AST-2012-013: Resolve ACL rules being ignored during calls by some IAX2 peers

When an IAX2 call is made using the credentials of a peer defined in a dynamic
Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are
not applied to the call attempt. This allows for a remote attacker who is aware
of a peer's credentials to bypass the ACL rules set for that peer.

This patch ensures that the ACLs are applied for all peers, regardless of their
storage mechanism.

(closes issue ASTERISK-20186)
Reported by: Alan Frisch
Tested by: mjordan, Alan Frisch
........

Merged revisions 372015 from http://svn.asterisk.org/svn/asterisk/branches/1.8

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/10@372020 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index 5793e961677cd498cb1b54c1b038d1f5b88ca78e..841eeb6c7fc753e238b38368355c873ed616a0b2 100644 (file)
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -7720,10 +7720,10 @@ static int check_access(int callno, struct sockaddr_in *sin, struct iax_ies *ies
        i = ao2_iterator_init(users, 0);
        while ((user = ao2_iterator_next(&i))) {
                if ((ast_strlen_zero(iaxs[callno]->username) ||                         /* No username specified */
-                       !strcmp(iaxs[callno]->username, user->name))    /* Or this username specified */
-                       && ast_apply_ha(user->ha, &addr)        /* Access is permitted from this IP */
+                       !strcmp(iaxs[callno]->username, user->name))                    /* Or this username specified */
+                       && ast_apply_ha(user->ha, &addr) == AST_SENSE_ALLOW             /* Access is permitted from this IP */
                        && (ast_strlen_zero(iaxs[callno]->context) ||                   /* No context specified */
-                            apply_context(user->contexts, iaxs[callno]->context))) {                   /* Context is permitted */
+                               apply_context(user->contexts, iaxs[callno]->context))) {                        /* Context is permitted */
                        if (!ast_strlen_zero(iaxs[callno]->username)) {
                                /* Exact match, stop right now. */
                                if (best)
@@ -7779,8 +7779,9 @@ static int check_access(int callno, struct sockaddr_in *sin, struct iax_ies *ies
        user = best;
        if (!user && !ast_strlen_zero(iaxs[callno]->username)) {
                user = realtime_user(iaxs[callno]->username, sin);
-               if (user && !ast_strlen_zero(iaxs[callno]->context) &&                  /* No context specified */
-                   !apply_context(user->contexts, iaxs[callno]->context)) {            /* Context is permitted */
+               if (user && (ast_apply_ha(user->ha, &addr) == AST_SENSE_DENY            /* Access is denied from this IP */
+                       || (!ast_strlen_zero(iaxs[callno]->context) &&                                  /* No context specified */
+                               !apply_context(user->contexts, iaxs[callno]->context)))) {      /* Context is permitted */
                        user = user_unref(user);
                }
        }