manager: Use remote address in user error logging

To avoid a potential null dereference, use the remote address
in error logging when there is no user or the user ACL fails.

Resolves: #GHSA-3rhj-hhw7-m6fw
Mike Bradeen
2026-03-30 17:17:10 -06:00
committed by George Joseph
parent 91d50c5423
commit ba0d3a32c4
+2 -2
@@ -8645,7 +8645,7 @@ static int auth_http_callback(struct ast_tcptls_session_instance *ser,
user = get_manager_by_name_locked(d.username);
if(!user) {
AST_RWLIST_UNLOCK(&users);
ast_log(LOG_NOTICE, "%s tried to authenticate with nonexistent user '%s'\n", ast_sockaddr_stringify_addr(&session->addr), d.username);
ast_log(LOG_NOTICE, "%s tried to authenticate with nonexistent user '%s'\n", ast_sockaddr_stringify_addr(remote_address), d.username);
nonce = 0;
goto out_401;
}
@@ -8653,7 +8653,7 @@ static int auth_http_callback(struct ast_tcptls_session_instance *ser,
/* --- We have User for this auth, now check ACL */
if (user->acl && !ast_apply_acl(user->acl, remote_address, "Manager User ACL:")) {
AST_RWLIST_UNLOCK(&users);
ast_log(LOG_NOTICE, "%s failed to pass IP ACL as '%s'\n", ast_sockaddr_stringify_addr(&session->addr), d.username);
ast_log(LOG_NOTICE, "%s failed to pass IP ACL as '%s'\n", ast_sockaddr_stringify_addr(remote_address), d.username);
ast_http_request_close_on_completion(ser);
ast_http_error(ser, 403, "Permission denied", "Permission denied");
return 0;
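Review bot: Neither changed `ast_log()` call (the nonexistent-user branch and the ACL-failure branch) has a comment saying why `remote_address` is used instead of `&session->addr`, so a later cleanup could reintroduce the dereference. Going by the commit message, `session` can presumably still be NULL on these pre-authentication paths; a one-line comment above each call would record that, e.g. `/* session may be NULL before auth succeeds; log the peer via remote_address */`. auth_http_callback starts and ends outside these hunks, so any other `session->` access that can run before the session is established should be checked for the same problem. Separately, `d.username` appears to come from the client's request and is written to the log verbatim, so it is worth confirming that control characters in it cannot forge or split log lines.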