Fix harmless use of uninitialized memory in ssl_parse_encrypted_pms
In ssl_parse_encrypted_pms, some operational failures from
ssl_decrypt_encrypted_pms lead to diff being set to a value that
depended on some uninitialized unsigned char and size_t values. This didn't
affect the behavior of the program (assuming an implementation with no
trap values for size_t) because all that matters is whether diff is 0,
but Valgrind rightfully complained about the use of uninitialized
memory. Behave nicely and initialize the offending memory.
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 2b25e09..b49b9e1 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -3513,6 +3513,15 @@
size_t i, peer_pmslen;
unsigned int diff;
+ /* In case of a failure in decryption, the decryption may write less than
+ * 2 bytes of output, but we always read the first two bytes. It doesn't
+ * matter in the end because diff will be nonzero in that case due to
+ * peer_pmslen being less than 48, and we only care whether diff is 0.
+ * But do initialize peer_pms for robustness anyway. This also makes
+ * memory analyzers happy (don't access uninitialized memory, even
+ * if it's an unsigned char). */
+ peer_pms[0] = peer_pms[1] = ~0;
+
ret = ssl_decrypt_encrypted_pms( ssl, p, end,
peer_pms,
&peer_pmslen,
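Review bot: the added comment relies on peer_pmslen being less than 48 after a failed decryption, but peer_pmslen is declared without an initializer in the first context line (`size_t i, peer_pmslen;`) and the added lines only initialize peer_pms[0] and peer_pms[1]. The commit message says the uninitialized values included size_t ones, so unless ssl_decrypt_encrypted_pms writes peer_pmslen on every failure path, a later read of it can still be flagged by Valgrind; consider adding `peer_pmslen = 0;` next to the peer_pms initialization, or state in the comment that the callee always sets it. A smaller style point on the same added statement: `~0` is an int that is converted to unsigned char on assignment, so writing `0xff` would state the intended byte value directly and avoid implicit-conversion warnings.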