From: slontis <shane.lontis@oracle.com>
Date: Fri, 17 Jan 2025 03:58:14 +0000 (+1100)
Subject: ML_DSA: Fix partially uninitialised hint buffer.
X-Git-Tag: openssl-3.5.0-alpha1~602
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2cb4b0c78121e041e9ffeef60cfbfef027d178c6;p=thirdparty%2Fopenssl.git

ML_DSA: Fix partially uninitialised hint buffer.
The encoded hint data consists of omega + k bytes.
The bytes at the end of omega section of the buffer may be 0,
so the buffer must be cleared initially.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26451)
---

diff --git a/crypto/ml_dsa/ml_dsa_encoders.c b/crypto/ml_dsa/ml_dsa_encoders.c
index 41383c97399..e669c511a7a 100644
--- a/crypto/ml_dsa/ml_dsa_encoders.c
+++ b/crypto/ml_dsa/ml_dsa_encoders.c
@@ -821,6 +821,7 @@ static int hint_bits_encode(const VECTOR *hint, WPACKET *pkt, uint32_t omega)
 
     if (!WPACKET_allocate_bytes(pkt, omega + k, &data))
         return 0;
+    memset(data, 0, omega + k);
 
     for (i = 0; i < k; i++, p++) {
         for (j = 0; j < ML_DSA_NUM_POLY_COEFFICIENTS; j++)