From 7c3ee0b76079dc291bdebee4ba46d0d7893052f8 Mon Sep 17 00:00:00 2001 From: Matthew Jordan Date: Thu, 30 Aug 2012 16:21:34 +0000 Subject: [PATCH] AST-2012-013: Resolve ACL rules being ignored during calls by some IAX2 peers When an IAX2 call is made using the credentials of a peer defined in a dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are not applied to the call attempt. This allows for a remote attacker who is aware of a peer's credentials to bypass the ACL rules set for that peer. This patch ensures that the ACLs are applied for all peers, regardless of their storage mechanism. (closes issue ASTERISK-20186) Reported by: Alan Frisch Tested by: mjordan, Alan Frisch git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@372015 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- channels/chan_iax2.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c index 2d9c291db2..1722411be7 100644 --- a/channels/chan_iax2.c +++ b/channels/chan_iax2.c @@ -7613,10 +7613,10 @@ static int check_access(int callno, struct sockaddr_in *sin, struct iax_ies *ies i = ao2_iterator_init(users, 0); while ((user = ao2_iterator_next(&i))) { if ((ast_strlen_zero(iaxs[callno]->username) || /* No username specified */ - !strcmp(iaxs[callno]->username, user->name)) /* Or this username specified */ - && ast_apply_ha(user->ha, &addr) /* Access is permitted from this IP */ + !strcmp(iaxs[callno]->username, user->name)) /* Or this username specified */ + && ast_apply_ha(user->ha, &addr) == AST_SENSE_ALLOW /* Access is permitted from this IP */ && (ast_strlen_zero(iaxs[callno]->context) || /* No context specified */ - apply_context(user->contexts, iaxs[callno]->context))) { /* Context is permitted */ + apply_context(user->contexts, iaxs[callno]->context))) { /* Context is permitted */ if (!ast_strlen_zero(iaxs[callno]->username)) { /* Exact match, stop right now. */ if (best) @@ -7672,8 +7672,9 @@ static int check_access(int callno, struct sockaddr_in *sin, struct iax_ies *ies user = best; if (!user && !ast_strlen_zero(iaxs[callno]->username)) { user = realtime_user(iaxs[callno]->username, sin); - if (user && !ast_strlen_zero(iaxs[callno]->context) && /* No context specified */ - !apply_context(user->contexts, iaxs[callno]->context)) { /* Context is permitted */ + if (user && (ast_apply_ha(user->ha, &addr) == AST_SENSE_DENY /* Access is denied from this IP */ + || (!ast_strlen_zero(iaxs[callno]->context) && /* No context specified */ + !apply_context(user->contexts, iaxs[callno]->context)))) { /* Context is permitted */ user = user_unref(user); } }