There are a few uninitialized-value-use bugs in src/mod/endpoints/mod_sofia/sofia.c
In function sofia_handle_sip_i_notify():
Array network_ip will be allocated in line 859
Then, it will be initialized by sofia_glue_get_addr()
867 sofia_glue_get_addr(de->data->e_msg, network_ip, sizeof(network_ip), NULL);
868 for (x = 0; x < profile->acl_count; x++) {
869 last_acl = profile->acl[x];
870 if (!(acl_ok = switch_check_network_list_ip(network_ip, last_acl))) {
871 break;
However, sofia_glue_get_addr() may return earlier, leaving network_ip in an uninitialized state.
Then network_ip will be used in switch_check_network_list_ip(). It may bypass (ACL) security checks due to the uninitialized value of network_ip, leading to privilege escalation.
Same in:
and in function sofia_handle_sip_i_reinvite()
and in function sofia_handle_sip_i_invite()
sofia_glue_get_addr() may return earlier, leaving network_ip in an uninitialized state. Then network_ip will be used in function switch_log_printf(). This function may print out sensitive data that network_ip contained from the previous stack frame.
Fix: set network_ip[80] = " ", preventing uninitialized-value use.
Thank you for the review. I am also reporting this bug to CVE.
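The hardened form of the pattern described above, as an added example that is not code from the report or from FreeSWITCH: `get_addr_stub()` and `acl_match()` are constructed stand-ins for `sofia_glue_get_addr()` and `switch_check_network_list_ip()`, and `check_peer_acl()` is a hypothetical caller. It zero-initialises the whole 80-byte array (writing to index 80 would be one past its end), treats an early return from the address lookup as a deny, and never logs the buffer unless the lookup succeeded.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for sofia_glue_get_addr(): like the real call as
 * described in the report, it can return before writing to the buffer. */
static int get_addr_stub(const char *src, char *buf, size_t buflen)
{
    if (src == NULL || buflen == 0)
        return -1;                 /* early return: buf is never touched */
    snprintf(buf, buflen, "%s", src);
    return 0;
}

/* Constructed stand-in for a single-entry ACL check. */
static int acl_match(const char *ip, const char *allowed)
{
    return strcmp(ip, allowed) == 0;
}

/* Hardened version of the pattern from sofia_handle_sip_i_notify():
 *  1. the buffer is zero-initialised, so it is a valid empty string even
 *     when the address lookup returns early;
 *  2. the lookup's return value is checked and failure is a deny, so the
 *     ACL never decides on an empty or stale address;
 *  3. the buffer is only logged after the lookup succeeded.
 * Returns 1 if the peer is allowed by the ACL, 0 otherwise. */
int check_peer_acl(const char *src, const char *allowed)
{
    char network_ip[80] = { 0 };   /* whole array zeroed, not one byte */

    if (get_addr_stub(src, network_ip, sizeof(network_ip)) != 0) {
        fprintf(stderr, "address lookup failed; denying\n"); /* no buffer contents */
        return 0;                  /* fail closed */
    }
    if (!acl_match(network_ip, allowed)) {
        fprintf(stderr, "IP %s rejected by ACL\n", network_ip);
        return 0;
    }
    return 1;
}
```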