Commit 87a1f43e4c for asterisk.org

commit 87a1f43e4c465b885163665aa89172ed0f392663
Author: Mike Bradeen <mbradeen@sangoma.com>
Date:   Mon Mar 30 17:17:10 2026 -0600

    manager: Use remote address in user error logging

    To avoid a potential null dereference, use the remote address
    in error logging when there is no user or the user ACL fails.

    Resolves: #GHSA-3rhj-hhw7-m6fw

diff --git a/main/manager.c b/main/manager.c
index df326de7b6..b753c93186 100644
--- a/main/manager.c
+++ b/main/manager.c
@@ -8668,7 +8668,7 @@ static int auth_http_callback(struct ast_tcptls_session_instance *ser,
 	user = get_manager_by_name_locked(d.username);
 	if(!user) {
 		AST_RWLIST_UNLOCK(&users);
-		ast_log(LOG_NOTICE, "%s tried to authenticate with nonexistent user '%s'\n", ast_sockaddr_stringify_addr(&session->addr), d.username);
+		ast_log(LOG_NOTICE, "%s tried to authenticate with nonexistent user '%s'\n", ast_sockaddr_stringify_addr(remote_address), d.username);
 		nonce = 0;
 		goto out_401;
 	}
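Review bot: Nothing at the changed `ast_log` call records why the peer is taken from `remote_address` rather than `session->addr`, so a later cleanup could quietly reintroduce the dereference. The commit message implies `session` may be unset on this path, but that is not visible in the hunk. I would add a comment above the call, for example `/* session may not be set yet on this path; log the peer from remote_address */`, and the same above the ACL-failure log in the next hunk. auth_http_callback starts and ends outside this hunk, so it is worth confirming that no other `session->` access is reachable before the session is looked up or created.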
@@ -8676,7 +8676,7 @@ static int auth_http_callback(struct ast_tcptls_session_instance *ser,
 	/* --- We have User for this auth, now check ACL */
 	if (user->acl && !ast_apply_acl(user->acl, remote_address, "Manager User ACL:")) {
 		AST_RWLIST_UNLOCK(&users);
-		ast_log(LOG_NOTICE, "%s failed to pass IP ACL as '%s'\n", ast_sockaddr_stringify_addr(&session->addr), d.username);
+		ast_log(LOG_NOTICE, "%s failed to pass IP ACL as '%s'\n", ast_sockaddr_stringify_addr(remote_address), d.username);
 		ast_http_request_close_on_completion(ser);
 		ast_http_error(ser, 403, "Permission denied", "Permission denied");
 		return 0;
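Review bot: The ACL failure here answers 403 while the unknown-user branch in the previous hunk jumps to `out_401`, so a client whose address fails the ACL can apparently tell an existing manager username from a nonexistent one by the status code alone (the `out_401` body is outside the hunk, so this is inferred from the label). If that distinction is not intended, this branch could take the same path (`nonce = 0; goto out_401;`); if it is intended, a short comment saying so would help. Separately, `d.username` looks client-supplied and is written to the log before any authentication succeeds, in both hunks. It is worth confirming that the digest parser rejects control characters so a request cannot forge or split NOTICE lines.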