From 6ea8c96c3db9944d0542a4a7b04fc54712334da2 Mon Sep 17 00:00:00 2001
From: Jakub Karolczyk
Date: Fri, 29 Sep 2023 15:25:53 +0000
Subject: [PATCH] [Core] Reject DTLS packets coming from a source different than the current ICE negotiated path.
---
 src/switch_rtp.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/switch_rtp.c b/src/switch_rtp.c
index 5d58e07aad..1125e2f59b 100644
--- a/src/switch_rtp.c
+++ b/src/switch_rtp.c
@@ -3374,7 +3374,20 @@ static int do_dtls(switch_rtp_t *rtp_session, switch_dtls_t *dtls)
 return 0;
 }
- if (is_ice && !rtp_session->ice.cand_responsive) {
+ if (is_ice && !(rtp_session->ice.type & ICE_LITE) && !rtp_session->ice.cand_responsive) {
+ switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(rtp_session->session), SWITCH_LOG_DEBUG6, "Got DTLS packet but candidate is not responsive\n");
+
+ return 0;
+ }
+
+ if (is_ice && !switch_cmp_addr(rtp_session->from_addr, rtp_session->ice.addr, SWITCH_TRUE)) {
+ char tmp_buf1[80] = "";
+ char tmp_buf2[80] = "";
+ const char *host_from = switch_get_addr(tmp_buf1, sizeof(tmp_buf1), rtp_session->from_addr);
+ const char *host_ice_cur_addr = switch_get_addr(tmp_buf2, sizeof(tmp_buf2), rtp_session->ice.addr);
+
+ switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(rtp_session->session), SWITCH_LOG_DEBUG5, "Got DTLS packet from [%s] whilst current ICE negotiated address is [%s]. Ignored.\n", host_from, host_ice_cur_addr);
+
 return 0;
 }
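Review bot: The new source check `switch_cmp_addr(rtp_session->from_addr, rtp_session->ice.addr, SWITCH_TRUE)` does not say what the `SWITCH_TRUE` argument selects, and the helper is not shown in this hunk. If it limits the comparison to the IP and ignores the port, a sender sharing the peer's address (for example behind the same NAT) would still pass, so the intent deserves a comment above the `if`, such as `/* Accept DTLS only from the ICE-selected remote address; SWITCH_TRUE = <meaning of the flag> */`. The check also depends on the helper returning 0 while `rtp_session->ice.addr` is still unset, which is presumably the case but should be confirmed. Both drops are logged only at DEBUG6/DEBUG5, so a production system would show no trace of an off-path DTLS sender; a per-session drop counter or a rate-limited higher-level message would make it visible to operators without letting the sender flood the log. `do_dtls` begins and ends outside this hunk.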