<p>The topoh module uses its <code>mask_ip</code> parameter to tag and identify fields that have been encrypted with its header value. As of Kamailio 4.4.6 code has been added to make sure that <code>mask_ip</code> is properly used in the request URI, or <code>Via</code>, or any other appropriate SIP header variable before it attempts to perform decryption. Here is a code block that was added at line 738 in <code>modules/topoh/th_msg.c</code></p>
<pre><code> /* Do nothing if ruri is not encoded */
if ((REQ_LINE(msg).uri.len<th_uri_prefix.len) ||
(strncasecmp(REQ_LINE(msg).uri.s,th_uri_prefix.s,th_uri_prefix.len)!=0))
{
LM_DBG("ruri [%.*s] is not encoded",REQ_LINE(msg).uri.len,REQ_LINE(msg).uri.s);
return 0;
}
</code></pre>
<p>This effectively skips any Request URIs that don't properly match the expected <code>th_uri_prefix</code> which is created using the <code>mask_ip</code> value assigned to <code>topoh</code>.</p>
<p>So if I set topoh's <code>mask_ip</code> and assume I have set a <code>mask_key</code>:</p>
<pre><code>modparam("topoh", "mask_ip", "192.168.99.184")
</code></pre>
<p>Then an <code>ACK</code> message like this gets detected and decoded as expected:</p>
<pre><code>ACK sip:192.168.99.184;line=sr-1IFG6oxISo4wSekmUolOBKVwbolIboxd6JdwS7xiUekISKPm10NH18Rz1uBZtTpG SIP/2.0
</code></pre>
<p>However, if one of my incoming carriers decides to be extra special and append port <code>:5060</code> to the request URI like this:</p>
<pre><code>ACK sip:192.168.99.184:5060;line=sr-1IFG6oxISo4wSekmUolOBKVwbolIboxd6JdwS7xiUekISKPm10NH18Rz1uBZtTpG SIP/2.0
</code></pre>
<p>It gets skipped by topoh because it no longer detects this variation of the URI and I get a message like this:</p>
<pre><code>Aug 29 21:36:10 ip-172-31-4-69 /usr/sbin/kamailio[4629]: DEBUG: topoh [th_msg.c:742]: th_unmask_ruri(): ruri [sip:192.168.99.184:5060;line=sr-1IFG
6oxISo4wSekmUolOBKVwbolIboxd6JdwS7xiUekISKPm10NH18Rz1uBZtTpG] is not encoded
</code></pre>
<h3>Troubleshooting</h3>
<p>I thought I might be smart and tried to change the <code>mask_ip</code> to <code>192.168.99.184:5060</code> but this is additionally blocked by the code that validates <code>Via</code> headers in <code>/modules/topoh/th_msg.c</code> line 393:</p>
<pre><code> /* Skip if via is not encoded */
if (via->host.len!=th_ip.len
|| strncasecmp(via->host.s, th_ip.s, th_ip.len)!=0)
{
LM_DBG("via %d is not encoded",i);
continue;
}
</code></pre>
<p>It only compares the <code>host</code> part of the VIA with the <code>mask_ip</code> parameter which is <code>192.168.99.184:5060</code> (including the port) and therefore doesn't match and is skipped in decoding.</p>
<h4>Reproduction</h4>
<ol>
<li>Set <code>topoh</code> module <code>mask_ip</code> to any acceptable IP address</li>
<li>Attempt to handle any traffic from a carrier that adds <code>:5060</code> automatically to the end of its request URIs</li>
<li>The call will go through and then drop ~90 seconds due to incessant attempts of the Kamailio server attempting to reach the bogus <code>mask_ip</code> address</li>
</ol>
<h4>Debugging Data</h4>
<p>I believe the above information is fairly plain. I have included the pertinent debug logs, but it is fairly well describing why <code>topoh</code> is not decoding certain lines that it should be.</p>
<h4>Log Messages</h4>
<p>Example of a line that should be decoded which is not being decoded because the incoming carrier has added <code>:5060</code> to the <code>mask_ip</code> used in the Request URI.</p>
