Add a workaround for invalid IP masks in SIP.

livekit · Jan 27, 2025 · 3e2f598 · 3e2f598
1 parent 2e0a35e
commit 3e2f598
Show file tree

Hide file tree

Showing 3 changed files with 132 additions and 10 deletions.
diff --git a/.changeset/big-snails-type.md b/.changeset/big-snails-type.md
@@ -0,0 +1,5 @@
+---
+"github.com/livekit/protocol": patch
+---
+
+Add a workaround for invalid IP masks in SIP.
diff --git a/sip/sip.go b/sip/sip.go
@@ -334,6 +334,34 @@ func ValidateTrunksIter(it iters.Iter[*livekit.SIPInboundTrunkInfo]) error {
 	return nil
 }
 
+func isValidMask(mask string) bool {
+	if !strings.Contains(mask, "/") {
+		expIP, err := netip.ParseAddr(mask)
+		if err != nil {
+			return false
+		}
+		return expIP.IsValid()
+	}
+	pref, err := netip.ParsePrefix(mask)
+	if err != nil {
+		return false
+	}
+	return pref.IsValid()
+}
+
+func filterInvalidAddrMasks(masks []string) []string {
+	if len(masks) == 0 {
+		return nil
+	}
+	out := make([]string, 0, len(masks))
+	for _, m := range masks {
+		if isValidMask(m) {
+			out = append(out, m)
+		}
+	}
+	return out
+}
+
 func matchAddrMask(ip netip.Addr, mask string) bool {
 	if !strings.Contains(mask, "/") {
 		expIP, err := netip.ParseAddr(mask)
@@ -350,7 +378,11 @@ func matchAddrMask(ip netip.Addr, mask string) bool {
 }
 
 func matchAddrMasks(addr netip.Addr, masks []string) bool {
-	if !addr.IsValid() || len(masks) == 0 {
+	if !addr.IsValid() {
+		return true
+	}
+	masks = filterInvalidAddrMasks(masks)
+	if len(masks) == 0 {
 		return true
 	}
 	for _, mask := range masks {

diff --git a/sip/sip_test.go b/sip/sip_test.go
@@ -652,21 +652,106 @@ func TestEvaluateDispatchRule(t *testing.T) {
 
 func TestMatchIP(t *testing.T) {
 	cases := []struct {
-		addr string
-		mask string
-		exp  bool
+		addr  string
+		mask  string
+		valid bool
+		exp   bool
 	}{
-		{addr: "192.168.0.10", mask: "192.168.0.10", exp: true},
-		{addr: "192.168.0.10", mask: "192.168.0.11", exp: false},
-		{addr: "192.168.0.10", mask: "192.168.0.0/24", exp: true},
-		{addr: "192.168.0.10", mask: "192.168.0.10/0", exp: true},
-		{addr: "192.168.0.10", mask: "192.170.0.0/24", exp: false},
+		{addr: "192.168.0.10", mask: "192.168.0.10", valid: true, exp: true},
+		{addr: "192.168.0.10", mask: "192.168.0.11", valid: true, exp: false},
+		{addr: "192.168.0.10", mask: "192.168.0.0/24", valid: true, exp: true},
+		{addr: "192.168.0.10", mask: "192.168.0.10/0", valid: true, exp: true},
+		{addr: "192.168.0.10", mask: "192.170.0.0/24", valid: true, exp: false},
 	}
 	for _, c := range cases {
 		t.Run(c.mask, func(t *testing.T) {
 			ip, err := netip.ParseAddr(c.addr)
 			require.NoError(t, err)
-			got := matchAddrMask(ip, c.mask)
+			got := isValidMask(c.mask)
+			require.Equal(t, c.valid, got)
+			got = matchAddrMask(ip, c.mask)
+			require.Equal(t, c.exp, got)
+		})
+	}
+}
+
+func TestMatchMasks(t *testing.T) {
+	cases := []struct {
+		name  string
+		addr  string
+		masks []string
+		exp   bool
+	}{
+		{
+			name:  "no masks",
+			addr:  "192.168.0.10",
+			masks: nil,
+			exp:   true,
+		},
+		{
+			name: "single ip",
+			addr: "192.168.0.10",
+			masks: []string{
+				"192.168.0.10",
+			},
+			exp: true,
+		},
+		{
+			name: "wrong ip",
+			addr: "192.168.0.10",
+			masks: []string{
+				"192.168.0.11",
+			},
+			exp: false,
+		},
+		{
+			name: "ip mask",
+			addr: "192.168.0.10",
+			masks: []string{
+				"192.168.0.0/24",
+			},
+			exp: true,
+		},
+		{
+			name: "wrong mask",
+			addr: "192.168.0.10",
+			masks: []string{
+				"192.168.1.0/24",
+			},
+			exp: false,
+		},
+		{
+			name: "invalid range",
+			addr: "192.168.0.10",
+			masks: []string{
+				"some.domain",
+			},
+			exp: true,
+		},
+		{
+			name: "invalid and valid range",
+			addr: "192.168.0.10",
+			masks: []string{
+				"some.domain",
+				"192.168.0.0/24",
+			},
+			exp: true,
+		},
+		{
+			name: "invalid and wrong range",
+			addr: "192.168.0.10",
+			masks: []string{
+				"some.domain",
+				"192.168.1.0/24",
+			},
+			exp: false,
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			ip, err := netip.ParseAddr(c.addr)
+			require.NoError(t, err)
+			got := matchAddrMasks(ip, c.masks)
 			require.Equal(t, c.exp, got)
 		})
 	}