From 01a719fa918dca4c49553b32778367f1fc4d49df Mon Sep 17 00:00:00 2001 From: zhangbinqin Date: Mon, 18 Aug 2025 10:01:27 +0000 Subject: [PATCH] fix CVE-2025-4877 CVE-2025-4878 CVE-2025-5351 CVE-2025-5987 CVE-2025-5372 (cherry picked from commit a8427c9c44f62886d28fbbcbd44624dfc1cfc125) --- ...t-integer-overflow-and-potential-OOB.patch | 56 + ...8-Initialize-pointers-where-posibble.patch | 2602 +++++++++++++++++ ...-check-ret-to-avoid-NULL-dereference.patch | 31 + ...double-free-on-low-memory-conditions.patch | 46 + ...ectly-detect-failures-of-chacha-init.patch | 34 + ...2-Simplify-error-checking-in-ssh_kdf.patch | 150 + libssh.spec | 14 +- 7 files changed, 2932 insertions(+), 1 deletion(-) create mode 100644 backport-0021-CVE-2025-4877-prevent-integer-overflow-and-potential-OOB.patch create mode 100644 backport-0022-CVE-2025-4878-Initialize-pointers-where-posibble.patch create mode 100644 backport-0023-CVE-2025-4878-Properly-check-ret-to-avoid-NULL-dereference.patch create mode 100644 backport-0024-CVE-2025-5351-avoid-double-free-on-low-memory-conditions.patch create mode 100644 backport-0025-CVE-2025-5987-correctly-detect-failures-of-chacha-init.patch create mode 100644 backport-0026-CVE-2025-5372-Simplify-error-checking-in-ssh_kdf.patch diff --git a/backport-0021-CVE-2025-4877-prevent-integer-overflow-and-potential-OOB.patch b/backport-0021-CVE-2025-4877-prevent-integer-overflow-and-potential-OOB.patch new file mode 100644 index 0000000..bfbda55 --- /dev/null +++ b/backport-0021-CVE-2025-4877-prevent-integer-overflow-and-potential-OOB.patch @@ -0,0 +1,56 @@ +From 00f09acbec55962839fc7837ef14c56fb8fbaf72 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 15 Apr 2025 11:41:24 +0200 +Subject: CVE-2025-4877 base64: Prevent integer overflow and potential +OOB + +Set maximum input to 256MB to have safe margin to the 1GB trigger point +for 32b arch. + +The OOB should not be reachable by any internal code paths as most of +the buffers and strings we use as input for this operation already have +similar limit and none really allows this much of data. + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +Conflict:NA +Reference:https://git.libssh.org/projects/libssh.git/patch/?id=00f09acbec55962839fc7837ef14c56fb8fbaf72 +--- + src/base64.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/base64.c b/src/base64.c +index 4148f49..f42e0e8 100644 +--- a/src/base64.c ++++ b/src/base64.c +@@ -29,6 +29,9 @@ + #include "libssh/priv.h" + #include "libssh/buffer.h" + ++/* Do not allow encoding more than 256MB of data */ ++#define BASE64_MAX_INPUT_LEN 256 * 1024 * 1024 ++ + static + const uint8_t alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz" +@@ -274,7 +277,15 @@ uint8_t *bin_to_base64(const uint8_t *source, size_t len) + { + uint8_t *base64 = NULL; + uint8_t *ptr = NULL; +- size_t flen = len + (3 - (len % 3)); /* round to upper 3 multiple */ ++ size_t flen = 0; ++ ++ /* Set the artificial upper limit for the input. Otherwise on 32b arch, the ++ * following line could overflow for sizes larger than SIZE_MAX / 4 */ ++ if (len > BASE64_MAX_INPUT_LEN) { ++ return NULL; ++ } ++ ++ flen = len + (3 - (len % 3)); /* round to upper 3 multiple */ + flen = (4 * flen) / 3 + 1; + + base64 = malloc(flen); +-- +2.33.0 + diff --git a/backport-0022-CVE-2025-4878-Initialize-pointers-where-posibble.patch b/backport-0022-CVE-2025-4878-Initialize-pointers-where-posibble.patch new file mode 100644 index 0000000..9742535 --- /dev/null +++ b/backport-0022-CVE-2025-4878-Initialize-pointers-where-posibble.patch @@ -0,0 +1,2602 @@ +From 2eb2af4426eb9d473eb131cecea2c81a99d1e2fc Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 23 Apr 2025 17:57:11 +0200 +Subject: CVE-2025-4878 Initialize pointers where possible + +This is mostly mechanical change initializing all the pointers I was +able to +find with some grep and manual review of sources and examples. + +Used the following greps (which yield some false positives though): + + git grep " \w* *\* *\w*;$" + git grep " ssh_session \w*;" + git grep " ssh_channel \w*;" + git grep " struct ssh_iterator \*\w*;" + git grep " ssh_bind \w*;" + git grep " ssh_key \w*;" + git grep " ssh_string \w*;" + git grep " ssh_buffer \w*;" + git grep " HMACCTX \w*;" + git grep " SHACTX \w*;" + grep -rinP '^(?!.*=)\s*(?:\w+\s+)*\w+\s*\*\s*\w+\s*;' + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +Conflict:NA +Reference:https://git.libssh.org/projects/libssh.git/patch/?id=2eb2af4426eb9d473eb131cecea2c81a99d1e2fc +--- + doc/authentication.dox | 10 +++---- + doc/command.dox | 2 +- + doc/forwarding.dox | 4 +-- + doc/guided_tour.dox | 14 ++++----- + doc/shell.dox | 2 +- + examples/authentication.c | 12 ++++---- + examples/connect_ssh.c | 2 +- + examples/exec.c | 4 +-- + examples/knownhosts.c | 2 +- + examples/libssh_scp.c | 11 +++---- + examples/proxy.c | 18 ++++++------ + examples/samplesshd-cb.c | 10 +++---- + examples/samplesshd-kbdint.c | 16 +++++----- + examples/scp_download.c | 4 +-- + examples/senddata.c | 4 +-- + examples/ssh_client.c | 8 ++--- + examples/sshd_direct-tcpip.c | 14 ++++----- + examples/sshnetcat.c | 6 ++-- + src/agent.c | 13 ++++---- + src/auth.c | 7 +++-- + src/bind.c | 11 +++---- + src/bind_config.c | 4 +-- + src/buffer.c | 9 +++--- + src/callbacks.c | 2 +- + src/chachapoly.c | 2 +- + src/channels.c | 57 ++++++++++++++++++------------------ + src/client.c | 2 +- + src/config.c | 4 +-- + src/config_parser.c | 12 ++++---- + src/connect.c | 4 +-- + src/connector.c | 5 ++-- + src/dh_crypto.c | 2 +- + src/ecdh_crypto.c | 8 ++--- + src/ecdh_gcrypt.c | 10 +++---- + src/gcrypt_missing.c | 2 +- + src/getpass.c | 4 +-- + src/gssapi.c | 28 ++++++++++-------- + src/kex.c | 4 +-- + src/known_hosts.c | 41 +++++++++++++------------- + src/knownhosts.c | 18 ++++++------ + src/legacy.c | 43 ++++++++++++++------------- + src/libmbedcrypto.c | 2 +- + src/log.c | 2 +- + src/messages.c | 22 +++++++------- + src/misc.c | 24 +++++++-------- + src/options.c | 22 +++++++------- + src/packet.c | 6 ++-- + src/packet_crypt.c | 2 +- + src/pki.c | 48 +++++++++++++++--------------- + src/pki_container_openssh.c | 16 +++++----- + src/pki_crypto.c | 8 ++--- + src/pki_ed25519.c | 6 ++-- + src/pki_ed25519_common.c | 2 +- + src/pki_gcrypt.c | 14 ++++----- + src/pki_mbedcrypto.c | 12 ++++---- + src/poll.c | 10 +++---- + src/server.c | 23 ++++++++------- + src/session.c | 14 ++++----- + src/sftpserver.c | 12 ++++---- + src/string.c | 4 +-- + src/threads/winlocks.c | 2 +- + src/wrapper.c | 2 +- + 62 files changed, 352 insertions(+), 336 deletions(-) + +diff --git a/doc/authentication.dox b/doc/authentication.dox +index 7d0ab81..a0b2df8 100644 +--- a/doc/authentication.dox ++++ b/doc/authentication.dox +@@ -105,7 +105,7 @@ Here is a small example of password authentication: + @code + int authenticate_password(ssh_session session) + { +- char *password; ++ char *password = NULL; + int rc; + + password = getpass("Enter your password: "); +@@ -218,7 +218,7 @@ int authenticate_kbdint(ssh_session session) + rc = ssh_userauth_kbdint(session, NULL, NULL); + while (rc == SSH_AUTH_INFO) + { +- const char *name, *instruction; ++ const char *name = NULL, *instruction = NULL; + int nprompts, iprompt; + + name = ssh_userauth_kbdint_getname(session); +@@ -231,7 +231,7 @@ int authenticate_kbdint(ssh_session session) + printf("%s\n", instruction); + for (iprompt = 0; iprompt < nprompts; iprompt++) + { +- const char *prompt; ++ const char *prompt = NULL; + char echo; + + prompt = ssh_userauth_kbdint_getprompt(session, iprompt, &echo); +@@ -251,7 +251,7 @@ int authenticate_kbdint(ssh_session session) + } + else + { +- char *ptr; ++ char *ptr = NULL; + + ptr = getpass(prompt); + if (ssh_userauth_kbdint_setanswer(session, iprompt, ptr) < 0) +@@ -354,7 +354,7 @@ The following example shows how to retrieve and dispose the issue banner: + int display_banner(ssh_session session) + { + int rc; +- char *banner; ++ char *banner = NULL; + + /* + *** Does not work without calling ssh_userauth_none() first *** +diff --git a/doc/command.dox b/doc/command.dox +index 588151c..e82748c 100644 +--- a/doc/command.dox ++++ b/doc/command.dox +@@ -22,7 +22,7 @@ a SSH session that uses this channel: + @code + int show_remote_files(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + + channel = ssh_channel_new(session); +diff --git a/doc/forwarding.dox b/doc/forwarding.dox +index 2b202b4..3ca3aa8 100644 +--- a/doc/forwarding.dox ++++ b/doc/forwarding.dox +@@ -100,7 +100,7 @@ used to retrieve google's home page from the remote SSH server. + @code + int direct_forwarding(ssh_session session) + { +- ssh_channel forwarding_channel; ++ ssh_channel forwarding_channel = NULL; + int rc = SSH_ERROR; + char *http_get = "GET / HTTP/1.1\nHost: www.google.com\n\n"; + int nbytes, nwritten; +@@ -161,7 +161,7 @@ local libssh application, which handles them: + int web_server(ssh_session session) + { + int rc; +- ssh_channel channel; ++ ssh_channel channel = NULL; + char buffer[256]; + int nbytes, nwritten; + int port = 0; +diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox +index 69576f1..60f4087 100644 +--- a/doc/guided_tour.dox ++++ b/doc/guided_tour.dox +@@ -79,7 +79,7 @@ Here is a small example of how to use it: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int verbosity = SSH_LOG_PROTOCOL; + int port = 22; + +@@ -126,7 +126,7 @@ Here's an example: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int rc; + + my_ssh_session = ssh_new(); +@@ -190,8 +190,8 @@ int verify_knownhost(ssh_session session) + ssh_key srv_pubkey = NULL; + size_t hlen; + char buf[10]; +- char *hexa; +- char *p; ++ char *hexa = NULL; ++ char *p = NULL; + int cmp; + int rc; + +@@ -317,9 +317,9 @@ The example below shows an authentication with password: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int rc; +- char *password; ++ char *password = NULL; + + // Open session and set options + my_ssh_session = ssh_new(); +@@ -380,7 +380,7 @@ The example below shows how to execute a remote command: + @code + int show_remote_processes(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + char buffer[256]; + int nbytes; +diff --git a/doc/shell.dox b/doc/shell.dox +index d770f27..54d9788 100644 +--- a/doc/shell.dox ++++ b/doc/shell.dox +@@ -26,7 +26,7 @@ The code sample below achieves these tasks: + @code + int shell_session(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + + channel = ssh_channel_new(session); +diff --git a/examples/authentication.c b/examples/authentication.c +index 7c47c8b..31de7cf 100644 +--- a/examples/authentication.c ++++ b/examples/authentication.c +@@ -30,8 +30,8 @@ int authenticate_kbdint(ssh_session session, const char *password) + + err = ssh_userauth_kbdint(session, NULL, NULL); + while (err == SSH_AUTH_INFO) { +- const char *instruction; +- const char *name; ++ const char *instruction = NULL; ++ const char *name = NULL; + char buffer[128]; + int i, n; + +@@ -48,8 +48,8 @@ int authenticate_kbdint(ssh_session session, const char *password) + } + + for (i = 0; i < n; i++) { +- const char *answer; +- const char *prompt; ++ const char *answer = NULL; ++ const char *prompt = NULL; + char echo; + + prompt = ssh_userauth_kbdint_getprompt(session, i, &echo); +@@ -58,7 +58,7 @@ int authenticate_kbdint(ssh_session session, const char *password) + } + + if (echo) { +- char *p; ++ char *p = NULL; + + printf("%s", prompt); + +@@ -143,7 +143,7 @@ int authenticate_console(ssh_session session) + int rc; + int method; + char password[128] = {0}; +- char *banner; ++ char *banner = NULL; + + // Try to authenticate + rc = ssh_userauth_none(session, NULL); +diff --git a/examples/connect_ssh.c b/examples/connect_ssh.c +index c9e4ef6..0609427 100644 +--- a/examples/connect_ssh.c ++++ b/examples/connect_ssh.c +@@ -22,7 +22,7 @@ clients must be made or how a client should react. + #include + + ssh_session connect_ssh(const char *host, const char *user,int verbosity){ +- ssh_session session; ++ ssh_session session = NULL; + int auth=0; + + session=ssh_new(); +diff --git a/examples/exec.c b/examples/exec.c +index 77d3be4..f90df36 100644 +--- a/examples/exec.c ++++ b/examples/exec.c +@@ -5,8 +5,8 @@ + #include "examples_common.h" + + int main(void) { +- ssh_session session; +- ssh_channel channel; ++ ssh_session session = NULL; ++ ssh_channel channel = NULL; + char buffer[256]; + int rbytes, wbytes, total = 0; + int rc; +diff --git a/examples/knownhosts.c b/examples/knownhosts.c +index 0726bfa..2857a08 100644 +--- a/examples/knownhosts.c ++++ b/examples/knownhosts.c +@@ -38,7 +38,7 @@ int verify_knownhost(ssh_session session) + char buf[10]; + unsigned char *hash = NULL; + size_t hlen; +- ssh_key srv_pubkey; ++ ssh_key srv_pubkey = NULL; + int rc; + + rc = ssh_get_server_publickey(session, &srv_pubkey); +diff --git a/examples/libssh_scp.c b/examples/libssh_scp.c +index 6fdf8a4..a332e0d 100644 +--- a/examples/libssh_scp.c ++++ b/examples/libssh_scp.c +@@ -26,9 +26,9 @@ program. + #define BUF_SIZE 16384 + #endif + +-static char **sources; ++static char **sources = NULL; + static int nsources; +-static char *destination; ++static char *destination = NULL; + static int verbosity = 0; + + struct location { +@@ -114,9 +114,10 @@ static void location_free(struct location *loc) + } + } + +-static struct location *parse_location(char *loc) { +- struct location *location; +- char *ptr; ++static struct location *parse_location(char *loc) ++{ ++ struct location *location = NULL; ++ char *ptr = NULL; + + location = malloc(sizeof(struct location)); + if (location == NULL) { +diff --git a/examples/proxy.c b/examples/proxy.c +index 159a37e..2545178 100644 +--- a/examples/proxy.c ++++ b/examples/proxy.c +@@ -35,8 +35,8 @@ clients must be made or how a client should react. + static int authenticated=0; + static int tries = 0; + static int error = 0; +-static ssh_channel chan=NULL; +-static char *username; ++static ssh_channel chan = NULL; ++static char *username = NULL; + static ssh_gssapi_creds client_creds = NULL; + + static int auth_password(ssh_session session, const char *user, +@@ -216,11 +216,12 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_event mainloop; +- ssh_session client_session; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_event mainloop = NULL; ++ ssh_session client_session = NULL; + + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, +@@ -231,7 +232,7 @@ int main(int argc, char **argv){ + + char buf[BUF_SIZE]; + char host[128]=""; +- char *ptr; ++ char *ptr = NULL; + int i,r, rc; + + sshbind=ssh_bind_new(); +@@ -348,4 +349,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/samplesshd-cb.c b/examples/samplesshd-cb.c +index e5b4899..693b040 100644 +--- a/examples/samplesshd-cb.c ++++ b/examples/samplesshd-cb.c +@@ -257,10 +257,11 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_event mainloop; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_event mainloop = NULL; + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, + .auth_none_function = auth_none, +@@ -353,4 +354,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/samplesshd-kbdint.c b/examples/samplesshd-kbdint.c +index 6608306..141088c 100644 +--- a/examples/samplesshd-kbdint.c ++++ b/examples/samplesshd-kbdint.c +@@ -187,8 +187,8 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-static const char *name; +-static const char *instruction; ++static const char *name = NULL; ++static const char *instruction = NULL; + static const char *prompts[2]; + static char echo[] = { 1, 0 }; + +@@ -292,11 +292,12 @@ static int authenticate(ssh_session session) { + return 0; + } + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_message message; +- ssh_channel chan=0; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_message message = NULL; ++ ssh_channel chan = NULL; + char buf[BUF_SIZE]; + int auth=0; + int shell=0; +@@ -426,4 +427,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/scp_download.c b/examples/scp_download.c +index e6c1e79..dcaa2cb 100644 +--- a/examples/scp_download.c ++++ b/examples/scp_download.c +@@ -108,7 +108,7 @@ static int fetch_files(ssh_session session){ + int size; + char buffer[BUF_SIZE]; + int mode; +- char *filename; ++ char *filename = NULL; + int r; + ssh_scp scp=ssh_scp_new(session, SSH_SCP_READ | SSH_SCP_RECURSIVE, "/tmp/libssh_tests/*"); + if(ssh_scp_init(scp) != SSH_OK){ +@@ -167,7 +167,7 @@ static int fetch_files(ssh_session session){ + } + + int main(int argc, char **argv){ +- ssh_session session; ++ ssh_session session = NULL; + if(opts(argc,argv)<0) + return EXIT_FAILURE; + session=connect_ssh(host,NULL,verbosity); +diff --git a/examples/senddata.c b/examples/senddata.c +index 21181fb..6dc8bbb 100644 +--- a/examples/senddata.c ++++ b/examples/senddata.c +@@ -6,8 +6,8 @@ + #define LIMIT 0x100000000UL + + int main(void) { +- ssh_session session; +- ssh_channel channel; ++ ssh_session session = NULL; ++ ssh_channel channel = NULL; + char buffer[1024*1024]; + int rc; + uint64_t total=0; +diff --git a/examples/ssh_client.c b/examples/ssh_client.c +index aaf0cb5..896890c 100644 +--- a/examples/ssh_client.c ++++ b/examples/ssh_client.c +@@ -53,7 +53,7 @@ static struct termios terminal; + + static char *pcap_file = NULL; + +-static char *proxycommand; ++static char *proxycommand = NULL; + + static int auth_callback(const char *prompt, + char *buf, +@@ -252,7 +252,7 @@ static void select_loop(ssh_session session,ssh_channel channel) + + static void shell(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + struct termios terminal_local; + int interactive=isatty(0); + +@@ -324,7 +324,7 @@ static void batch_shell(ssh_session session) + static int client(ssh_session session) + { + int auth = 0; +- char *banner; ++ char *banner = NULL; + int state; + + if (user) { +@@ -408,7 +408,7 @@ static void cleanup_pcap(void) + + int main(int argc, char **argv) + { +- ssh_session session; ++ ssh_session session = NULL; + + ssh_init(); + session = ssh_new(); +diff --git a/examples/sshd_direct-tcpip.c b/examples/sshd_direct-tcpip.c +index b0e2979..152377e 100644 +--- a/examples/sshd_direct-tcpip.c ++++ b/examples/sshd_direct-tcpip.c +@@ -358,7 +358,7 @@ my_fd_data_function(UNUSED_PARAM(socket_t fd), + { + struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata; + ssh_channel channel = event_fd_data->channel; +- ssh_session session; ++ ssh_session session = NULL; + int len, i, wr; + char buf[BUF_SIZE]; + int blocking; +@@ -452,8 +452,8 @@ open_tcp_socket(ssh_message msg) + { + struct sockaddr_in sin; + int forwardsock = -1; +- struct hostent *host; +- const char *dest_hostname; ++ struct hostent *host = NULL; ++ const char *dest_hostname = NULL; + int dest_port; + + forwardsock = socket(AF_INET, SOCK_STREAM, 0); +@@ -496,8 +496,8 @@ message_callback(UNUSED_PARAM(ssh_session session), + UNUSED_PARAM(void *userdata)) + { + ssh_channel channel; +- int socket_fd, *pFd; +- struct ssh_channel_callbacks_struct *cb_chan; ++ int socket_fd, *pFd = NULL; ++ struct ssh_channel_callbacks_struct *cb_chan = NULL; + struct event_fd_data_struct *event_fd_data; + + _ssh_log(SSH_LOG_PACKET, "=== message_callback", "Message type: %d", +@@ -665,8 +665,8 @@ static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + int + main(int argc, char **argv) + { +- ssh_session session; +- ssh_bind sshbind; ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, + .auth_password_function = auth_password, +diff --git a/examples/sshnetcat.c b/examples/sshnetcat.c +index 59b0a28..8a1153a 100644 +--- a/examples/sshnetcat.c ++++ b/examples/sshnetcat.c +@@ -39,7 +39,7 @@ clients must be made or how a client should react. + #define BUF_SIZE 4096 + #endif + +-char *host; ++char *host = NULL; + const char *desthost="localhost"; + const char *port="22"; + +@@ -193,7 +193,7 @@ static void forwarding(ssh_session session){ + + static int client(ssh_session session){ + int auth=0; +- char *banner; ++ char *banner = NULL; + int state; + + if (ssh_options_set(session, SSH_OPTIONS_HOST ,host) < 0) +@@ -246,7 +246,7 @@ void cleanup_pcap(void) + #endif + + int main(int argc, char **argv){ +- ssh_session session; ++ ssh_session session = NULL; + + session = ssh_new(); + +diff --git a/src/agent.c b/src/agent.c +index 6e3d7d7..c81b080 100644 +--- a/src/agent.c ++++ b/src/agent.c +@@ -424,8 +424,9 @@ ssh_key ssh_agent_get_first_ident(struct ssh_session_struct *session, + + /* caller has to free comment */ + ssh_key ssh_agent_get_next_ident(struct ssh_session_struct *session, +- char **comment) { +- struct ssh_key_struct *key; ++ char **comment) ++{ ++ struct ssh_key_struct *key = NULL; + struct ssh_string_struct *blob = NULL; + struct ssh_string_struct *tmp = NULL; + int rc; +@@ -494,10 +495,10 @@ ssh_string ssh_agent_sign_data(ssh_session session, + const ssh_key pubkey, + struct ssh_buffer_struct *data) + { +- ssh_buffer request; +- ssh_buffer reply; +- ssh_string key_blob; +- ssh_string sig_blob; ++ ssh_buffer request = NULL; ++ ssh_buffer reply = NULL; ++ ssh_string key_blob = NULL; ++ ssh_string sig_blob = NULL; + unsigned int type = 0; + unsigned int flags = 0; + uint32_t dlen; +diff --git a/src/auth.c b/src/auth.c +index 4feb655..9802231 100644 +--- a/src/auth.c ++++ b/src/auth.c +@@ -195,8 +195,9 @@ static int ssh_userauth_get_response(ssh_session session) + * + * This banner should be shown to user prior to authentication + */ +-SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) { +- ssh_string banner; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) ++{ ++ ssh_string banner = NULL; + (void)type; + (void)user; + +@@ -1398,7 +1399,7 @@ int ssh_userauth_agent_pubkey(ssh_session session, + const char *username, + ssh_public_key publickey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + key = ssh_key_new(); +diff --git a/src/bind.c b/src/bind.c +index a91e674..c331006 100644 +--- a/src/bind.c ++++ b/src/bind.c +@@ -74,7 +74,7 @@ + static socket_t bind_socket(ssh_bind sshbind, const char *hostname, + int port) { + char port_c[6]; +- struct addrinfo *ai; ++ struct addrinfo *ai = NULL; + struct addrinfo hints; + int opt = 1; + socket_t s; +@@ -132,8 +132,9 @@ static socket_t bind_socket(ssh_bind sshbind, const char *hostname, + return s; + } + +-ssh_bind ssh_bind_new(void) { +- ssh_bind ptr; ++ssh_bind ssh_bind_new(void) ++{ ++ ssh_bind ptr = NULL; + + ptr = calloc(1, sizeof(struct ssh_bind_struct)); + if (ptr == NULL) { +@@ -251,7 +252,7 @@ static int ssh_bind_import_keys(ssh_bind sshbind) { + } + + int ssh_bind_listen(ssh_bind sshbind) { +- const char *host; ++ const char *host = NULL; + socket_t fd; + int rc; + +@@ -475,7 +476,7 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd) + return SSH_ERROR; + } + } else { +- char *p; ++ char *p = NULL; + /* If something was set to the session prior to calling this + * function, keep only what is allowed by the options set in + * sshbind */ +diff --git a/src/bind_config.c b/src/bind_config.c +index 27c42c9..ed42cbe 100644 +--- a/src/bind_config.c ++++ b/src/bind_config.c +@@ -200,7 +200,7 @@ local_parse_file(ssh_bind bind, + uint8_t *seen, + unsigned int depth) + { +- FILE *f; ++ FILE *f = NULL; + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; + int rv; +@@ -626,7 +626,7 @@ int ssh_bind_config_parse_file(ssh_bind bind, const char *filename) + { + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; +- FILE *f; ++ FILE *f = NULL; + uint32_t parser_flags; + int rv; + +diff --git a/src/buffer.c b/src/buffer.c +index 8991e00..62fda33 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -371,7 +371,8 @@ int ssh_buffer_allocate_size(struct ssh_buffer_struct *buffer, + */ + void *ssh_buffer_allocate(struct ssh_buffer_struct *buffer, uint32_t len) + { +- void *ptr; ++ void *ptr = NULL; ++ + buffer_verify(buffer); + + if (buffer->used + len < len) { +@@ -925,7 +926,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, + va_list ap) + { + int rc = SSH_ERROR; +- const char *p; ++ const char *p = NULL; + union { + uint8_t byte; + uint16_t word; +@@ -934,7 +935,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, + ssh_string string; + void *data; + } o; +- char *cstring; ++ char *cstring = NULL; + bignum b; + size_t len; + size_t count; +@@ -1093,7 +1094,7 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, + va_list ap) + { + int rc = SSH_ERROR; +- const char *p = format, *last; ++ const char *p = format, *last = NULL; + union { + uint8_t *byte; + uint16_t *word; +diff --git a/src/callbacks.c b/src/callbacks.c +index 3ed2f11..6bfed62 100644 +--- a/src/callbacks.c ++++ b/src/callbacks.c +@@ -113,7 +113,7 @@ int ssh_add_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb) + + int ssh_remove_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + if (channel == NULL || channel->callbacks == NULL){ + return SSH_ERROR; +diff --git a/src/chachapoly.c b/src/chachapoly.c +index 2cd2385..354a0d2 100644 +--- a/src/chachapoly.c ++++ b/src/chachapoly.c +@@ -42,7 +42,7 @@ static int chacha20_set_encrypt_key(struct ssh_cipher_struct *cipher, + void *key, + void *IV) + { +- struct chacha20_poly1305_keysched *sched; ++ struct chacha20_poly1305_keysched *sched = NULL; + uint8_t *u8key = key; + (void)IV; + +diff --git a/src/channels.c b/src/channels.c +index f2fe39a..459246b 100644 +--- a/src/channels.c ++++ b/src/channels.c +@@ -165,7 +165,7 @@ uint32_t ssh_channel_new_id(ssh_session session) + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf){ + uint32_t channelid=0; +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + (void)type; + (void)user; +@@ -226,7 +226,7 @@ error: + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){ + +- ssh_channel channel; ++ ssh_channel channel = NULL; + char *error = NULL; + uint32_t code; + int rc; +@@ -386,7 +386,7 @@ end: + /* return channel with corresponding local id, or NULL if not found */ + ssh_channel ssh_channel_from_local(ssh_session session, uint32_t id) { + struct ssh_iterator *it; +- ssh_channel channel; ++ ssh_channel channel = NULL; + + for (it = ssh_list_get_iterator(session->channels); it != NULL ; it=it->next) { + channel = ssh_iterator_value(ssh_channel, it); +@@ -471,7 +471,7 @@ error: + */ + static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + uint32_t chan; + int rc; + +@@ -493,7 +493,7 @@ static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) + } + + SSH_PACKET_CALLBACK(channel_rcv_change_window) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + uint32_t bytes; + int rc; + (void)user; +@@ -632,7 +632,7 @@ SSH_PACKET_CALLBACK(channel_rcv_data){ + } + + SSH_PACKET_CALLBACK(channel_rcv_eof) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)user; + (void)type; + +@@ -676,8 +676,9 @@ static bool ssh_channel_has_unread_data(ssh_channel channel) + return false; + } + +-SSH_PACKET_CALLBACK(channel_rcv_close) { +- ssh_channel channel; ++SSH_PACKET_CALLBACK(channel_rcv_close) ++{ ++ ssh_channel channel = NULL; + (void)user; + (void)type; + +@@ -902,7 +903,7 @@ int channel_default_bufferize(ssh_channel channel, + void *data, uint32_t len, + bool is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + + if(channel == NULL) { + return -1; +@@ -1041,7 +1042,7 @@ int ssh_channel_open_auth_agent(ssh_channel channel) + int ssh_channel_open_forward(ssh_channel channel, const char *remotehost, + int remoteport, const char *sourcehost, int localport) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + ssh_string str = NULL; + int rc = SSH_ERROR; +@@ -1179,7 +1180,7 @@ error: + */ + void ssh_channel_free(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + + if (channel == NULL) { + return; +@@ -1280,7 +1281,7 @@ void ssh_channel_do_free(ssh_channel channel) + */ + int ssh_channel_send_eof(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + int rc = SSH_ERROR; + int err; + +@@ -1341,7 +1342,7 @@ error: + */ + int ssh_channel_close(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + int rc = 0; + + if(channel == NULL) { +@@ -1437,7 +1438,7 @@ static int channel_write_common(ssh_channel channel, + const void *data, + uint32_t len, int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + uint32_t origlen = len; + size_t effectivelen; + size_t maxpacketlen; +@@ -1694,7 +1695,7 @@ void ssh_channel_set_blocking(ssh_channel channel, int blocking) + * @brief handle a SSH_CHANNEL_SUCCESS packet and set the channel state. + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_success){ +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)type; + (void)user; + +@@ -1724,7 +1725,7 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_success){ + * @brief Handle a SSH_CHANNEL_FAILURE packet and set the channel state. + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_failure){ +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)type; + (void)user; + +@@ -1863,7 +1864,7 @@ error: + int ssh_channel_request_pty_size(ssh_channel channel, const char *terminal, + int col, int row) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer buffer = NULL; + int rc = SSH_ERROR; + +@@ -2174,7 +2175,7 @@ static ssh_channel ssh_channel_accept(ssh_session session, int channeltype, + #endif + ssh_message msg = NULL; + ssh_channel channel = NULL; +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + int t; + + /* +@@ -2838,7 +2839,7 @@ error: + int channel_read_buffer(ssh_channel channel, ssh_buffer buffer, uint32_t count, + int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + char *buffer_tmp = NULL; + int r; + uint32_t total=0; +@@ -2979,8 +2980,8 @@ int ssh_channel_read_timeout(ssh_channel channel, + int is_stderr, + int timeout_ms) + { +- ssh_session session; +- ssh_buffer stdbuf; ++ ssh_session session = NULL; ++ ssh_buffer stdbuf = NULL; + uint32_t len; + struct ssh_channel_read_termination_struct ctx; + int rc; +@@ -3103,7 +3104,7 @@ int ssh_channel_read_nonblocking(ssh_channel channel, + uint32_t count, + int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + uint32_t to_read; + int rc; + int blocking; +@@ -3213,8 +3214,8 @@ int ssh_channel_poll(ssh_channel channel, int is_stderr) + */ + int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr) + { +- ssh_session session; +- ssh_buffer stdbuf; ++ ssh_session session = NULL; ++ ssh_buffer stdbuf = NULL; + struct ssh_channel_read_termination_struct ctx; + size_t len; + int rc; +@@ -3341,7 +3342,7 @@ channel_protocol_select(ssh_channel *rchans, ssh_channel *wchans, + ssh_channel *echans, ssh_channel *rout, + ssh_channel *wout, ssh_channel *eout) + { +- ssh_channel chan; ++ ssh_channel chan = NULL; + int i; + int j = 0; + +@@ -3422,7 +3423,7 @@ static size_t count_ptrs(ssh_channel *ptrs) + int ssh_channel_select(ssh_channel *readchans, ssh_channel *writechans, + ssh_channel *exceptchans, struct timeval * timeout) + { +- ssh_channel *rchans, *wchans, *echans; ++ ssh_channel *rchans = NULL, *wchans = NULL, *echans = NULL; + ssh_channel dummy = NULL; + ssh_event event = NULL; + int rc; +@@ -3609,7 +3610,7 @@ int ssh_channel_write_stderr(ssh_channel channel, const void *data, uint32_t len + int ssh_channel_open_reverse_forward(ssh_channel channel, const char *remotehost, + int remoteport, const char *sourcehost, int localport) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + int rc = SSH_ERROR; + +@@ -3673,7 +3674,7 @@ error: + int ssh_channel_open_x11(ssh_channel channel, + const char *orig_addr, int orig_port) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + int rc = SSH_ERROR; + +diff --git a/src/client.c b/src/client.c +index e912090..0cfca1c 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -748,7 +748,7 @@ ssh_session_set_disconnect_message(ssh_session session, const char *message) + void + ssh_disconnect(ssh_session session) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + int rc; + + if (session == NULL) { +diff --git a/src/config.c b/src/config.c +index 273db7c..7447d64 100644 +--- a/src/config.c ++++ b/src/config.c +@@ -203,7 +203,7 @@ local_parse_file(ssh_session session, + unsigned int depth, + bool global) + { +- FILE *f; ++ FILE *f = NULL; + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; + int rv; +@@ -1201,7 +1201,7 @@ int ssh_config_parse_file(ssh_session session, const char *filename) + { + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; +- FILE *f; ++ FILE *f = NULL; + int parsing, rv; + bool global = 0; + +diff --git a/src/config_parser.c b/src/config_parser.c +index d4b2d2c..56374d9 100644 +--- a/src/config_parser.c ++++ b/src/config_parser.c +@@ -39,8 +39,8 @@ + */ + char *ssh_config_get_cmd(char **str) + { +- register char *c; +- char *r; ++ register char *c = NULL; ++ char *r = NULL; + + /* Ignore leading spaces */ + for (c = *str; *c; c++) { +@@ -67,7 +67,7 @@ out: + */ + char *ssh_config_get_token(char **str) + { +- register char *c; ++ register char *c = NULL; + bool had_equal = false; + char *r = NULL; + +@@ -116,7 +116,7 @@ out: + + long ssh_config_get_long(char **str, long notfound) + { +- char *p, *endp; ++ char *p = NULL, *endp = NULL; + long i; + + p = ssh_config_get_token(str); +@@ -133,7 +133,7 @@ long ssh_config_get_long(char **str, long notfound) + + const char *ssh_config_get_str_tok(char **str, const char *def) + { +- char *p; ++ char *p = NULL; + + p = ssh_config_get_token(str); + if (p && *p) { +@@ -145,7 +145,7 @@ const char *ssh_config_get_str_tok(char **str, const char *def) + + int ssh_config_get_yesno(char **str, int notfound) + { +- const char *p; ++ const char *p = NULL; + + p = ssh_config_get_str_tok(str, NULL); + if (p == NULL) { +diff --git a/src/connect.c b/src/connect.c +index 15cae64..2d09af5 100644 +--- a/src/connect.c ++++ b/src/connect.c +@@ -194,8 +194,8 @@ socket_t ssh_connect_host_nonblocking(ssh_session session, const char *host, + } + + if (bind_addr) { +- struct addrinfo *bind_ai; +- struct addrinfo *bind_itr; ++ struct addrinfo *bind_ai = NULL; ++ struct addrinfo *bind_itr = NULL; + + SSH_LOG(SSH_LOG_PACKET, "Resolving %s", bind_addr); + +diff --git a/src/connector.c b/src/connector.c +index 5671674..6632cca 100644 +--- a/src/connector.c ++++ b/src/connector.c +@@ -637,8 +637,9 @@ error: + return rc; + } + +-int ssh_connector_remove_event(ssh_connector connector) { +- ssh_session session; ++int ssh_connector_remove_event(ssh_connector connector) ++{ ++ ssh_session session = NULL; + + if (connector->in_poll != NULL) { + ssh_event_remove_poll(connector->event, connector->in_poll); +diff --git a/src/dh_crypto.c b/src/dh_crypto.c +index 9ff7ad3..4dd9b50 100644 +--- a/src/dh_crypto.c ++++ b/src/dh_crypto.c +@@ -404,7 +404,7 @@ done: + */ + int ssh_dh_init_common(struct ssh_crypto_struct *crypto) + { +- struct dh_ctx *ctx; ++ struct dh_ctx *ctx = NULL; + int rc; + + ctx = calloc(1, sizeof(*ctx)); +diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c +index 069b137..b674b2e 100644 +--- a/src/ecdh_crypto.c ++++ b/src/ecdh_crypto.c +@@ -415,14 +415,14 @@ int ecdh_build_k(ssh_session session) { + */ + SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){ + /* ECDH keys */ +- ssh_string q_c_string; +- ssh_string q_s_string; ++ ssh_string q_c_string = NULL; ++ ssh_string q_s_string = NULL; + /* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys + * https://github.com/openssl/openssl/pull/16624 + * #if OPENSSL_VERSION_NUMBER < 0x30000000L + */ + #if 1 +- EC_KEY *ecdh_key; ++ EC_KEY *ecdh_key = NULL; + const EC_GROUP *group; + const EC_POINT *ecdh_pubkey; + bignum_CTX ctx; +@@ -437,7 +437,7 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){ + const char *curve = NULL; + #endif /* OPENSSL_VERSION_NUMBER */ + /* SSH host keys (rsa,dsa,ecdsa) */ +- ssh_key privkey; ++ ssh_key privkey = NULL; + enum ssh_digest_e digest = SSH_DIGEST_AUTO; + ssh_string sig_blob = NULL; + ssh_string pubkey_blob = NULL; +diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c +index 3d9d426..a8a8c37 100644 +--- a/src/ecdh_gcrypt.c ++++ b/src/ecdh_gcrypt.c +@@ -132,9 +132,9 @@ int ecdh_build_k(ssh_session session) + #else + size_t k_len = 0; + enum ssh_key_exchange_e kex_type = session->next_crypto->kex_type; +- ssh_string s; ++ ssh_string s = NULL; + #endif +- ssh_string pubkey_raw; ++ ssh_string pubkey_raw = NULL; + gcry_sexp_t pubkey = NULL; + ssh_string privkey = NULL; + int rc = SSH_ERROR; +@@ -267,12 +267,12 @@ int ecdh_build_k(ssh_session session) + SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){ + gpg_error_t err; + /* ECDH keys */ +- ssh_string q_c_string; +- ssh_string q_s_string; ++ ssh_string q_c_string = NULL; ++ ssh_string q_s_string = NULL; + gcry_sexp_t param = NULL; + gcry_sexp_t key = NULL; + /* SSH host keys (rsa,dsa,ecdsa) */ +- ssh_key privkey; ++ ssh_key privkey = NULL; + enum ssh_digest_e digest = SSH_DIGEST_AUTO; + ssh_string sig_blob = NULL; + ssh_string pubkey_blob = NULL; +diff --git a/src/gcrypt_missing.c b/src/gcrypt_missing.c +index e931ec5..56dcfb6 100644 +--- a/src/gcrypt_missing.c ++++ b/src/gcrypt_missing.c +@@ -47,7 +47,7 @@ int ssh_gcry_dec2bn(bignum *bn, const char *data) { + + char *ssh_gcry_bn2dec(bignum bn) { + bignum bndup, num, ten; +- char *ret; ++ char *ret = NULL; + int count, count2; + int size, rsize; + char decnum; +diff --git a/src/getpass.c b/src/getpass.c +index 6be33c7..c19c4bc 100644 +--- a/src/getpass.c ++++ b/src/getpass.c +@@ -46,7 +46,7 @@ + */ + static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) + { +- char *tmp; ++ char *tmp = NULL; + char *ptr = NULL; + int ok = 0; + +@@ -78,7 +78,7 @@ static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) + } + + if (verify) { +- char *key_string; ++ char *key_string = NULL; + + key_string = calloc(1, len); + if (key_string == NULL) { +diff --git a/src/gssapi.c b/src/gssapi.c +index 5325ac7..fd7b25a 100644 +--- a/src/gssapi.c ++++ b/src/gssapi.c +@@ -196,7 +196,7 @@ ssh_gssapi_handle_userauth(ssh_session session, const char *user, + gss_name_t server_name; /* local server fqdn */ + OM_uint32 maj_stat, min_stat; + size_t i; +- char *ptr; ++ char *ptr = NULL; + gss_OID_set supported; /* oids supported by server */ + gss_OID_set both_supported; /* oids supported by both client and server */ + gss_OID_set selected; /* oid selected for authentication */ +@@ -341,7 +341,7 @@ static char *ssh_gssapi_name_to_char(gss_name_t name) + { + gss_buffer_desc buffer; + OM_uint32 maj_stat, min_stat; +- char *ptr; ++ char *ptr = NULL; + maj_stat = gss_display_name(&min_stat, name, &buffer, NULL); + ssh_gssapi_log_error(SSH_LOG_WARNING, + "converting name", +@@ -359,9 +359,10 @@ static char *ssh_gssapi_name_to_char(gss_name_t name) + + } + +-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){ +- ssh_string token; +- char *hexa; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server) ++{ ++ ssh_string token = NULL; ++ char *hexa = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + gss_name_t client_name = GSS_C_NO_NAME; +@@ -385,7 +386,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){ + } + + if (ssh_callbacks_exists(session->server_callbacks, gssapi_accept_sec_ctx_function)){ +- ssh_string out_token=NULL; ++ ssh_string out_token = NULL; + rc = session->server_callbacks->gssapi_accept_sec_ctx_function(session, + token, &out_token, session->server_callbacks->userdata); + if (rc == SSH_ERROR){ +@@ -507,7 +508,7 @@ static ssh_buffer ssh_gssapi_build_mic(ssh_session session) + + SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_mic) + { +- ssh_string mic_token; ++ ssh_string mic_token = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc mic_buf = GSS_C_EMPTY_BUFFER; + gss_buffer_desc mic_token_buf = GSS_C_EMPTY_BUFFER; +@@ -670,7 +671,7 @@ static int ssh_gssapi_match(ssh_session session, gss_OID_set *valid_oids) + gss_name_t client_id = GSS_C_NO_NAME; + gss_OID oid; + unsigned int i; +- char *ptr; ++ char *ptr = NULL; + int ret; + + if (session->gssapi->client.client_deleg_creds == NULL) { +@@ -866,11 +867,11 @@ static gss_OID ssh_gssapi_oid_from_string(ssh_string oid_s) + + SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){ + int rc; +- ssh_string oid_s; ++ ssh_string oid_s = NULL; + gss_uint32 maj_stat, min_stat; + gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; +- char *hexa; ++ char *hexa = NULL; + (void)type; + (void)user; + +@@ -987,10 +988,11 @@ static int ssh_gssapi_send_mic(ssh_session session) + return ssh_packet_send(session); + } + +-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){ ++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client) ++{ + int rc; +- ssh_string token; +- char *hexa; ++ ssh_string token = NULL; ++ char *hexa = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + (void)user; +diff --git a/src/kex.c b/src/kex.c +index fbc70cf..ecfc012 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -330,7 +330,7 @@ static int cmp_first_kex_algo(const char *client_str, + size_t client_kex_len; + size_t server_kex_len; + +- char *colon; ++ char *colon = NULL; + + int is_wrong = 1; + +@@ -762,7 +762,7 @@ char *ssh_client_select_hostkeys(ssh_session session) + int ssh_set_client_kex(ssh_session session) + { + struct ssh_kex_struct *client = &session->next_crypto->client_kex; +- const char *wanted; ++ const char *wanted = NULL; + int ok; + int i; + +diff --git a/src/known_hosts.c b/src/known_hosts.c +index 84e1557..f660a6f 100644 +--- a/src/known_hosts.c ++++ b/src/known_hosts.c +@@ -79,8 +79,8 @@ static struct ssh_tokens_st *ssh_get_knownhost_line(FILE **file, + const char **found_type) + { + char buffer[MAX_LINE_SIZE] = {0}; +- char *ptr; +- struct ssh_tokens_st *tokens; ++ char *ptr = NULL; ++ struct ssh_tokens_st *tokens = NULL; + + if (*file == NULL) { + *file = fopen(filename,"r"); +@@ -149,7 +149,7 @@ static struct ssh_tokens_st *ssh_get_knownhost_line(FILE **file, + static int check_public_key(ssh_session session, char **tokens) { + ssh_string pubkey_blob = NULL; + ssh_buffer pubkey_buffer; +- char *pubkey_64; ++ char *pubkey_64 = NULL; + int rc; + + /* ssh-dss or ssh-rsa */ +@@ -205,11 +205,11 @@ static int match_hashed_host(const char *host, const char *sourcehash) + * hash := HMAC_SHA1(key=salt,data=host) + */ + unsigned char buffer[256] = {0}; +- ssh_buffer salt; +- ssh_buffer hash; +- HMACCTX mac; +- char *source; +- char *b64hash; ++ ssh_buffer salt = NULL; ++ ssh_buffer hash = NULL; ++ HMACCTX mac = NULL; ++ char *source = NULL; ++ char *b64hash = NULL; + int match, rc; + size_t size; + +@@ -304,14 +304,14 @@ static int match_hashed_host(const char *host, const char *sourcehash) + int ssh_is_server_known(ssh_session session) + { + FILE *file = NULL; +- char *host; +- char *hostport; +- const char *type; ++ char *host = NULL; ++ char *hostport = NULL; ++ const char *type = NULL; + int match; + int i = 0; +- char *files[3]; ++ char *files[3] = {0}; + +- struct ssh_tokens_st *tokens; ++ struct ssh_tokens_st *tokens = NULL; + + int ret = SSH_SERVER_NOT_KNOWN; + +@@ -443,12 +443,13 @@ int ssh_is_server_known(ssh_session session) + * @deprecated Please use ssh_session_export_known_hosts_entry() + * @brief This function is deprecated. + */ +-char * ssh_dump_knownhost(ssh_session session) { ++char *ssh_dump_knownhost(ssh_session session) ++{ + ssh_key server_pubkey = NULL; +- char *host; +- char *hostport; +- char *buffer; +- char *b64_key; ++ char *host = NULL; ++ char *hostport = NULL; ++ char *buffer = NULL; ++ char *b64_key = NULL; + int rc; + + if (session->opts.host == NULL) { +@@ -513,9 +514,9 @@ char * ssh_dump_knownhost(ssh_session session) { + */ + int ssh_write_knownhost(ssh_session session) + { +- FILE *file; ++ FILE *file = NULL; + char *buffer = NULL; +- char *dir; ++ char *dir = NULL; + int rc; + + if (session->opts.knownhosts == NULL) { +diff --git a/src/knownhosts.c b/src/knownhosts.c +index 9f97809..109b4f0 100644 +--- a/src/knownhosts.c ++++ b/src/knownhosts.c +@@ -61,7 +61,7 @@ static int hash_hostname(const char *name, + size_t *hash_size) + { + int rc; +- HMACCTX mac_ctx; ++ HMACCTX mac_ctx = NULL; + + mac_ctx = hmac_init(salt, salt_size, SSH_HMAC_SHA1); + if (mac_ctx == NULL) { +@@ -81,8 +81,8 @@ static int hash_hostname(const char *name, + + static int match_hashed_hostname(const char *host, const char *hashed_host) + { +- char *hashed; +- char *b64_hash; ++ char *hashed = NULL; ++ char *b64_hash = NULL; + ssh_buffer salt = NULL; + ssh_buffer hash = NULL; + unsigned char hashed_buf[256] = {0}; +@@ -229,7 +229,7 @@ static int ssh_known_hosts_read_entries(const char *match, + char line[MAX_LINE_SIZE]; + size_t lineno = 0; + size_t len = 0; +- FILE *fp; ++ FILE *fp = NULL; + int rc; + + fp = fopen(filename, "r"); +@@ -288,7 +288,7 @@ static int ssh_known_hosts_read_entries(const char *match, + for (it = ssh_list_get_iterator(*entries); + it != NULL; + it = it->next) { +- struct ssh_knownhosts_entry *entry2; ++ struct ssh_knownhosts_entry *entry2 = NULL; + int cmp; + entry2 = ssh_iterator_value(struct ssh_knownhosts_entry *, it); + cmp = ssh_known_hosts_entries_compare(entry, entry2); +@@ -312,8 +312,8 @@ error: + + static char *ssh_session_get_host_port(ssh_session session) + { +- char *host_port; +- char *host; ++ char *host_port = NULL; ++ char *host = NULL; + + if (session->opts.host == NULL) { + ssh_set_error(session, +@@ -537,7 +537,7 @@ char *ssh_known_hosts_get_algorithms_names(ssh_session session) + char *host_port = NULL; + size_t count; + bool needcomma = false; +- char *names; ++ char *names = NULL; + + int rc; + +@@ -645,7 +645,7 @@ int ssh_known_hosts_parse_line(const char *hostname, + { + struct ssh_knownhosts_entry *e = NULL; + char *known_host = NULL; +- char *p; ++ char *p = NULL; + char *save_tok = NULL; + enum ssh_keytypes_e key_type; + int match = 0; +diff --git a/src/legacy.c b/src/legacy.c +index 7b165db..7359040 100644 +--- a/src/legacy.c ++++ b/src/legacy.c +@@ -48,7 +48,7 @@ int ssh_auth_list(ssh_session session) { + int ssh_userauth_offer_pubkey(ssh_session session, const char *username, + int type, ssh_string publickey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + (void) type; /* unused */ +@@ -70,7 +70,7 @@ int ssh_userauth_pubkey(ssh_session session, + ssh_string publickey, + ssh_private_key privatekey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + (void) publickey; /* unused */ +@@ -389,10 +389,11 @@ void publickey_free(ssh_public_key key) { + SAFE_FREE(key); + } + +-ssh_public_key publickey_from_privatekey(ssh_private_key prv) { +- struct ssh_public_key_struct *p; +- ssh_key privkey; +- ssh_key pubkey; ++ssh_public_key publickey_from_privatekey(ssh_private_key prv) ++{ ++ struct ssh_public_key_struct *p = NULL; ++ ssh_key privkey = NULL; ++ ssh_key pubkey = NULL; + int rc; + + privkey = ssh_key_new(); +@@ -434,8 +435,8 @@ ssh_private_key privatekey_from_file(ssh_session session, + const char *passphrase) { + ssh_auth_callback auth_fn = NULL; + void *auth_data = NULL; +- ssh_private_key privkey; +- ssh_key key; ++ ssh_private_key privkey = NULL; ++ ssh_key key = NULL; + int rc; + + (void) type; /* unused */ +@@ -510,7 +511,7 @@ void privatekey_free(ssh_private_key prv) { + + ssh_string publickey_from_file(ssh_session session, const char *filename, + int *type) { +- ssh_key key; ++ ssh_key key = NULL; + ssh_string key_str = NULL; + int rc; + +@@ -543,9 +544,10 @@ int ssh_type_from_name(const char *name) { + return ssh_key_type_from_name(name); + } + +-ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) { +- struct ssh_public_key_struct *pubkey; +- ssh_key key; ++ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) ++{ ++ struct ssh_public_key_struct *pubkey = NULL; ++ ssh_key key = NULL; + int rc; + + (void) session; /* unused */ +@@ -579,9 +581,10 @@ ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) { + return pubkey; + } + +-ssh_string publickey_to_string(ssh_public_key pubkey) { +- ssh_key key; +- ssh_string key_blob; ++ssh_string publickey_to_string(ssh_public_key pubkey) ++{ ++ ssh_key key = NULL; ++ ssh_string key_blob = NULL; + int rc; + + if (pubkey == NULL) { +@@ -624,11 +627,11 @@ int ssh_publickey_to_file(ssh_session session, + ssh_string pubkey, + int type) + { +- FILE *fp; +- char *user; ++ FILE *fp = NULL; ++ char *user = NULL; + char buffer[1024]; + char host[256]; +- unsigned char *pubkey_64; ++ unsigned char *pubkey_64 = NULL; + size_t len; + int rc; + if(session==NULL) +@@ -695,9 +698,9 @@ int ssh_try_publickey_from_file(ssh_session session, + const char *keyfile, + ssh_string *publickey, + int *type) { +- char *pubkey_file; ++ char *pubkey_file = NULL; + size_t len; +- ssh_string pubkey_string; ++ ssh_string pubkey_string = NULL; + int pubkey_type; + + if (session == NULL || keyfile == NULL || publickey == NULL || type == NULL) { +diff --git a/src/libmbedcrypto.c b/src/libmbedcrypto.c +index caa3b6e..422d5ae 100644 +--- a/src/libmbedcrypto.c ++++ b/src/libmbedcrypto.c +@@ -133,7 +133,7 @@ cipher_init(struct ssh_cipher_struct *cipher, + void *IV) + { + const mbedtls_cipher_info_t *cipher_info = NULL; +- mbedtls_cipher_context_t *ctx; ++ mbedtls_cipher_context_t *ctx = NULL; + size_t key_bitlen = 0; + size_t iv_size = 0; + int rc; +diff --git a/src/log.c b/src/log.c +index 5bae18b..fabbe94 100644 +--- a/src/log.c ++++ b/src/log.c +@@ -44,7 +44,7 @@ + + static LIBSSH_THREAD int ssh_log_level; + static LIBSSH_THREAD ssh_logging_callback ssh_log_cb; +-static LIBSSH_THREAD void *ssh_log_userdata; ++static LIBSSH_THREAD void *ssh_log_userdata = NULL; + + /** + * @defgroup libssh_log The SSH logging functions +diff --git a/src/messages.c b/src/messages.c +index 3f96953..54497fa 100644 +--- a/src/messages.c ++++ b/src/messages.c +@@ -478,8 +478,8 @@ static void ssh_message_queue(ssh_session session, ssh_message message) + * @returns The head message or NULL if it doesn't exist. + */ + ssh_message ssh_message_pop_head(ssh_session session){ +- ssh_message msg=NULL; +- struct ssh_iterator *i; ++ ssh_message msg = NULL; ++ struct ssh_iterator *i = NULL; + if(session->ssh_message_list == NULL) + return NULL; + i=ssh_list_get_iterator(session->ssh_message_list); +@@ -493,7 +493,7 @@ ssh_message ssh_message_pop_head(ssh_session session){ + /* Returns 1 if there is a message available */ + static int ssh_message_termination(void *s){ + ssh_session session = s; +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + if(session->session_state == SSH_SESSION_STATE_ERROR) + return 1; + it = ssh_list_get_iterator(session->ssh_message_list); +@@ -694,8 +694,8 @@ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session, + ssh_string algo) + { + struct ssh_crypto_struct *crypto = NULL; +- ssh_buffer buffer; +- ssh_string str=NULL; ++ ssh_buffer buffer = NULL; ++ ssh_string str = NULL; + int rc; + + crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_IN); +@@ -933,9 +933,9 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){ + #ifdef WITH_GSSAPI + if (strcmp(method, "gssapi-with-mic") == 0) { + uint32_t n_oid; +- ssh_string *oids; +- ssh_string oid; +- char *hexa; ++ ssh_string *oids = NULL; ++ ssh_string oid = NULL; ++ char *hexa = NULL; + int i; + ssh_buffer_get_u32(packet, &n_oid); + n_oid=ntohl(n_oid); +@@ -1019,7 +1019,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){ + SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){ + uint32_t nanswers; + uint32_t i; +- ssh_string tmp; ++ ssh_string tmp = NULL; + int rc; + + ssh_message msg = NULL; +@@ -1251,7 +1251,7 @@ end: + * @returns SSH_OK on success, SSH_ERROR if an error occurred. + */ + int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_channel chan) { +- ssh_session session; ++ ssh_session session = NULL; + int rc; + + if (msg == NULL) { +@@ -1302,7 +1302,7 @@ int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_c + * @returns NULL in case of error + */ + ssh_channel ssh_message_channel_request_open_reply_accept(ssh_message msg) { +- ssh_channel chan; ++ ssh_channel chan = NULL; + int rc; + + if (msg == NULL) { +diff --git a/src/misc.c b/src/misc.c +index 7081f12..f371f33 100644 +--- a/src/misc.c ++++ b/src/misc.c +@@ -393,7 +393,7 @@ int ssh_is_ipaddr(const char *str) + + char *ssh_lowercase(const char* str) + { +- char *new, *p; ++ char *new = NULL, *p = NULL; + + if (str == NULL) { + return NULL; +@@ -447,7 +447,7 @@ char *ssh_hostport(const char *host, int port) + char *ssh_get_hexa(const unsigned char *what, size_t len) + { + const char h[] = "0123456789abcdef"; +- char *hexa; ++ char *hexa = NULL; + size_t i; + size_t hlen = len * 3; + +@@ -716,7 +716,7 @@ struct ssh_list *ssh_list_new(void) + + void ssh_list_free(struct ssh_list *list) + { +- struct ssh_iterator *ptr, *next; ++ struct ssh_iterator *ptr = NULL, *next = NULL; + if (!list) + return; + ptr = list->root; +@@ -737,7 +737,7 @@ struct ssh_iterator *ssh_list_get_iterator(const struct ssh_list *list) + + struct ssh_iterator *ssh_list_find(const struct ssh_list *list, void *value) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + for (it = ssh_list_get_iterator(list); it != NULL ; it = it->next) + if (it->data == value) +@@ -826,7 +826,7 @@ int ssh_list_prepend(struct ssh_list *list, const void *data) + + void ssh_list_remove(struct ssh_list *list, struct ssh_iterator *iterator) + { +- struct ssh_iterator *ptr, *prev; ++ struct ssh_iterator *ptr = NULL, *prev = NULL; + + if (list == NULL) { + return; +@@ -967,7 +967,7 @@ char *ssh_dirname (const char *path) + char *ssh_basename (const char *path) + { + char *new = NULL; +- const char *s; ++ const char *s = NULL; + size_t len; + + if (path == NULL || *path == '\0') { +@@ -1105,8 +1105,8 @@ int ssh_mkdirs(const char *pathname, mode_t mode) + */ + char *ssh_path_expand_tilde(const char *d) + { +- char *h = NULL, *r; +- const char *p; ++ char *h = NULL, *r = NULL; ++ const char *p = NULL; + size_t ld; + size_t lh = 0; + +@@ -1121,7 +1121,7 @@ char *ssh_path_expand_tilde(const char *d) + #ifdef _WIN32 + return strdup(d); + #else +- struct passwd *pw; ++ struct passwd *pw = NULL; + size_t s = p - d; + char u[128]; + +@@ -1182,7 +1182,7 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) + char *buf = NULL; + char *r = NULL; + char *x = NULL; +- const char *p; ++ const char *p = NULL; + size_t i, l; + + r = ssh_path_expand_tilde(s); +@@ -1335,8 +1335,8 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) + */ + int ssh_analyze_banner(ssh_session session, int server) + { +- const char *banner; +- const char *openssh; ++ const char *banner = NULL; ++ const char *openssh = NULL; + + if (server) { + banner = session->clientbanner; +diff --git a/src/options.c b/src/options.c +index b3ecffe..9ff0436 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -67,7 +67,7 @@ + */ + int ssh_options_copy(ssh_session src, ssh_session *dest) + { +- ssh_session new; ++ ssh_session new = NULL; + struct ssh_iterator *it = NULL; + struct ssh_list *list = NULL; + char *id = NULL; +@@ -499,8 +499,8 @@ int ssh_options_set_algo(ssh_session session, + int ssh_options_set(ssh_session session, enum ssh_options_e type, + const void *value) + { +- const char *v; +- char *p, *q; ++ const char *v = NULL; ++ char *p = NULL, *q = NULL; + long int i; + unsigned int u; + int rc; +@@ -1164,7 +1164,7 @@ int ssh_options_get_port(ssh_session session, unsigned int* port_target) { + */ + int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value) + { +- char* src = NULL; ++ char *src = NULL; + + if (session == NULL) { + return SSH_ERROR; +@@ -1186,7 +1186,7 @@ int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value) + break; + } + case SSH_OPTIONS_IDENTITY: { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + it = ssh_list_get_iterator(session->opts.identity); + if (it == NULL) { + it = ssh_list_get_iterator(session->opts.identity_non_exp); +@@ -1439,7 +1439,7 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv) + */ + int ssh_options_parse_config(ssh_session session, const char *filename) + { +- char *expanded_filename; ++ char *expanded_filename = NULL; + int r; + + if (session == NULL) { +@@ -1485,7 +1485,7 @@ out: + + int ssh_options_apply(ssh_session session) + { +- char *tmp; ++ char *tmp = NULL; + int rc; + + if (session->opts.sshdir == NULL) { +@@ -1795,8 +1795,8 @@ int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type, + const void *value) + { + bool allowed; +- char *p, *q; +- const char *v; ++ char *p = NULL, *q = NULL; ++ const char *v = NULL; + int i, rc; + + if (sshbind == NULL) { +@@ -2198,7 +2198,7 @@ static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s) + char *buf = NULL; + char *r = NULL; + char *x = NULL; +- const char *p; ++ const char *p = NULL; + size_t i, l; + + r = ssh_path_expand_tilde(s); +@@ -2304,7 +2304,7 @@ static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s) + int ssh_bind_options_parse_config(ssh_bind sshbind, const char *filename) + { + int rc = 0; +- char *expanded_filename; ++ char *expanded_filename = NULL; + + if (sshbind == NULL) { + return -1; +diff --git a/src/packet.c b/src/packet.c +index ea73f9a..4b4d0dc 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -1430,8 +1430,8 @@ error: + static void ssh_packet_socket_controlflow_callback(int code, void *userdata) + { + ssh_session session = userdata; +- struct ssh_iterator *it; +- ssh_channel channel; ++ struct ssh_iterator *it = NULL; ++ ssh_channel channel = NULL; + + if (code == SSH_SOCKET_FLOW_WRITEWONTBLOCK) { + SSH_LOG(SSH_LOG_TRACE, "sending channel_write_wontblock callback"); +@@ -1894,7 +1894,7 @@ int ssh_packet_send(ssh_session session) + + /* We finished the key exchange so we can try to send our queue now */ + if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) { + /* reset packet sequence number when running in strict kex mode */ +diff --git a/src/packet_crypt.c b/src/packet_crypt.c +index fe3f489..96e9586 100644 +--- a/src/packet_crypt.c ++++ b/src/packet_crypt.c +@@ -262,7 +262,7 @@ int ssh_packet_hmac_verify(ssh_session session, + { + struct ssh_crypto_struct *crypto = NULL; + unsigned char hmacbuf[DIGEST_MAX_LEN] = {0}; +- HMACCTX ctx; ++ HMACCTX ctx = NULL; + size_t hmaclen = DIGEST_MAX_LEN; + uint32_t seq; + int cmp; +diff --git a/src/pki.c b/src/pki.c +index a7c84c5..33fc508 100644 +--- a/src/pki.c ++++ b/src/pki.c +@@ -369,7 +369,7 @@ enum ssh_digest_e ssh_key_hash_from_name(const char *name) + */ + int ssh_key_algorithm_allowed(ssh_session session, const char *type) + { +- const char *allowed_list; ++ const char *allowed_list = NULL; + + if (session->client) { + allowed_list = session->opts.pubkey_accepted_types; +@@ -729,7 +729,7 @@ int ssh_key_cmp(const ssh_key k1, + + ssh_signature ssh_signature_new(void) + { +- struct ssh_signature_struct *sig; ++ struct ssh_signature_struct *sig = NULL; + + sig = malloc(sizeof(struct ssh_signature_struct)); + if (sig == NULL) { +@@ -821,7 +821,7 @@ int ssh_pki_import_privkey_base64(const char *b64_key, + void *auth_data, + ssh_key *pkey) + { +- ssh_key key; ++ ssh_key key = NULL; + char *openssh_header = NULL; + + if (b64_key == NULL || pkey == NULL) { +@@ -944,8 +944,8 @@ int ssh_pki_import_privkey_file(const char *filename, + void *auth_data, + ssh_key *pkey) { + struct stat sb; +- char *key_buf; +- FILE *file; ++ char *key_buf = NULL; ++ FILE *file = NULL; + off_t size; + int rc; + char err_msg[SSH_ERRNO_MSG_MAX] = {0}; +@@ -1093,8 +1093,8 @@ int ssh_pki_export_privkey_file(const ssh_key privkey, + /* temporary function to migrate seamlessly to ssh_key */ + ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) + { +- ssh_public_key pub; +- ssh_key tmp; ++ ssh_public_key pub = NULL; ++ ssh_key tmp = NULL; + + if (key == NULL) { + return NULL; +@@ -1131,7 +1131,7 @@ ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) + + ssh_private_key