From acbe1f90e704680c0ae56c0303123fde696adad3 Mon Sep 17 00:00:00 2001 From: Matthew Jordan Date: Thu, 30 Aug 2012 16:25:34 +0000 Subject: AST-2012-013: Resolve ACL rules being ignored during calls by some IAX2 peers When an IAX2 call is made using the credentials of a peer defined in a dynamic Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are not applied to the call attempt. This allows for a remote attacker who is aware of a peer's credentials to bypass the ACL rules set for that peer. This patch ensures that the ACLs are applied for all peers, regardless of their storage mechanism. (closes issue ASTERISK-20186) Reported by: Alan Frisch Tested by: mjordan, Alan Frisch ........ Merged revisions 372028 from http://svn.asterisk.org/svn/asterisk/branches/11 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@372029 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- channels/chan_iax2.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c index 377496288..1b71aa131 100644 --- a/channels/chan_iax2.c +++ b/channels/chan_iax2.c @@ -7699,7 +7699,7 @@ static int check_access(int callno, struct sockaddr_in *sin, struct iax_ies *ies while ((user = ao2_iterator_next(&i))) { if ((ast_strlen_zero(iaxs[callno]->username) || /* No username specified */ !strcmp(iaxs[callno]->username, user->name)) /* Or this username specified */ - && ast_apply_acl(user->acl, &addr, "IAX2 user ACL: ") /* Access is permitted from this IP */ + && (ast_apply_acl(user->acl, &addr, "IAX2 user ACL: ") == AST_SENSE_ALLOW) /* Access is permitted from this IP */ && (ast_strlen_zero(iaxs[callno]->context) || /* No context specified */ apply_context(user->contexts, iaxs[callno]->context))) { /* Context is permitted */ if (!ast_strlen_zero(iaxs[callno]->username)) { @@ -7757,8 +7757,9 @@ static int check_access(int callno, struct sockaddr_in *sin, struct iax_ies *ies user = best; if (!user && !ast_strlen_zero(iaxs[callno]->username)) { user = realtime_user(iaxs[callno]->username, sin); - if (user && !ast_strlen_zero(iaxs[callno]->context) && /* No context specified */ - !apply_context(user->contexts, iaxs[callno]->context)) { /* Context is permitted */ + if (user && (ast_apply_acl(user->acl, &addr, "IAX2 user ACL: ") == AST_SENSE_DENY /* Access is denied from this IP */ + || (!ast_strlen_zero(iaxs[callno]->context) && /* No context specified */ + !apply_context(user->contexts, iaxs[callno]->context)))) { /* Context is permitted */ user = user_unref(user); } } -- cgit v1.2.3