Summary: | ASTERISK-11184: Wrong matching of "type=friend" (but username mismatches!!) | ||
Reporter: | Iñaki Baz Castillo (ibc) | Labels: | |
Date Opened: | 2008-01-09 07:46:51.000-0600 | Date Closed: | 2011-06-07 14:02:43 |
Priority: | Major | Regression? | No |
Status: | Closed/Complete | Components: | Channels/chan_sip/General |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ( 0) friend_peer_sip.conf ( 1) friend_peer_sip-show-peers.txt ( 2) friend_peer.log ( 3) peer_friend_sip.conf ( 4) peer_friend_sip-show-peers.txt ( 5) peer_friend.log ( 6) README.txt | |
Description: | When there are both SIP "friend" and "peer" defined with same "host" parameter the "friend" is matched in cases it shouldn't (incorrect From username). It depends on the order "friend" and "peer" and defined in "sip.conf". This occurs as well using RealTime. ****** STEPS TO REPRODUCE ****** In sip.conf (the order is important!!): ------------------------------------- [iam_friend] type = friend username = iam_friend host = _IP_ context = test insecure = port [iam_peer] type = peer username = iam_peer host = _IP_ context = test insecure = port ------------------------------------- In extensions.conf: ------------------------------------- [test] exten => test,1,PlayBack(demo-thanks) ------------------------------------- Now use a softphone in _IP_ and call "test" with this "From": sip:lalalalalalalalaal@asterisk_ip And you'll see: Executing [test@test:1] Playback("SIP/iam_peer-0820b270", "demo-thanks") (note that "peer" has been matched --> OK) Now use this "From": sip:iam_friend@asterisk_ip You'll see: Executing [test@test:1] Playback("SIP/iam_friend-0820b271", "demo-thanks") (note that "friend" has been matched --> OK). This is OK, the expected behaviour: a "friend" is matched by its From username (a requisite) and if "host" is set then it must match too the source IP. Instead, a "peer" should just be mathed by its source IP. Ok, but now swap the users order: ------------------------------------- [iam_peer] type = peer username = iam_peer host = _IP_ context = test insecure = port [iam_friend] type = friend username = iam_friend host = _IP_ context = test insecure = port ------------------------------------- Now do a call with **any** From username (try "aim_friend", "bob", "alice", "iam_peer"...), you will **always** see: Executing [test@test:1] Playback("SIP/iam_friend-0820b272", "demo-thanks") Note that a "friend" is matched, how is it possible??? the username mismatches so?? The same occurs if "friends" are defined in RealTime (all of them with "host=_IP_" since it's a OpenSer subscriber table view) and there is a "peer" defined in sip.conf with same "host" used for calls from OpenSer but for users not subscribers to that OpenSer (anonymous calls). ****** ADDITIONAL INFORMATION ****** I'm not sure and haven't tryed, but I think this bug could become a vulnerability in some way. | ||
Comments: | By: Joshua C. Colp (jcolp) 2008-01-09 09:04:18.000-0600 Please provide a sip.conf that exhibits this with a sip debug and sip show peer for each. By: Iñaki Baz Castillo (ibc) 2008-01-09 10:09:36.000-0600 Ok, I've uploaded some files. Please read first the file "README.txt". By: Joshua C. Colp (jcolp) 2008-01-09 10:12:56.000-0600 It does make sense why this is happening the way it is. A friend entry essentially creates both a user and peer entry, and in your case you are making it create a peer entry that is almost (just different name) the same as your own peer entry. When it goes to find an entry based on IP address it grabs the peer listed last. By: Iñaki Baz Castillo (ibc) 2008-01-09 10:26:18.000-0600 The main question here is: how is matched a "friend"? AFAIK it requires "From" username to match the "friend" name but it doesn't occur and causes the issue I comment. To demostrate it: I delete the "peer" and leave just the "friend": [iam_friend] type = friend username = iam_friend host = 222.111.235.18 context = test insecure = port nat=yes Now I call with "From" username = "anonimo" and the peer is matched, why? I thougth it is a requisite that the "From" username matches "iam_friend", isn't it? Of course, if "host=dynamic" for a "friend" then the INVITE above will not match "iam_friend", so this seems no logical to me: It seems that matching "From" username with "friend" name is a need except if "host" is specific and matched. ¿?¿? PD: Please Olle, "kill the user"!! XD By: Joshua C. Colp (jcolp) 2008-01-09 10:29:29.000-0600 So here it goes: A friend creates both a user and a peer. A user is matched based on the username in the From header. In your case because you are using insecure the peer entry can be matched by the IP address. Most individuals don't use the insecure option with a friend entry, they just create a peer on their own. There is no "friend" type really... it just creates a user entry and a peer entry with the options given. By: Iñaki Baz Castillo (ibc) 2008-01-10 06:29:29.000-0600 > In your case because you are using insecure the peer entry can be matched > by the IP address. In fact, in other scenario it occurs the same to me (with RealTime users) I don't use "insecure" for peers but use an empty "secret". Maybe because that the peer can be matched by IP ignoring the username? By: Joshua C. Colp (jcolp) 2008-01-10 09:30:07.000-0600 I can not speak about realtime matching, I don't know about it. By: Joshua C. Colp (jcolp) 2008-01-14 15:50:05.000-0600 I'm confident that I've answered and described things enough to show that this is a configuration issue with how you have it configured. |