Merged revisions 270658 via svnmerge from

https://origsvn.digium.com/svn/asterisk/trunk

........
  r270658 | twilson | 2010-06-15 15:18:04 -0500 (Tue, 15 Jun 2010) | 20 lines

  Make contactdeny apply to src ip when nat=yes

  chan_sip's "contactdeny" feature screens the "to be registered contact".
  In case of nat=yes it should not use the address information from the
  Contact header (which is not used at all for routing), but the source
  IP address of the request.

  Thus, if nat=yes and a client sends a request from a denied IP address
  (e.g. by spoofing the src-IP address) it can bypass the screening.

  This commit makes contactdeny apply to the src ip when nat=yes instead.

  (closes issue #17276)
  Reported by: klaus3000
  Patches:
        patch-asterisk-trunk-contactdeny.txt uploaded by klaus3000 (license 65)
  Tested by: klaus3000

  Review: [full review board URL with trailing slash]
........

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@270724 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index d678f7bd43c9d3405051de51b4b924a86978dd8c..ef4a435dc8f4fd94c93203a1905d6cd6cbf8e32b 100644 (file)
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -8743,25 +8743,17 @@ static enum parse_register_result parse_register_contact(struct sip_pvt *pvt, st
        }
        oldsin = peer->addr;
 
-       /* Check that they're allowed to register at this IP */
-       /* XXX This could block for a long time XXX */
-       hp = ast_gethostbyname(n, &ahp);
-       if (!hp)  {
-               ast_log(LOG_WARNING, "Invalid host '%s'\n", n);
-               *peer->fullcontact = '\0';
-               ast_string_field_set(pvt, our_contact, "");
-               return PARSE_REGISTER_FAILED;
-       }
-       memcpy(&testsin.sin_addr, hp->h_addr, sizeof(testsin.sin_addr));
-       if (    ast_apply_ha(global_contact_ha, &testsin) != AST_SENSE_ALLOW ||
-                       ast_apply_ha(peer->contactha, &testsin) != AST_SENSE_ALLOW) {
-               ast_log(LOG_WARNING, "Host '%s' disallowed by contact ACL (violating IP %s)\n", n, ast_inet_ntoa(testsin.sin_addr));
-               *peer->fullcontact = '\0';
-               ast_string_field_set(pvt, our_contact, "");
-               return PARSE_REGISTER_DENIED;
-       }
-
        if (!ast_test_flag(&peer->flags[0], SIP_NAT_ROUTE)) {
+               /* use the data provided in the Contact header for call routing */
+               /* XXX This could block for a long time XXX */
+               hp = ast_gethostbyname(n, &ahp);
+               if (!hp)  {
+                       ast_log(LOG_WARNING, "Invalid host '%s'\n", n);
+                       *peer->fullcontact = '\0';
+                       ast_string_field_set(pvt, our_contact, "");
+                       return PARSE_REGISTER_FAILED;
+               }
+
                peer->addr.sin_family = AF_INET;
                memcpy(&peer->addr.sin_addr, hp->h_addr, sizeof(peer->addr.sin_addr));
                peer->addr.sin_port = htons(port);
@@ -8771,6 +8763,16 @@ static enum parse_register_result parse_register_contact(struct sip_pvt *pvt, st
                peer->addr = pvt->recv;
        }
 
+       /* Check that they're allowed to register at this IP */
+       memcpy(&testsin.sin_addr, &peer->addr.sin_addr, sizeof(testsin.sin_addr));
+       if (ast_apply_ha(global_contact_ha, &testsin) != AST_SENSE_ALLOW ||
+                       ast_apply_ha(peer->contactha, &testsin) != AST_SENSE_ALLOW) {
+               ast_log(LOG_WARNING, "Host '%s' disallowed by contact ACL (violating IP %s)\n", n, ast_inet_ntoa(testsin.sin_addr));
+               *peer->fullcontact = '\0';
+               ast_string_field_set(pvt, our_contact, "");
+               return PARSE_REGISTER_DENIED;
+       }
+
        /* Save SIP options profile */
        peer->sipoptions = pvt->sipoptions;