<pre><code>Aug 29 21:36:10 ip-172-31-4-69 /usr/sbin/kamailio[4629]: DEBUG: topoh [th_msg.c:742]: th_unmask_ruri(): ruri [sip:192.168.99.184:5060;line=sr-1IFG
6oxISo4wSekmUolOBKVwbolIboxd6JdwS7xiUekISKPm10NH18Rz1uBZtTpG] is not encoded
</code></pre>
<h4>SIP Traffic</h4>
<p><a href="https://user-images.githubusercontent.com/1807347/29846497-f65ed1e2-8ccb-11e7-9a16-b18cfb4365a9.png" target="_blank"><img src="https://user-images.githubusercontent.com/1807347/29846497-f65ed1e2-8ccb-11e7-9a16-b18cfb4365a9.png" alt="examplecall" style="max-width:100%;"></a></p>
<p>Example of a call that repeatedly attempts to access bogus <code>mask_ip</code> in its route because it is not detected by topoh for decoding after it is passed through a carrier which adds <code>:5060</code> to its Request URIs.</p>
<h3>Possible Solutions</h3>
<p>No workarounds :(</p>
<p>I also don't have the option of asking carriers to change their standing policy of appending the port ":5060" but the validation efforts in the <code>topoh</code> module could be expanded to accept an undesignated port number in the URI or <code>topoh</code> could include a <code>mask_port</code> parameter so that it builds its URI to expect one in the request URI and in <code>Via</code> header fields.</p>
<p>When I have more time to work on the validation C code I will include some suggestions, but others may have a more informed philosophical approach.</p>
<h3>Additional Information</h3>
<p>To see all changes to <code>th_msg.c</code>:</p>
<pre><code>git diff 4.4.5 4.4.6 -- modules/topoh/th_msg.c
</code></pre>
<pre><code>version: kamailio 4.4.6 (x86_64/linux) becbde
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: becbde
compiled on 10:23:24 Jun 16 2017 with gcc 4.4.7
</code></pre>
<ul>
<li><strong>Operating System</strong>:</li>
</ul>
<pre><code>CentOS release 6.8 (Final)
Linux ip-172-31-4-69.us-west-2.compute.internal 2.6.32-642.3.1.el6.x86_64 #1 SMP Tue Jul 12 18:30:56 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
</code></pre>
<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/kamailio/kamailio/issues/1222">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AF36ZQDq5iSUbdLIKRXdejAkpJ2kET8nks5sdJATgaJpZM4PGoWl">mute the thread</a>.<img alt="" height="1" src="https://github.com/notifications/beacon/AF36ZVJxRzfM9p5nC00hH4o6wag4Zrhjks5sdJATgaJpZM4PGoWl.gif" width="1" /></p>
<div itemscope itemtype="http://schema.org/EmailMessage">
<div itemprop="action" itemscope itemtype="http://schema.org/ViewAction">
<link itemprop="url" href="https://github.com/kamailio/kamailio/issues/1222"></link>
<meta itemprop="name" content="View Issue"></meta>
</div>
<meta itemprop="description" content="View this Issue on GitHub"></meta>
</div>
<script type="application/json" data-scope="inboxmarkup">{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/kamailio/kamailio","title":"kamailio/kamailio","subtitle":"GitHub repository","main_image_url":"https://cloud.githubusercontent.com/assets/143418/17495839/a5054eac-5d88-11e6-95fc-7290892c7bb5.png","avatar_image_url":"https://cloud.githubusercontent.com/assets/143418/15842166/7c72db34-2c0b-11e6-9aed-b52498112777.png","action":{"name":"Open in GitHub","url":"https://github.com/kamailio/kamailio"}},"updates":{"snippets":[{"icon":"DESCRIPTION","message":"TOPOH module mask_ip errantly skips decoding encoded fields (#1222)"}],"action":{"name":"View Issue","url":"https://github.com/kamailio/kamailio/issues/1222"}}}</script>