pjsip · trengginas · Jan 22, 2025 · Jan 22, 2025 · Jan 23, 2025 · Jan 28, 2025
diff --git a/pjmedia/include/pjmedia/config.h b/pjmedia/include/pjmedia/config.h
@@ -1100,6 +1100,16 @@
 #   define PJMEDIA_SRTP_DTLS_OSSL_CIPHERS           "DEFAULT"
 #endif
 
+ /**
+  * Enabled this to check the source address of ClientHello message coming
+  * from a valid address.
+  *
+  * Default value: 0
+  */
+#ifndef PJMEDIA_SRTP_DTLS_CHECK_HELLO_ADDR
+#   define PJMEDIA_SRTP_DTLS_CHECK_HELLO_ADDR       0
+#endif
+
 
 /**
  * Maximum number of SRTP cryptos.

diff --git a/pjmedia/src/pjmedia/transport_srtp_dtls.c b/pjmedia/src/pjmedia/transport_srtp_dtls.c
@@ -1361,6 +1361,52 @@ static pj_status_t dtls_on_recv(pjmedia_transport *tp, unsigned idx,
         (ds->setup == DTLS_SETUP_ACTPASS || ds->setup == DTLS_SETUP_PASSIVE))
     {
         pj_status_t status;
+
+#if defined(PJMEDIA_SRTP_DTLS_CHECK_HELLO_ADDR) && PJMEDIA_SRTP_DTLS_CHECK_HELLO_ADDR!=0
+        pjmedia_transport_info info;
+        pj_sockaddr src_addr, rem_addr;
+        pj_bool_t rem_addr_avail = PJ_TRUE;
+        pjmedia_transport_get_info(ds->srtp->member_tp, &info);
+        if (idx == RTP_CHANNEL) {
+            pj_sockaddr_cp(&src_addr, &info.src_rtp_name);
+            if (!pj_sockaddr_has_addr(&ds->rem_addr)) {
+                rem_addr_avail = PJ_FALSE;
+            } else {
+                pj_sockaddr_cp(&rem_addr, &ds->rem_addr);
+            }
+        } else {
+            pj_sockaddr_cp(&src_addr, &info.src_rtcp_name);
+            if (!pj_sockaddr_has_addr(&ds->rem_rtcp)) {
+                rem_addr_avail = PJ_FALSE;
+            } else {
+                pj_sockaddr_cp(&rem_addr, &ds->rem_rtcp);
+            }
+        }
+        if (!rem_addr_avail) {
+            char addr[PJ_INET6_ADDRSTRLEN];
+
+            PJ_LOG(2, (ds->base.name, "DTLS-SRTP %s ignoring %lu bytes "
+                "from [%s], remote address not available",
+                CHANNEL_TO_STRING(idx), (unsigned long)size,
+                pj_sockaddr_print(&src_addr, addr, sizeof(addr), 3)));
+
+            DTLS_UNLOCK(ds);
+            return PJ_SUCCESS;
+        }
+
+        if (pj_sockaddr_cmp(&src_addr, &rem_addr) != 0) {
+            char addr[PJ_INET6_ADDRSTRLEN], raddr[PJ_INET6_ADDRSTRLEN];
+
+            PJ_LOG(2, (ds->base.name, "DTLS-SRTP %s ignoring message from [%s],"
+                "expecting from [%s]", 
+                CHANNEL_TO_STRING(idx), 
+                pj_sockaddr_print(&src_addr, addr, sizeof(addr), 3),
+                pj_sockaddr_print(&rem_addr, raddr, sizeof(raddr), 3)));
+
+            DTLS_UNLOCK(ds);
+            return PJ_SUCCESS;
+        }
+#endif
         ds->setup = DTLS_SETUP_PASSIVE;
         status = ssl_handshake_channel(ds, idx);
         if (status != PJ_SUCCESS) {