From a6eaa67c5582155e5d5149b0ff33d11b166ee41a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 7 Nov 2025 10:39:26 +0100
Subject: [PATCH] mbedtls: fix potential use of uninitialized `nread`

When Curl_conn_cf_recv() returns error, the variable might not be assigned and the tracing output may (harmlessly) use it uninitialized.

Also add a comment about the typecast from size_t to int being fine.

Pointed out by ZeroPath
Closes #19393
---
 lib/vtls/mbedtls.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 4e8a0c3cf7..36200de6fa 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -200,7 +200,7 @@ static int mbedtls_bio_cf_read(void *bio, unsigned char *buf, size_t blen)
 {
 struct Curl_cfilter *cf = bio;
 struct Curl_easy *data = CF_DATA_CURRENT(cf);
- size_t nread;
+ size_t nread = 0;
 CURLcode result;
 
 DEBUGASSERT(data);
@@ -215,6 +215,7 @@ static int mbedtls_bio_cf_read(void *bio, unsigned char *buf, size_t blen)
 blen, result, nread);
 if(CURLE_AGAIN == result)
 return MBEDTLS_ERR_SSL_WANT_READ;
+ /* nread is never larger than int here */
 return result ? -1 : (int)nread;
 }
 
-- 
2.47.3
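Review bot: The comment added before `return result ? -1 : (int)nread;` in the second hunk asserts that nread fits in an int, but it does not say where that bound comes from and nothing visible in the hunk enforces it. The receive call sits between the two hunks and is not shown, so the bound presumably rests on `nread <= blen` plus whatever limit the TLS library places on `blen`; the comment should name that source, e.g. `/* nread <= blen, which the caller keeps within int range */` (wording to be confirmed against the caller). A `DEBUGASSERT(nread <= INT_MAX);` ahead of the cast would turn the assumption into a debug-build check, which matters because a truncated or negative value returned from this BIO callback would be read as a byte count or an error code. The function body starts above this hunk.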