From 2cb4b0c78121e041e9ffeef60cfbfef027d178c6 Mon Sep 17 00:00:00 2001
From: slontis <shane.lontis@oracle.com>
Date: Fri, 17 Jan 2025 14:58:14 +1100
Subject: [PATCH] ML_DSA: Fix partially uninitialised hint buffer. The encoded
 hint data consists of omega + k bytes. The bytes at the end of omega section
 of the buffer may be 0, so the buffer must be cleared initially.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26451)
---
 crypto/ml_dsa/ml_dsa_encoders.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/crypto/ml_dsa/ml_dsa_encoders.c b/crypto/ml_dsa/ml_dsa_encoders.c
index 41383c97399..e669c511a7a 100644
--- a/crypto/ml_dsa/ml_dsa_encoders.c
+++ b/crypto/ml_dsa/ml_dsa_encoders.c
@@ -821,6 +821,7 @@ static int hint_bits_encode(const VECTOR *hint, WPACKET *pkt, uint32_t omega)
 
     if (!WPACKET_allocate_bytes(pkt, omega + k, &data))
         return 0;
+    memset(data, 0, omega + k);
 
     for (i = 0; i < k; i++, p++) {
         for (j = 0; j < ML_DSA_NUM_POLY_COEFFICIENTS; j++)
-- 
2.47.3