commit 5e4f26b510b04624386c54816bf26aacea0fe4a1 Author: Veronika Hanulíková Date: Thu Jul 11 14:58:25 2024 +0200 cac: Fix uninitialized values Thanks Matteo Marini for report https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 fuzz_card/1,fuzz_pkcs11/6 Index: opensc-0.24.0/src/libopensc/card-cac.c =================================================================== --- opensc-0.24.0.orig/src/libopensc/card-cac.c +++ opensc-0.24.0/src/libopensc/card-cac.c @@ -252,7 +252,7 @@ static int cac_apdu_io(sc_card_t *card, size_t * recvbuflen) { int r; - sc_apdu_t apdu; + sc_apdu_t apdu = {0}; u8 rbufinitbuf[CAC_MAX_SIZE]; u8 *rbuf; size_t rbuflen; @@ -389,13 +389,13 @@ fail: static int cac_read_file(sc_card_t *card, int file_type, u8 **out_buf, size_t *out_len) { u8 params[2]; - u8 count[2]; + u8 count[2] = {0}; u8 *out = NULL; - u8 *out_ptr; + u8 *out_ptr = NULL; size_t offset = 0; size_t size = 0; size_t left = 0; - size_t len; + size_t len = 0; int r; params[0] = file_type; @@ -458,7 +458,7 @@ static int cac_read_binary(sc_card_t *ca const u8 *tl_ptr, *val_ptr, *tl_start; u8 *tlv_ptr; const u8 *cert_ptr; - size_t tl_len, val_len, tlv_len; + size_t tl_len = 0, val_len = 0, tlv_len; size_t len, tl_head_len, cert_len; u8 cert_type, tag; @@ -1518,7 +1518,7 @@ static int cac_parse_CCC(sc_card_t *card static int cac_process_CCC(sc_card_t *card, cac_private_data_t *priv, int depth) { u8 *tl = NULL, *val = NULL; - size_t tl_len, val_len; + size_t tl_len = 0, val_len = 0; int r; if (depth > CAC_MAX_CCC_DEPTH) { Index: opensc-0.24.0/src/libopensc/card-piv.c =================================================================== --- opensc-0.24.0.orig/src/libopensc/card-piv.c +++ opensc-0.24.0/src/libopensc/card-piv.c @@ -4423,7 +4423,7 @@ static int piv_get_challenge(sc_card_t * const u8 *p; size_t out_len = 0; int r; - unsigned int tag_out, cla_out; + unsigned int tag_out = 0, cla_out = 0; piv_private_data_t * priv = PIV_DATA(card); LOG_FUNC_CALLED(card->ctx); Index: opensc-0.24.0/src/libopensc/pkcs15-cert.c =================================================================== --- opensc-0.24.0.orig/src/libopensc/pkcs15-cert.c +++ opensc-0.24.0/src/libopensc/pkcs15-cert.c @@ -169,7 +169,7 @@ sc_pkcs15_get_name_from_dn(struct sc_con for (next_ava = rdn, next_ava_len = rdn_len; next_ava_len; ) { const u8 *ava, *dummy, *oidp; struct sc_object_id oid; - size_t ava_len, dummy_len, oid_len; + size_t ava_len = 0, dummy_len, oid_len = 0; /* unwrap the set and point to the next ava */ ava = sc_asn1_skip_tag(ctx, &next_ava, &next_ava_len, SC_ASN1_TAG_SET | SC_ASN1_CONS, &ava_len); Index: opensc-0.24.0/src/libopensc/pkcs15-sc-hsm.c =================================================================== --- opensc-0.24.0.orig/src/libopensc/pkcs15-sc-hsm.c +++ opensc-0.24.0/src/libopensc/pkcs15-sc-hsm.c @@ -386,7 +386,7 @@ int sc_pkcs15emu_sc_hsm_decode_cvc(sc_pk struct sc_asn1_entry asn1_cvcert[C_ASN1_CVCERT_SIZE]; struct sc_asn1_entry asn1_cvc_body[C_ASN1_CVC_BODY_SIZE]; struct sc_asn1_entry asn1_cvc_pubkey[C_ASN1_CVC_PUBKEY_SIZE]; - unsigned int cla,tag; + unsigned int cla = 0, tag = 0; size_t taglen; const u8 *tbuf; int r; Index: opensc-0.24.0/src/pkcs15init/profile.c =================================================================== --- opensc-0.24.0.orig/src/pkcs15init/profile.c +++ opensc-0.24.0/src/pkcs15init/profile.c @@ -1809,7 +1809,7 @@ do_pin_storedlength(struct state *cur, i static int do_pin_flags(struct state *cur, int argc, char **argv) { - unsigned int flags; + unsigned int flags = 0; int i, r; if (cur->pin->pin.auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN)