From: Sean Bright Date: Mon, 20 Feb 2017 12:28:23 +0000 (-0500) Subject: app_voicemail: vm_authenticate accesses uninitialized memory X-Git-Tag: 14.4.0-rc1~78^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d1196fd39e0ae32b3d19b6b5aee4b4b6b5340c8d;p=thirdparty%2Fasterisk.git app_voicemail: vm_authenticate accesses uninitialized memory vm_authenticate doesn't always set the passed ast_vm_user argument, so we initialize to 0 before passing it in. ASTERISK-25893 #close Reported by: Filip Jenicek Change-Id: Ia3cc0128f93d352ed9add8d5c2f0f7232c2cbe4a
---
diff --git a/apps/app_voicemail.c b/apps/app_voicemail.c
index d58b6ea032..0121a296f6 100644
--- a/apps/app_voicemail.c
+++ b/apps/app_voicemail.c
@@ -11192,7 +11192,7 @@ static int vm_authenticate(struct ast_channel *chan, char *mailbox, int mailbox_
 return -1;
 }
 if (vmu && !skipuser) {
- memcpy(res_vmu, vmu, sizeof(struct ast_vm_user));
+ *res_vmu = *vmu;
 }
 return 0;
 }
@@ -11354,8 +11354,8 @@ static int vm_execmain(struct ast_channel *chan, const char *data)
 int box;
 int useadsi = 0;
 int skipuser = 0;
- struct vm_state vms;
- struct ast_vm_user *vmu = NULL, vmus;
+ struct vm_state vms = {{0}};
+ struct ast_vm_user *vmu = NULL, vmus = {{0}};
 char *context = NULL;
 int silentexit = 0;
 struct ast_flags flags = { 0 };
@@ -11368,12 +11368,8 @@ static int vm_execmain(struct ast_channel *chan, const char *data)
 #endif /* Add the vm_state to the active list and keep it active */ - memset(&vms, 0, sizeof(vms)); - vms.lastmsg = -1; - memset(&vmus, 0, sizeof(vmus)); - ast_test_suite_event_notify("START", "Message: vm_execmain started"); if (ast_channel_state(chan) != AST_STATE_UP) { ast_debug(1, "Before ast_answer\n");
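Review bot: vm_authenticate can still return 0 without writing `*res_vmu`, because the copy in the first hunk runs only when `vmu && !skipuser`, so the fix relies on every caller zeroing the struct first and nothing on the function says so. I would document that contract on the function, e.g. `/* On success *res_vmu is filled only if a user was found and skipuser is 0; callers must zero it first. */`. Alternatively, clear it once at entry with `memset(res_vmu, 0, sizeof(*res_vmu));`, provided no caller passes in a pre-filled struct. The function body starts outside the hunk, so whether an earlier path already writes res_vmu cannot be confirmed from here.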
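Review bot: The `= {{0}}` initializers in vm_execmain (second hunk), and the same one in vmauthenticate (last hunk), zero the members but, unlike the memset calls they replace, are not required by the C standard to clear padding bytes. That is harmless for field-by-field use; it matters only if struct vm_state or struct ast_vm_user is ever compared with memcmp or written out as raw bytes, which is not visible in this diff. A short comment at the declarations, such as `/* member-wise zero; padding bytes are unspecified */`, would record the difference from the old memset.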
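Review bot: `vms.lastmsg = -1;` has to remain in vm_execmain after this cleanup (third hunk), because the new `{{0}}` initializer would otherwise leave lastmsg at 0 where the old code set -1. On this page the line breaks are lost and a `-` appears before both that assignment and the `ast_test_suite_event_notify` call; those markers may belong to removed blank lines, and the 12-to-8 line counts in the hunk header fit either reading, so check the applied file. The comment `/* Add the vm_state to the active list and keep it active */` is also left directly above code that does not obviously do that, and could be moved or reworded.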
@@ -12666,7 +12662,7 @@ static struct ast_custom_function vm_info_acf = {
 static int vmauthenticate(struct ast_channel *chan, const char *data)
 {
 char *s, *user = NULL, *context = NULL, mailbox[AST_MAX_EXTENSION] = "";
- struct ast_vm_user vmus;
+ struct ast_vm_user vmus = {{0}};
 char *options = NULL;
 int silent = 0, skipuser = 0;
 int res = -1;