On Fri, Jul 04, 2014 at 08:38:23AM +0200, Kurt Roeckx wrote:

> On Fri, Jul 04, 2014 at 08:21:15AM +0200, Otto Moerbeek wrote:
> > On Thu, Jul 03, 2014 at 11:35:15PM +0200, Kurt Roeckx wrote:
> > 
> > > On Thu, Jul 03, 2014 at 09:28:47PM +0100, Ben Laurie wrote:
> > > > On 3 July 2014 20:06, Kurt Roeckx via RT <r...@openssl.org> wrote:
> > > > > On Thu, Jul 03, 2014 at 07:51:28PM +0200, Toralf Förster via RT wrote:
> > > > >> I think cppcheck is right here in void DES_ofb64_encrypt(), line 84, 
> > > > >> 85
> > > > >> and 96, or ?:
> > > > >>
> > > > > The line before that:
> > > > >
> > > > >         dp=d;
> > > > >>         l2c(v0,dp);<--- Uninitialized variable: d
> > > > >>         l2c(v1,dp);<--- Uninitialized variable: d
> > > > >>         while (l--)
> > > > >>                 {
> > > > >>                 if (n == 0)
> > > > >>                         {
> > > > >>                         DES_encrypt1(ti,schedule,DES_ENCRYPT);
> > > > >>                         dp=d;
> > > > >>                         t=ti[0]; l2c(t,dp);
> > > > >>                         t=ti[1]; l2c(t,dp);
> > > > >>                         save++;
> > > > >>                         }
> > > > >>                 *(out++)= *(in++)^d[n];<--- Uninitialized variable: d
> > > > >>                 n=(n+1)&0x07;
> > > > >>                 }
> > > > >
> > > > > d is uninitialized, but it's being written to, not read from,
> > > > > so I don't see a problem with this.
> > > > 
> > > > What?
> > > 
> > > So l2c is:
> > > #define l2c(l,c)        (*((c)++)=(unsigned char)(((l))&0xff), \
> > >                          *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
> > >                          *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
> > >                          *((c)++)=(unsigned char)(((l)>>24L)&0xff))
> > > 
> > > It reads v0 and v1 and writes to d (dp).  d being uninitialized
> > > shouldn't be an issue.  Or am I missing something?
> > 
> > Yes, c (which is d) is both incremented and dereferenced. 
> 
> So we have:
> DES_cblock d;
> which as far as I know really is:
> unsigned char d[8];
> 
> and:
> register unsigned char *dp=d;
> *((dp)++) = foo;
> 
> d is a valid pointer, but the content it points to is
> uninitialized.  We end up writing to d[0], d[1], ..., d[7].  I
> don't see us reading it, nor do I see a problem with it.
> 
> 
> Kurt

OK, but then d *is* initialized. It would cause less confusion if
you'd make a difference between d and *d in your comments.

        -Otto
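The disagreement above comes down to what `l2c` does with its pointer argument: it increments `dp` and stores through it, so every byte of `d` is written before the loop ever reads `d[n]`. The following is an added example, not code from this thread or from OpenSSL: it keeps the same `l2c` macro and the same buffering structure as `DES_ofb64_encrypt`, but replaces `DES_encrypt1` with a constructed toy mixing function (assumption: `toy_block` is a stand-in with no cryptographic value, used only to exercise the buffer logic). A per-byte `written` table records which bytes of `d` have been stored, and the function returns how many reads of `d[n]` hit a byte that had not yet been written; it also takes the continuation offset `num`, which is why the initial `l2c(v0,dp); l2c(v1,dp)` fill of `d` exists in the original.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Same store macro as OpenSSL's l2c: writes the 4 bytes of l through c,
 * little-endian, advancing the pointer after each store. The pointer is
 * initialized; the bytes it points at become initialized by these stores. */
#define l2c(l,c)  (*((c)++)=(unsigned char)(((l))&0xff), \
                   *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
                   *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
                   *((c)++)=(unsigned char)(((l)>>24L)&0xff))

/* Constructed stand-in for DES_encrypt1 (assumption: NOT DES, no security
 * properties). It only has to be deterministic so the round trip works. */
static void toy_block(uint32_t ti[2], uint32_t key)
{
    uint32_t a = ti[0] ^ key, b = ti[1] + 0x9e3779b9u;
    a = (a << 7) | (a >> 25);
    b ^= a * 0x01000193u;
    ti[0] = b;
    ti[1] = a ^ b;
}

/* Fill the 8-byte keystream buffer d from two 32-bit words, exactly as the
 * original does with dp=d; l2c(w0,dp); l2c(w1,dp); and record the writes. */
static void fill_block(unsigned char d[8], unsigned char written[8],
                       uint32_t w0, uint32_t w1)
{
    unsigned char *dp = d;
    l2c(w0, dp);                 /* stores d[0..3] */
    l2c(w1, dp);                 /* stores d[4..7] */
    memset(written, 1, 8);
}

/* OFB-64 style loop mirroring DES_ofb64_encrypt. iv0/iv1 play the role of
 * the iv words (c2l(iv,v0); c2l(iv,v1) in the original), num the resume
 * offset within the current keystream block (0..7).
 * Returns the number of reads of d[n] that touched an unwritten byte;
 * 0 means every byte read was stored earlier by l2c. */
size_t ofb64_toy(const unsigned char *in, unsigned char *out, size_t len,
                 uint32_t key, uint32_t iv0, uint32_t iv1, int num)
{
    unsigned char d[8];          /* left uninitialized on purpose, as in the original */
    unsigned char written[8] = {0};
    uint32_t ti[2];
    uint32_t v0 = iv0, v1 = iv1;
    size_t unwritten_reads = 0;
    int n = num & 0x07;

    ti[0] = v0;
    ti[1] = v1;
    /* Reconstruct the keystream block held in the iv so a resumed call
     * (num != 0) reads valid bytes d[num..7] before the next refill. */
    fill_block(d, written, v0, v1);

    while (len--) {
        if (n == 0) {
            toy_block(ti, key);
            fill_block(d, written, ti[0], ti[1]);
        }
        if (!written[n])
            unwritten_reads++;   /* never happens: the fill above precedes any read */
        *(out++) = *(in++) ^ d[n];
        n = (n + 1) & 0x07;
    }
    return unwritten_reads;
}
```

Because OFB is a plain XOR with the keystream, running the function twice with the same key, iv words and `num` recovers the input; the returned count stays 0 both for a fresh call (`num == 0`) and for a resumed one (`num == 3`), which is the behaviour cppcheck's "uninitialized variable: d" report does not account for: the pointer `d` is always initialized, and the bytes `*d` are stored before they are read.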
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org