diff options
| author | Richard Mudgett <rmudgett@digium.com> | 2017-08-10 14:18:01 -0500 |
|---|---|---|
| committer | Richard Mudgett <rmudgett@digium.com> | 2017-08-10 14:37:48 -0500 |
| commit | b787245b5b9a36e6dcafbfd6fe4c6d9fc27956a2 (patch) | |
| tree | d28e77d84717e74db4c4d841eb18c7a01744c7d4 /main | |
| parent | ca4b84f783307a31bc4854708e9bc85c914b56c2 (diff) | |
STUN/netsock2: Fix some valgrind uninitialized memory findings.
* netsock2.c: Test the addr->len member first as it may be the only member
initialized in the struct.
* stun.c:ast_stun_handle_packet(): The combinded[] local array could get
used uninitialized by ast_stun_request(). The uninitialized string gets
copied to another location and could overflow the destination memory
buffer.
These valgrind findings were found for ASTERISK_27150 but are not
necessarily a fix for the issue.
Change-Id: I55f8687ba4ffc0f69578fd850af006a56cbc9a57
Diffstat (limited to 'main')
| -rw-r--r-- | main/netsock2.c | 16 | ||||
| -rw-r--r-- | main/stun.c | 4 |
2 files changed, 14 insertions, 6 deletions
diff --git a/main/netsock2.c b/main/netsock2.c index 59dddf124..dc126b6aa 100644 --- a/main/netsock2.c +++ b/main/netsock2.c @@ -477,8 +477,12 @@ uint32_t ast_sockaddr_ipv4(const struct ast_sockaddr *addr) int ast_sockaddr_is_ipv4(const struct ast_sockaddr *addr) { - return addr->ss.ss_family == AF_INET && - addr->len == sizeof(struct sockaddr_in); + /* + * Test addr->len first to be tolerant of an ast_sockaddr_setnull() + * addr. In that case addr->len might be the only value initialized. + */ + return addr->len == sizeof(struct sockaddr_in) + && addr->ss.ss_family == AF_INET; } int ast_sockaddr_is_ipv4_mapped(const struct ast_sockaddr *addr) @@ -500,8 +504,12 @@ int ast_sockaddr_is_ipv6_link_local(const struct ast_sockaddr *addr) int ast_sockaddr_is_ipv6(const struct ast_sockaddr *addr) { - return addr->ss.ss_family == AF_INET6 && - addr->len == sizeof(struct sockaddr_in6); + /* + * Test addr->len first to be tolerant of an ast_sockaddr_setnull() + * addr. In that case addr->len might be the only value initialized. + */ + return addr->len == sizeof(struct sockaddr_in6) + && addr->ss.ss_family == AF_INET6; } int ast_sockaddr_is_any(const struct ast_sockaddr *addr) diff --git a/main/stun.c b/main/stun.c index d9f8c8751..6d524fbdf 100644 --- a/main/stun.c +++ b/main/stun.c @@ -345,6 +345,8 @@ int ast_stun_handle_packet(int s, struct sockaddr_in *src, unsigned char *data, if (st.username) { append_attr_string(&attr, STUN_USERNAME, st.username, &resplen, &respleft); snprintf(combined, sizeof(combined), "%16s%16s", st.username + 16, st.username); + } else { + combined[0] = '\0'; } append_attr_address(&attr, STUN_MAPPED_ADDRESS, src, &resplen, &respleft); @@ -400,8 +402,6 @@ int ast_stun_request(int s, struct sockaddr_in *dst, stun_req_id(req); reqlen = 0; reqleft = sizeof(req_buf) - sizeof(struct stun_header); - req->msgtype = 0; - req->msglen = 0; attr = (struct stun_attr *) req->ies; if (username) { append_attr_string(&attr, STUN_USERNAME, username, &reqlen, &reqleft); |