kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-10-12 15:45:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Restrict functionality when ACLs are misconfigured.

Browse Source 
This patch has two main purposes:

1) Improve warning messages when ACLs are configured improperly.
2) Prevent misconfigured ACLs from allowing potentially unwanted
traffic.

To acomplish point (2) in most cases, whatever configuration object that
the ACL belonged to was not allowed to load.

The one exception is res_pjsip_acl. In that case, ACLs are their own
configuration object. Furthermore, the module loading code has no
indication that a ACL configuration had a failure. So the tactic taken
here is to create an ACL that just blocks everything.

ASTERISK-24969
Reported by Corey Farrell

Change-Id: I2ebcb6959cefad03cea4d81401be946203fcacae
This commit is contained in:
Mark Michelson
2015-04-28 17:00:37 -05:00
parent 57cbb4bc8d
commit 11ffcf662f
8 changed files with 146 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
res/res_pjsip_acl.c
View File

@@ -238,8 +238,21 @@ static int acl_handler(const struct aco_option *opt, struct ast_variable *var, v
if (!strncmp(var->name, "contact_", 8)) {
ast_append_acl(var->name + 8, var->value, &sip_acl->contact_acl, &error, &ignore);
if (error) {
ast_log(LOG_ERROR, "Bad contact ACL '%s' at line '%d' of pjsip.conf\n",
var->value, var->lineno);
}
} else {
ast_append_acl(var->name, var->value, &sip_acl->acl, &error, &ignore);
if (error) {
ast_log(LOG_ERROR, "Bad ACL '%s' at line '%d' of pjsip.conf\n",
var->value, var->lineno);
}
}
if (error) {
ast_log(LOG_ERROR, "There is an error in ACL configuration. Blocking ALL SIP traffic.\n");
ast_append_acl("deny", "0.0.0.0/0.0.0.0", &sip_acl->acl, NULL, &ignore);
}
return error;