_bool_t endpoint_lookup(pjsip_r
                        ast_sip_report_invalid_endpoint(name, rdata);
                }
        }
+
+       apply_acls(rdata);
        return PJ_FALSE;
 }
 
@@ -836,16 +859,11 @@ static pj_bool_t authenticate(pjsip_rx_d
 
        ast_assert(endpoint != NULL);
 
-       if (endpoint!=artificial_endpoint) {
-               if (apply_endpoint_acl(rdata, endpoint) || apply_endpoint_contact_acl(rdata, endpoint)) {
-                       if (!is_ack) {
-                               pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
-                       }
-                       return PJ_TRUE;
-               }
+       if (is_ack) {
+               return PJ_FALSE;
        }
 
-       if (!is_ack && ast_sip_requires_authentication(endpoint, rdata)) {
+       if (ast_sip_requires_authentication(endpoint, rdata)) {
                pjsip_tx_data *tdata;
                struct unidentified_request *unid;
 
@@ -881,6 +899,10 @@ static pj_bool_t authenticate(pjsip_rx_d
                        return PJ_TRUE;
                }
                pjsip_tx_data_dec_ref(tdata);
+       } else if (endpoint == artificial_endpoint) {
+               /* Uh. Oh.  The artificial endpoint couldn't challenge so block the request. */
+               pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);
+               return PJ_TRUE;
        }
 
        return PJ_FALSE;