From 9fa657a73ecfe6618c7f50d53b0afe4a25c710c9 Mon Sep 17 00:00:00 2001
From: Meng Yuan <quic_menyua@quicinc.com>
Date: Wed, 16 Apr 2025 14:51:21 +0800
Subject: [PATCH] OpenSSL: Avoid use of an uninitialized array

Initialize the skip_buf[] array before using it with EVP_CipherUpdate()
to skip the initial segment of RC4 output. This does not change actual
behavior since the output of that call is not used and it is only there
for changing the internal state of the RC4 cipher. However, this avoids
uninitialized element issues reported in MISRA.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
---
 src/crypto/crypto_openssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index c84ccb466..2efe3ed94 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -431,7 +431,7 @@ int rc4_skip(const u8 *key, size_t keylen, size_t skip,
 	EVP_CIPHER_CTX *ctx;
 	int outl;
 	int res = -1;
-	unsigned char skip_buf[16];
+	unsigned char skip_buf[16] = { 0 };
 
 	openssl_load_legacy_provider();
 
-- 
2.47.2