]> git.ipfire.org Git - thirdparty/asterisk.git/commitdiff
projects / thirdparty / asterisk.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 245b61a)
res_rtp_asterisk.c: Fix DTLS packet drop when TURN loopback re-injection occurs befor...
authorRobert Wilson <rwilson@ddisoftware.co.uk>
Tue, 3 Mar 2026 13:30:15 +0000 (13:30 +0000)
committerRobert Wilson <rwilson@ddisoftware.co.uk>
Wed, 4 Mar 2026 14:23:23 +0000 (14:23 +0000)
When TURN is configured in rtp.conf, pjproject re-injects TURN packets
via 127.0.0.1 (the loopback address). The DTLS packet handler checks the
source address against the ICE active candidate list before the loopback
address substitution runs, causing the packet to be silently dropped as
the source 127.0.0.1 is not in the candidate list.

Fix by performing the loopback address substitution before the ICE
candidate source check in the DTLS path, mirroring the logic already
present in the non-DTLS RTP path.

Fixes: #1795
UserNote: WebRTC calls using TURN configured in rtp.conf (turnaddr,
turnusername, turnpassword) will now correctly complete DTLS/SRTP
negotiation. Previously all DTLS packets were silently dropped due to
the loopback re-injection address not being in the ICE active candidate
list.

res/res_rtp_asterisk.c patch | blob | blame | history

diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
index 5f63eb073708d8a839d73cc2148dfe170e75506f..c99bab405b077299007e052322f4fa061f0d41ef 100644 (file)
--- a/res/res_rtp_asterisk.c
+++ b/res/res_rtp_asterisk.c
@@ -3267,6 +3267,18 @@ static int __rtp_recvfrom(struct ast_rtp_instance *instance, void *buf, size_t s
 
                ast_debug_dtls(3, "(%p) DTLS - __rtp_recvfrom rtp=%p - Got SSL packet '%d'\n", instance, rtp, *in);
 
+#ifdef HAVE_PJPROJECT
+               /* If this packet arrived via TURN/ICE loopback re-injection,
+                * substitute the real remote address before the candidate check
+                * otherwise the DTLS check will see 127.0.0.1 and drop the packet.
+                */
+               if (!ast_sockaddr_isnull(&rtp->rtp_loop) && !ast_sockaddr_cmp(&rtp->rtp_loop, sa)) {
+                       ast_rtp_instance_get_remote_address(instance, sa);
+               } else if (rtcp && !ast_sockaddr_isnull(&rtp->rtcp_loop) && !ast_sockaddr_cmp(&rtp->rtcp_loop, sa)) {
+                       ast_sockaddr_copy(sa, &rtp->rtcp->them);
+               }
+#endif
+
                /*
                 * If ICE is in use, we can prevent a possible DOS attack
                 * by allowing DTLS protocol messages (client hello, etc)
Mirror of https://github.com/asterisk/asterisk.git