From: Meng Yuan <quic_menyua@quicinc.com>
Date: Wed, 16 Apr 2025 06:51:21 +0000 (+0800)
Subject: OpenSSL: Avoid use of an uninitialized array
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9fa657a73ecfe6618c7f50d53b0afe4a25c710c9;p=thirdparty%2Fhostap.git

OpenSSL: Avoid use of an uninitialized array

Initialize the skip_buf[] array before using it with EVP_CipherUpdate()
to skip the initial segment of RC4 output. This does not change actual
behavior since the output of that call is not used and it is only there
for changing the internal state of the RC4 cipher. However, this avoids
uninitialized element issues reported in MISRA.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
---

diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index c84ccb466..2efe3ed94 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -431,7 +431,7 @@ int rc4_skip(const u8 *key, size_t keylen, size_t skip,
 	EVP_CIPHER_CTX *ctx;
 	int outl;
 	int res = -1;
-	unsigned char skip_buf[16];
+	unsigned char skip_buf[16] = { 0 };
 
 	openssl_load_legacy_provider();