From fbaabcaaa285f62ec84006b8f70a4bfdbcedaf44 Mon Sep 17 00:00:00 2001
From: Mike Bradeen
Date: Mon, 30 Mar 2026 17:17:10 -0600
Subject: [PATCH] manager: Use remote address in user error logging

To avoid a potential null dereference use the remote address in error logging when there is no user or the user acl fails.

Resolves: #GHSA-3rhj-hhw7-m6fw
---
 main/manager.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/main/manager.c b/main/manager.c
index f5d2c1f500..be968534a5 100644
--- a/main/manager.c
+++ b/main/manager.c
@@ -8672,7 +8672,7 @@ static int auth_http_callback(struct ast_tcptls_session_instance *ser,
 user = get_manager_by_name_locked(d.username);
 if(!user) {
 AST_RWLIST_UNLOCK(&users);
- ast_log(LOG_NOTICE, "%s tried to authenticate with nonexistent user '%s'\n", ast_sockaddr_stringify_addr(&session->addr), d.username);
+ ast_log(LOG_NOTICE, "%s tried to authenticate with nonexistent user '%s'\n", ast_sockaddr_stringify_addr(remote_address), d.username);
 nonce = 0;
 goto out_401;
 }
@@ -8680,7 +8680,7 @@ static int auth_http_callback(struct ast_tcptls_session_instance *ser,
 /* --- We have User for this auth, now check ACL */
 if (user->acl && !ast_apply_acl(user->acl, remote_address, "Manager User ACL:")) {
 AST_RWLIST_UNLOCK(&users);
- ast_log(LOG_NOTICE, "%s failed to pass IP ACL as '%s'\n", ast_sockaddr_stringify_addr(&session->addr), d.username);
+ ast_log(LOG_NOTICE, "%s failed to pass IP ACL as '%s'\n", ast_sockaddr_stringify_addr(remote_address), d.username);
 ast_http_request_close_on_completion(ser);
 ast_http_error(ser, 403, "Permission denied", "Permission denied");
 return 0;
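Review bot: Nothing at the changed `ast_log()` call in the `if(!user)` branch records why `session` must not be used there, so the old `&session->addr` pattern could be reintroduced by a later edit. The commit message implies `session` may still be NULL on these pre-authentication failure paths; a short comment above the call, such as `/* session may not be set yet on this path; log the peer from remote_address */`, would document that, and the same applies to the ACL-failure log in the second hunk. `auth_http_callback` starts and ends outside both hunks, so any other `session->` use ahead of the point where the session is obtained cannot be checked from here and deserves a pass.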
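Review bot: The ACL-failure path in this hunk answers 403 while the unknown-user path in the first hunk goes to `out_401`, so the status code alone tells an unauthenticated peer whether the supplied manager name exists. As far as the hunk shows, this happens before the digest response is checked. If clients do not depend on the distinction, the two failures could share one response, for example by replacing the 403 lines with `nonce = 0;` and `goto out_401;` while keeping the separate NOTICE messages so operators still see the reason. The function continues outside the hunk, so what `out_401` does beyond issuing the challenge is not visible here.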