This message was generated by the Security Alerts service (Free Trial 14th of August - 14th of September)
http://www.opensips.org/Resources/AlertsMain

*SVN commit*:
http://opensips.svn.sourceforge.net/viewvc/opensips?view=revision&revision=9165
http://opensips.svn.sourceforge.net/viewvc/opensips?view=revision&revision=9192

*Severity*: Low

*Version*  : all

*Affected modules*  : B2B_entities, pua and presence modules

*Effect*  : Advertising the wrong IP:port in the contact hdr

*Affected scenarios*: While using the presence or B2B related modules, when
OpenSIPS has to build the Contact header for generating new requests (acting
as UAC!), it ignores any "advertised address / port" options configured for
the interfaces.

*Description:*  Instead of checking whether any "advertise" options are set
for the interface, the Contact header was always built from the real IP and
port of the interface. In short, the "advertising" functionality (for
interfaces) was not working for these modules.

*Risks*  : a wrong Contact header is generated (wrong IP info, but
syntactically valid).

*Update*  :
- if you have an SVN checkout, 1.8 and trunk were fixed, so update to a
  revision later than 9192 (trunk) or 9193 (1.8 branch);
- if you built OpenSIPS from sources, see the attached patch;
- if using tarballs, they were already regenerated (and include the fix);
  available only for 1.8;
- if using the official Debian packages (apt.opensips.org), they were also
  regenerated and include the fix (available for 1.8 and trunk).


--
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com
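
To check whether a deployment shows the behaviour described in this alert, the Contact of requests OpenSIPS generates as UAC can be compared with the interface's real and advertised addresses. The script below is an added example, not part of the original alert or of OpenSIPS; the function names, the documentation-range addresses and the sample NOTIFY are constructed for illustration.

```python
import re

# host[:port] of the first sip:/sips: URI in a header value (user part optional)
URI_RE = re.compile(r"sips?:(?:[^@>;\s]+@)?(\[[0-9A-Fa-f:.]+\]|[^:;>\s]+)(?::(\d+))?")

def contact_hostport(message):
    """Return (host, port or None) from the first Contact / compact 'm' header."""
    head = message.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:          # [1:] skips the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("contact", "m"):
            m = URI_RE.search(value)
            if m:
                return m.group(1).lower(), int(m.group(2)) if m.group(2) else None
    return None

def classify(message, real, advertised):
    """real / advertised are (host, port) tuples for one listening interface."""
    hp = contact_hostport(message)
    if hp is None:
        return "no-contact"
    # With an advertised name but no advertised port, no port is written,
    # so a missing port still counts as a match on the advertised address.
    if hp[0] == advertised[0].lower() and hp[1] in (advertised[1], None):
        return "advertised"
    if hp[0] == real[0].lower():
        return "real-address"                  # the behaviour this alert describes
    return "other"

# Constructed sample data (RFC 5737 documentation addresses).
REAL = ("192.0.2.10", 5060)
ADVERTISED = ("203.0.113.7", 5070)

def sample_notify(contact_line):
    """Build a constructed presence NOTIFY carrying the given Contact line."""
    return ("NOTIFY sip:alice@198.51.100.20 SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 203.0.113.7:5070;branch=z9hG4bKconstructed\r\n"
            "Event: presence\r\n"
            f"{contact_line}\r\n"
            "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for c in ("Contact: <sip:192.0.2.10:5060>", "Contact: <sip:203.0.113.7:5070>"):
        print(c, "->", classify(sample_notify(c), REAL, ADVERTISED))
```

Feed it requests captured on the outbound side of the proxy; any "real-address" result for a NOTIFY, PUBLISH, SUBSCRIBE or B2B-generated request on an interface with advertise options set indicates the unpatched behaviour.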

Index: modules/presence/utils_func.h
===================================================================
--- modules/presence/utils_func.h	(revision 9164)
+++ modules/presence/utils_func.h	(revision 9192)
@@ -100,8 +100,16 @@
 	/* write "sip:ip" */
 	memcpy(contact->s+contact->len, "sip:", 4);
 	contact->len+= 4;
-	memcpy(contact->s+contact->len, sock->address_str.s, sock->address_str.len);
-	contact->len += sock->address_str.len;
+
+	/* if advertised address is set for this interface, use this one */
+	if (sock->adv_name_str.s) {
+		memcpy(contact->s+contact->len, sock->adv_name_str.s, sock->adv_name_str.len);
+		contact->len += sock->adv_name_str.len;
+	}
+	else {
+		memcpy(contact->s+contact->len, sock->address_str.s, sock->address_str.len);
+		contact->len += sock->address_str.len;
+	}
 	if(contact->len> LCONTACT_BUF_SIZE - 21)
 	{
 		LM_ERR("buffer overflow\n");
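Review bot: in the new `if (sock->adv_name_str.s)` branch the advertised name is copied into `contact->s` before the `contact->len > LCONTACT_BUF_SIZE - 21` test runs, so that test can only report an overrun after the memcpy has already written. Nothing in these lines bounds `adv_name_str.len`, and an advertised name is configuration-supplied text rather than a formatted interface address, so the check should move ahead of the copy, for example by testing `contact->len + sock->adv_name_str.len` against the limit first. The `else` branch keeps the same copy-then-check order for `address_str` and would benefit from the same reordering. The branch also tests only `.s`; testing `.len` as well would keep an empty advertised name from producing a bare "sip:".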
@@ -109,6 +117,14 @@
 	}
 
 	/* write ":port" if port defined */
+	if (sock->adv_name_str.s) {
+		if(sock->adv_port_str.s) {
+			*(contact->s+(contact->len++)) = ':';
+			memcpy(contact->s+contact->len, sock->adv_port_str.s, sock->adv_port_str.len);
+			contact->len += sock->adv_port_str.len;
+		}
+	}
+	else
 	if (sock->port_no_str.len) {
 		*(contact->s+(contact->len++)) = ':';
 		memcpy(contact->s+contact->len, sock->port_no_str.s, sock->port_no_str.len);
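Review bot: when `adv_name_str.s` is set but `adv_port_str.s` is not, the added block writes no port and the `else` skips the `port_no_str` fallback, so the Contact carries the advertised name with no port even if the socket listens on a non-default one. If that is intended, the comment should say so; otherwise fall back to `port_no_str` in that case. The bare `else` followed by an unindented `if` is also easy to misread and would be clearer as `else if (...)` or with braces. The `adv_port_str` copy is not preceded by any length check in the visible lines; it should be covered by the same bound as the address copy.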