git:master:d309e27b: secfilter: in check sql injection function initialize str variables to NULL. In get values from headers it is checked if From or To name is empty to avoid false positives - sr-dev

2 Jan 2019

Module: kamailio
Branch: master
Commit: d309e27b1aa35176e17e24542ffc2507cd17eb3e
URL: https://github.com/kamailio/kamailio/commit/d309e27b1aa35176e17e24542ffc2507...
Author: Jose Luis Verdeguer pepeluxx@gmail.com
Committer: Jose Luis Verdeguer pepeluxx@gmail.com
Date: 2019-01-02T18:51:01+01:00
secfilter: in check sql injection function initialize str variables to NULL. In get values from headers it is checked if From or To name is empty to avoid false positives
---
Modified: src/modules/secfilter/secfilter.c
Modified: src/modules/secfilter/secfilter_hdr.c
---
Diff:  https://github.com/kamailio/kamailio/commit/d309e27b1aa35176e17e24542ffc2507...
Patch: https://github.com/kamailio/kamailio/commit/d309e27b1aa35176e17e24542ffc2507...
---

diff --git a/src/modules/secfilter/secfilter.c b/src/modules/secfilter/secfilter.c
index 5ec680d1b1..4816c4ad9d 100644
--- a/src/modules/secfilter/secfilter.c
+++ b/src/modules/secfilter/secfilter.c
@@ -131,10 +131,10 @@ PREVENT SQL INJECTION
 /* External function to search for illegal characters in several headers */
 static int w_check_sqli_all(struct sip_msg *msg)
 {
-	str ua;
-	str name;
-	str user;
-	str domain;
+	str ua = STR_NULL;
+	str name = STR_NULL;
+	str user = STR_NULL;
+	str domain = STR_NULL;
    int res;
    int retval = 1;
diff --git a/src/modules/secfilter/secfilter_hdr.c b/src/modules/secfilter/secfilter_hdr.c
index 5375d6ffff..1bb9ba1974 100644
--- a/src/modules/secfilter/secfilter_hdr.c
+++ b/src/modules/secfilter/secfilter_hdr.c
@@ -74,7 +74,7 @@ int secf_get_from(struct sip_msg *msg, str *name, str *user, str *domain)
    }
hdr = get_from(msg);
-	if(hdr->display.s != NULL) {
+	if(hdr->display.s != NULL && hdr->display.len > 0) {
    	name->s = hdr->display.s;
    	name->len = hdr->display.len;
@@ -128,7 +128,7 @@ int secf_get_to(struct sip_msg *msg, str *name, str *user, str *domain)
    }
hdr = get_to(msg);
-	if(hdr->display.s != NULL) {
+	if(hdr->display.s != NULL && hdr->display.len > 0) {
    	name->s = hdr->display.s;
    	name->len = hdr->display.len;

    