CVE-2026-31427

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfconntracksip: fix use of uninitialized rtpaddr in processsdp

processsdp() declares union nfinetaddr rtpaddr on the stack and passes it to the nfnatsip sdpsession hook after walking the SDP media descriptions. However rtpaddr is only initialized inside the media loop when a recognized media type with a non-zero port is found.

If the SDP body contains no m= lines, only inactive media sections (m=audio 0 ...) or only unrecognized media types, rtpaddr is never assigned. Despite that, the function still calls hooks->sdpsession() with &rtpaddr, causing nfnatsdpsession() to format the stale stack value as an IP address and rewrite the SDP session owner and connection lines with it.

With CONFIGINITSTACKALLZERO (default on most distributions) this results in the session-level o= and c= addresses being rewritten to 0.0.0.0 for inactive SDP sessions. Without stack auto-init the rewritten address is whatever happened to be on the stack.

Fix this by pre-initializing rtpaddr from the session-level connection address (caddr) when available, and tracking via a havertpaddr flag whether any valid address was established. Skip the sdpsession hook entirely when no valid address exists.