STUN/netsock2: Fix some valgrind uninitialized memory findings.

* netsock2.c: Test the addr->len member first as it may be the only member
initialized in the struct.

* stun.c:ast_stun_handle_packet(): The combinded[] local array could get
used uninitialized by ast_stun_request().  The uninitialized string gets
copied to another location and could overflow the destination memory
buffer.

These valgrind findings were found for ASTERISK_27150 but are not
necessarily a fix for the issue.

Change-Id: I55f8687ba4ffc0f69578fd850af006a56cbc9a57

diff --git a/main/netsock2.c b/main/netsock2.c
index 59dddf1243306eb0017d64cc3c3dbe0e2032b2aa..dc126b6aa3affaead1cc6cfa5ecf76046ce5e9ab 100644 (file)
--- a/main/netsock2.c
+++ b/main/netsock2.c
@@ -477,8 +477,12 @@ uint32_t ast_sockaddr_ipv4(const struct ast_sockaddr *addr)
 
 int ast_sockaddr_is_ipv4(const struct ast_sockaddr *addr)
 {
-       return addr->ss.ss_family == AF_INET &&
-           addr->len == sizeof(struct sockaddr_in);
+       /*
+        * Test addr->len first to be tolerant of an ast_sockaddr_setnull()
+        * addr.  In that case addr->len might be the only value initialized.
+        */
+       return addr->len == sizeof(struct sockaddr_in)
+               && addr->ss.ss_family == AF_INET;
 }
 
 int ast_sockaddr_is_ipv4_mapped(const struct ast_sockaddr *addr)
@@ -500,8 +504,12 @@ int ast_sockaddr_is_ipv6_link_local(const struct ast_sockaddr *addr)
 
 int ast_sockaddr_is_ipv6(const struct ast_sockaddr *addr)
 {
-       return addr->ss.ss_family == AF_INET6 &&
-           addr->len == sizeof(struct sockaddr_in6);
+       /*
+        * Test addr->len first to be tolerant of an ast_sockaddr_setnull()
+        * addr.  In that case addr->len might be the only value initialized.
+        */
+       return addr->len == sizeof(struct sockaddr_in6)
+               && addr->ss.ss_family == AF_INET6;
 }
 
 int ast_sockaddr_is_any(const struct ast_sockaddr *addr)

diff --git a/main/stun.c b/main/stun.c
index d9f8c8751ab76f92e01ce70fb25b2b93e10185f6..6d524fbdf45c6598507cf5caf14f87a3089808b5 100644 (file)
--- a/main/stun.c
+++ b/main/stun.c
@@ -345,6 +345,8 @@ int ast_stun_handle_packet(int s, struct sockaddr_in *src, unsigned char *data,
                        if (st.username) {
                                append_attr_string(&attr, STUN_USERNAME, st.username, &resplen, &respleft);
                                snprintf(combined, sizeof(combined), "%16s%16s", st.username + 16, st.username);
+                       } else {
+                               combined[0] = '\0';
                        }
 
                        append_attr_address(&attr, STUN_MAPPED_ADDRESS, src, &resplen, &respleft);
@@ -400,8 +402,6 @@ int ast_stun_request(int s, struct sockaddr_in *dst,
        stun_req_id(req);
        reqlen = 0;
        reqleft = sizeof(req_buf) - sizeof(struct stun_header);
-       req->msgtype = 0;
-       req->msglen = 0;
        attr = (struct stun_attr *) req->ies;
        if (username) {
                append_attr_string(&attr, STUN_USERNAME, username, &reqlen, &reqleft);