net/asterisk-16.x/patches/170-AST-2019-006-16.diff

   1 From 8cdaa93e658a46e7baf6b606468b5e2c88a0133b Mon Sep 17 00:00:00 2001
   2 From: Ben Ford <bford@digium.com>
   3 Date: Mon, 21 Oct 2019 14:55:06 -0500
   4 Subject: [PATCH] chan_sip.c: Prevent address change on unauthenticated SIP request.
   5
   6 If the name of a peer is known and a SIP request is sent using that
   7 peer's name, the address of the peer will change even if the request
   8 fails the authentication challenge. This means that an endpoint can
   9 be altered and even rendered unusuable, even if it was in a working
  10 state previously. This can only occur when the nat option is set to the
  11 default, or auto_force_rport.
  12
  13 This change checks the result of authentication first to ensure it is
  14 successful before setting the address and the nat option.
  15
  16 ASTERISK-28589 #close
  17
  18 Change-Id: I581c5ed1da60ca89f590bd70872de2b660de02df
  19 ---
  20
  21 diff --git a/channels/chan_sip.c b/channels/chan_sip.c
  22 index 6ac2e61..4d79a47 100644
  23 --- a/channels/chan_sip.c
  24 +++ b/channels/chan_sip.c
  25 @@ -19245,18 +19245,6 @@
  26                 bogus_peer = NULL;
  27         }
  28
  29 -       /*  build_peer, called through sip_find_peer, is not able to check the
  30 -        *  sip_pvt->natdetected flag in order to determine if the peer is behind
  31 -        *  NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
  32 -        *  are set on the peer.  So we check for that here and set the peer's
  33 -        *  address accordingly.
  34 -        */
  35 -       set_peer_nat(p, peer);
  36 -
  37 -       if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
  38 -               ast_sockaddr_copy(&peer->addr, &p->recv);
  39 -       }
  40 -
  41         if (!ast_apply_acl(peer->acl, addr, "SIP Peer ACL: ")) {
  42                 ast_debug(2, "Found peer '%s' for '%s', but fails host access\n", peer->name, of);
  43                 sip_unref_peer(peer, "sip_unref_peer: check_peer_ok: from sip_find_peer call, early return of AUTH_ACL_FAILED");
  44 @@ -19325,6 +19313,21 @@
  45                 ast_string_field_set(p, peermd5secret, NULL);
  46         }
  47         if (!(res = check_auth(p, req, peer->name, p->peersecret, p->peermd5secret, sipmethod, uri2, reliable))) {
  48 +
  49 +               /* build_peer, called through sip_find_peer, is not able to check the
  50 +                * sip_pvt->natdetected flag in order to determine if the peer is behind
  51 +                * NAT or not when SIP_PAGE3_NAT_AUTO_RPORT or SIP_PAGE3_NAT_AUTO_COMEDIA
  52 +                * are set on the peer. So we check for that here and set the peer's
  53 +                * address accordingly. The address should ONLY be set once we are sure
  54 +                * authentication was a success. If, for example, an INVITE was sent that
  55 +                * matched the peer name but failed the authentication check, the address
  56 +                * would be updated, which is bad.
  57 +                */
  58 +               set_peer_nat(p, peer);
  59 +               if (p->natdetected && ast_test_flag(&peer->flags[2], SIP_PAGE3_NAT_AUTO_RPORT)) {
  60 +                       ast_sockaddr_copy(&peer->addr, &p->recv);
  61 +               }
  62 +
  63                 /* If we have a call limit, set flag */
  64                 if (peer->call_limit)
  65                         ast_set_flag(&p->flags[0], SIP_CALL_LIMIT);
  66 @@ -19424,6 +19427,7 @@
  67                 }
  68         }
  69         sip_unref_peer(peer, "check_peer_ok: sip_unref_peer: tossing temp ptr to peer from sip_find_peer");
  70 +
  71         return res;
  72  }
  73