--- /tmp/jabberd-2.1.24.1/s2s/in.c 2008-04-27 02:57:31.000000000 -0700
+++ ./jabberd2/s2s/in.c 2009-05-26 14:27:07.000000000 -0700
@@ -156,6 +156,8 @@ static int _in_sx_callback(sx_t s, sx_ev
 sx_error_t *sxe;
 nad_t nad;
 char ipport[INET6_ADDRSTRLEN + 17];
+ jid_t from;
+ int attr;
 switch(e) {
 case event_WANT_READ:
@@ -266,7 +268,9 @@ static int _in_sx_callback(sx_t s, sx_ev
 in->last_packet = time(NULL);
 /* dialback packets */
- if(NAD_NURI_L(nad, NAD_ENS(nad, 0)) == strlen(uri_DIALBACK) && strncmp(uri_DIALBACK, NAD_NURI(nad, NAD_ENS(nad, 0)), strlen(uri_DIALBACK)) == 0) {
+ if(NAD_NURI_L(nad, NAD_ENS(nad, 0)) == strlen(uri_DIALBACK) && strncmp(uri_DIALBACK, NAD_NURI(nad, NAD_ENS(nad, 0)), strlen(uri_DIALBACK)) == 0 &&
+ (in->s2s->require_tls == 0 || s->ssf > 0)) {
+ /* only result and verify mean anything */
 if(NAD_ENAME_L(nad, 0) == 6) {
 if(strncmp("result", NAD_ENAME(nad, 0), 6) == 0) {
@@ -313,6 +317,22 @@ static int _in_sx_callback(sx_t s, sx_ev
 return 0;
 }
+ /* perform check against whitelist */
+ attr = nad_find_attr(nad, 0, -1, "from", NULL);
+ if(attr < 0 || (from = jid_new(in->s2s->pc, NAD_AVAL(nad, attr), NAD_AVAL_L(nad, attr))) == NULL) {
+ log_debug(ZONE, "missing or invalid from on incoming packet, attr is %d", attr);
+ nad_free(nad);
+ return 0;
+ }
+
+ if (in->s2s->enable_whitelist > 0 && (s2s_domain_in_whitelist(in->s2s, from->domain) == 0)) {
+ log_write(in->s2s->log, LOG_NOTICE, "received a packet not from a whitelisted domain, dropping it");
+ jid_free(from);
+ nad_free(nad);
+ return 0;
+ }
+
+ jid_free(from);
 _in_packet(in, nad);
 return 0;
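Review bot: The new `(in->s2s->require_tls == 0 || s->ssf > 0)` clause enforces the TLS requirement only by making the dialback condition false, so a dialback element on an unencrypted stream is not rejected here; it falls through to whatever follows this block, with no log entry and no signal to the peer. An explicit guard at the top of the dialback branch, which logs at notice level, frees the nad and returns, would make the refusal visible to operators and keep it from depending on later code that is outside this hunk. Note also that `s->ssf > 0` accepts any non-zero strength; a short comment such as `/* ssf > 0: stream has a negotiated security layer; no minimum strength enforced */` would record that choice. The body of `_in_sx_callback` starts and ends outside the hunk.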
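Review bot: The whitelist test is placed directly before `_in_packet(in, nad)`, roughly fifty lines after the dialback branch changed in the previous hunk, so dialback result/verify elements from a domain that is not whitelisted are presumably still handled before any whitelist check applies. If the whitelist is meant to keep the server from engaging with unlisted domains at all, the same `s2s_domain_in_whitelist(in->s2s, from->domain)` test is needed on the dialback path; that code is outside the hunk, so confirm. Separately, the `from` lookup and the drop on a missing or invalid `from` now run even when `enable_whitelist` is 0, and that drop is logged only through `log_debug`. The notice for a refused domain does not say which domain it was; assuming `log_write` takes a printf-style format as `log_debug` does here, consider `log_write(in->s2s->log, LOG_NOTICE, "dropping packet from non-whitelisted domain %s", from->domain);`.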