Asterisk
/
asterisk
mirror of https://github.com/asterisk/asterisk
1
0
Fork 0
Code Issues Releases Wiki Activity

AST-2012-013: Resolve ACL rules being ignored during calls by some IAX2 peers

Browse Source 
When an IAX2 call is made using the credentials of a peer defined in a dynamic
Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are
not applied to the call attempt. This allows for a remote attacker who is aware
of a peer's credentials to bypass the ACL rules set for that peer.

This patch ensures that the ACLs are applied for all peers, regardless of their
storage mechanism.

(closes issue ASTERISK-20186)
Reported by: Alan Frisch
Tested by: mjordan, Alan Frisch
........

Merged revisions 372028 from http://svn.asterisk.org/svn/asterisk/branches/11


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@372029 65c4cc65-6c06-0410-ace0-fbb531ad65f3
changes/78/78/1
Matthew Jordan 13 years ago
parent d624f2c550
commit acbe1f90e7
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File

7
channels/chan_iax2.c
Unescape View File

@ -7699,7 +7699,7 @@ static int check_access(int callno, struct sockaddr_in *sin, struct iax_ies *ies
while ((user = ao2_iterator_next(&i))) { while ((user = ao2_iterator_next(&i))) {
if ((ast_strlen_zero(iaxs[callno]->username) || /* No username specified */ if ((ast_strlen_zero(iaxs[callno]->username) || /* No username specified */
!strcmp(iaxs[callno]->username, user->name)) /* Or this username specified */ !strcmp(iaxs[callno]->username, user->name)) /* Or this username specified */
&& ast_apply_acl(user->acl, &addr, "IAX2 user ACL: ") /* Access is permitted from this IP */ && (ast_apply_acl(user->acl, &addr, "IAX2 user ACL: ") == AST_SENSE_ALLOW) /* Access is permitted from this IP */
&& (ast_strlen_zero(iaxs[callno]->context) || /* No context specified */ && (ast_strlen_zero(iaxs[callno]->context) || /* No context specified */
apply_context(user->contexts, iaxs[callno]->context))) { /* Context is permitted */ apply_context(user->contexts, iaxs[callno]->context))) { /* Context is permitted */
if (!ast_strlen_zero(iaxs[callno]->username)) { if (!ast_strlen_zero(iaxs[callno]->username)) {
@ -7757,8 +7757,9 @@ static int check_access(int callno, struct sockaddr_in *sin, struct iax_ies *ies
user = best; user = best;
if (!user && !ast_strlen_zero(iaxs[callno]->username)) { if (!user && !ast_strlen_zero(iaxs[callno]->username)) {
user = realtime_user(iaxs[callno]->username, sin); user = realtime_user(iaxs[callno]->username, sin);
if (user && !ast_strlen_zero(iaxs[callno]->context) && /* No context specified */ if (user && (ast_apply_acl(user->acl, &addr, "IAX2 user ACL: ") == AST_SENSE_DENY /* Access is denied from this IP */
!apply_context(user->contexts, iaxs[callno]->context)) { /* Context is permitted */ || (!ast_strlen_zero(iaxs[callno]->context) && /* No context specified */
!apply_context(user->contexts, iaxs[callno]->context)))) { /* Context is permitted */
user = user_unref(user); user = user_unref(user);
} }
} }

Write Preview
Loading…
Cancel
Save