CVE-2021-40540

An attacker sends a malformed HTTP request to a server running an affected version of Ulfius. Because `con_info` is not zero-initialized and `con_info->request` is not checked for NULL before being passed to `ulfius_init_request`, the framework may dereference an uninitialized or NULL pointer, causing a denial of service (crash). The attack requires only network access to send a crafted HTTP request.

The vulnerability is in the `ulfius_uri_logger` function in Ulfius HTTP Framework before version 2.7.4. The function omitted initialization of the `con_info` structure via `memset` and lacked a NULL check for `con_info->request` before using it, leading to a crash when malformed HTTP requests are processed.

The patch adds `memset(con_info, 0, sizeof(struct connection_info_struct))` to ensure the structure is zero-initialized before use, and removes the `NULL == con_info->request` check, instead directly calling `ulfius_init_request` and checking its return value. This prevents undefined behavior from uninitialized memory and ensures proper error handling when the request object is missing or invalid.