ssh_pki_convert_key_to_privatekey(const ssh_key key) + { +- ssh_private_key privkey; ++ ssh_private_key privkey = NULL; + + privkey = calloc(1, sizeof(struct ssh_private_key_struct)); + if (privkey == NULL) { +@@ -1521,9 +1521,9 @@ static int pki_import_cert_buffer(ssh_buffer buffer, + enum ssh_keytypes_e type, + ssh_key *pkey) + { +- ssh_buffer cert; +- ssh_string tmp_s; +- const char *type_c; ++ ssh_buffer cert = NULL; ++ ssh_string tmp_s = NULL; ++ const char *type_c = NULL; + ssh_key key = NULL; + int rc; + +@@ -2067,7 +2067,7 @@ error: + int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey, + ssh_key *pkey) + { +- ssh_key pubkey; ++ ssh_key pubkey = NULL; + + if (privkey == NULL || !ssh_key_is_private(privkey)) { + return SSH_ERROR; +@@ -2105,7 +2105,7 @@ int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey, + int ssh_pki_export_pubkey_blob(const ssh_key key, + ssh_string *pblob) + { +- ssh_string blob; ++ ssh_string blob = NULL; + + if (key == NULL) { + return SSH_OK; +@@ -2135,8 +2135,8 @@ int ssh_pki_export_pubkey_blob(const ssh_key key, + int ssh_pki_export_pubkey_base64(const ssh_key key, + char **b64_key) + { +- ssh_string key_blob; +- unsigned char *b64; ++ ssh_string key_blob = NULL; ++ unsigned char *b64 = NULL; + + if (key == NULL || b64_key == NULL) { + return SSH_ERROR; +@@ -2175,9 +2175,9 @@ int ssh_pki_export_pubkey_file(const ssh_key key, + { + char key_buf[MAX_LINE_SIZE]; + char host[256]; +- char *b64_key; +- char *user; +- FILE *fp; ++ char *b64_key = NULL; ++ char *user = NULL; ++ FILE *fp = NULL; + int rc; + + if (key == NULL || filename == NULL || *filename == '\0') { +@@ -2238,7 +2238,7 @@ int ssh_pki_export_pubkey_file(const ssh_key key, + * @returns SSH_OK on success, SSH_ERROR otherwise. + **/ + int ssh_pki_copy_cert_to_privkey(const ssh_key certkey, ssh_key privkey) { +- ssh_buffer cert_buffer; ++ ssh_buffer cert_buffer = NULL; + int rc; + + if (certkey == NULL || privkey == NULL) { +@@ -2273,7 +2273,7 @@ int ssh_pki_export_signature_blob(const ssh_signature sig, + ssh_string *sig_blob) + { + ssh_buffer buf = NULL; +- ssh_string str; ++ ssh_string str = NULL; + int rc; + + if (sig == NULL || sig_blob == NULL) { +@@ -2337,7 +2337,7 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob, + enum ssh_keytypes_e type; + enum ssh_digest_e hash_type; + ssh_string algorithm = NULL, blob = NULL; +- ssh_buffer buf; ++ ssh_buffer buf = NULL; + const char *alg = NULL; + uint8_t flags = 0; + uint32_t counter = 0; +@@ -2697,9 +2697,9 @@ ssh_string ssh_pki_do_sign_agent(ssh_session session, + const ssh_key pubkey) + { + struct ssh_crypto_struct *crypto = NULL; +- ssh_string session_id; +- ssh_string sig_blob; +- ssh_buffer sig_buf; ++ ssh_string session_id = NULL; ++ ssh_string sig_blob = NULL; ++ ssh_buffer sig_buf = NULL; + int rc; + + crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_BOTH); +diff --git a/src/pki_container_openssh.c b/src/pki_container_openssh.c +index 4314c5b..e32326b 100644 +--- a/src/pki_container_openssh.c ++++ b/src/pki_container_openssh.c +@@ -234,12 +234,12 @@ ssh_pki_openssh_import(const char *text_key, + bool private) + { + const char *ptr = text_key; +- const char *end; +- char *base64; ++ const char *end = NULL; ++ char *base64 = NULL; + int cmp; + int rc; + int i; +- ssh_buffer buffer = NULL, privkey_buffer=NULL; ++ ssh_buffer buffer = NULL, privkey_buffer = NULL; + char *magic = NULL, *ciphername = NULL, *kdfname = NULL; + uint32_t nkeys = 0, checkint1 = 0, checkint2 = 0xFFFF; + ssh_string kdfoptions = NULL; +@@ -536,16 +536,16 @@ ssh_string ssh_pki_openssh_privkey_export(const ssh_key privkey, + ssh_auth_callback auth_fn, + void *auth_data) + { +- ssh_buffer buffer; ++ ssh_buffer buffer= NULL; + ssh_string str = NULL; +- ssh_string pubkey_s=NULL; ++ ssh_string pubkey_s = NULL; + ssh_buffer privkey_buffer = NULL; + uint32_t rnd; + uint32_t rounds = 16; +- ssh_string salt=NULL; +- ssh_string kdf_options=NULL; ++ ssh_string salt = NULL; ++ ssh_string kdf_options = NULL; + int to_encrypt=0; +- unsigned char *b64; ++ unsigned char *b64 = NULL; + uint32_t str_len, len; + uint8_t padding = 1; + int ok; +diff --git a/src/pki_crypto.c b/src/pki_crypto.c +index 5b0d7de..6050993 100644 +--- a/src/pki_crypto.c ++++ b/src/pki_crypto.c +@@ -382,7 +382,7 @@ int pki_pubkey_build_ecdsa(ssh_key key, int nid, ssh_string e) + #else + int rc; + const char *group_name = OSSL_EC_curve_nid2name(nid); +- OSSL_PARAM_BLD *param_bld; ++ OSSL_PARAM_BLD *param_bld = NULL; + #endif /* OPENSSL_VERSION_NUMBER */ + + key->ecdsa_nid = nid; +@@ -2297,7 +2297,7 @@ static ssh_string pki_ecdsa_signature_to_blob(const ssh_signature sig) + const unsigned char *raw_sig_data = NULL; + size_t raw_sig_len; + +- ECDSA_SIG *ecdsa_sig; ++ ECDSA_SIG *ecdsa_sig = NULL; + + int rc; + +@@ -2614,8 +2614,8 @@ static int pki_signature_from_ecdsa_blob(UNUSED_PARAM(const ssh_key pubkey), + ECDSA_SIG *ecdsa_sig = NULL; + BIGNUM *pr = NULL, *ps = NULL; + +- ssh_string r; +- ssh_string s; ++ ssh_string r = NULL; ++ ssh_string s = NULL; + + ssh_buffer buf = NULL; + uint32_t rlen; +diff --git a/src/pki_ed25519.c b/src/pki_ed25519.c +index 6a5a4a8..0674fb6 100644 +--- a/src/pki_ed25519.c ++++ b/src/pki_ed25519.c +@@ -62,7 +62,7 @@ int pki_ed25519_sign(const ssh_key privkey, + size_t hlen) + { + int rc; +- uint8_t *buffer; ++ uint8_t *buffer = NULL; + uint64_t dlen = 0; + + buffer = malloc(hlen + ED25519_SIG_LEN); +@@ -104,8 +104,8 @@ int pki_ed25519_verify(const ssh_key pubkey, + size_t hlen) + { + uint64_t mlen = 0; +- uint8_t *buffer; +- uint8_t *buffer2; ++ uint8_t *buffer = NULL; ++ uint8_t *buffer2 = NULL; + int rc; + + if (pubkey == NULL || sig == NULL || +diff --git a/src/pki_ed25519_common.c b/src/pki_ed25519_common.c +index bdc6f6b..59a3b03 100644 +--- a/src/pki_ed25519_common.c ++++ b/src/pki_ed25519_common.c +@@ -213,7 +213,7 @@ int pki_ed25519_public_key_to_blob(ssh_buffer buffer, ssh_key key) + */ + ssh_string pki_ed25519_signature_to_blob(ssh_signature sig) + { +- ssh_string sig_blob; ++ ssh_string sig_blob = NULL; + int rc; + + #ifdef HAVE_OPENSSL_ED25519 +diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c +index 418a46b..9fa3ab5 100644 +--- a/src/pki_gcrypt.c ++++ b/src/pki_gcrypt.c +@@ -121,7 +121,7 @@ static uint32_t asn1_get_len(ssh_buffer buffer) { + } + + static ssh_string asn1_get(ssh_buffer buffer, unsigned char want) { +- ssh_string str; ++ ssh_string str = NULLh; + unsigned char type; + uint32_t size; + +@@ -152,7 +152,7 @@ static ssh_string asn1_get_int(ssh_buffer buffer) { + + static ssh_string asn1_get_bit_string(ssh_buffer buffer) + { +- ssh_string str; ++ ssh_string str = NULL; + unsigned char type; + uint32_t size; + unsigned char unused, last, *p; +@@ -1882,9 +1882,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) + case SSH_KEYTYPE_ECDSA_P521: + #ifdef HAVE_GCRYPT_ECC + { +- ssh_string R; +- ssh_string S; +- ssh_buffer b; ++ ssh_string R = NULL; ++ ssh_string S = NULL; ++ ssh_buffer b = NULL; + + b = ssh_buffer_new(); + if (b == NULL) { +@@ -2054,8 +2054,8 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, + case SSH_KEYTYPE_SK_ECDSA: + #ifdef HAVE_GCRYPT_ECC + { /* build ecdsa siganature */ +- ssh_buffer b; +- ssh_string r, s; ++ ssh_buffer b = NULL; ++ ssh_string r = NULL, s = NULL; + uint32_t rlen; + + b = ssh_buffer_new(); +diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c +index cb9d322..0181370 100644 +--- a/src/pki_mbedcrypto.c ++++ b/src/pki_mbedcrypto.c +@@ -1078,9 +1078,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: { +- ssh_string r; +- ssh_string s; +- ssh_buffer b; ++ ssh_string r = NULL; ++ ssh_string s = NULL; ++ ssh_buffer b = NULL; + int rc; + + b = ssh_buffer_new(); +@@ -1234,9 +1234,9 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: + case SSH_KEYTYPE_SK_ECDSA: { +- ssh_buffer b; +- ssh_string r; +- ssh_string s; ++ ssh_buffer b = NULL; ++ ssh_string r = NULL; ++ ssh_string s = NULL; + size_t rlen; + + b = ssh_buffer_new(); +diff --git a/src/poll.c b/src/poll.c +index 828f5e0..a4a104c 100644 +--- a/src/poll.c ++++ b/src/poll.c +@@ -560,8 +560,8 @@ void ssh_poll_ctx_free(ssh_poll_ctx ctx) + + static int ssh_poll_ctx_resize(ssh_poll_ctx ctx, size_t new_size) + { +- ssh_poll_handle *pollptrs; +- ssh_pollfd_t *pollfds; ++ ssh_poll_handle *pollptrs = NULL; ++ ssh_pollfd_t *pollfds = NULL; + + pollptrs = realloc(ctx->pollptrs, sizeof(ssh_poll_handle) * new_size); + if (pollptrs == NULL) { +@@ -855,7 +855,7 @@ ssh_event_add_fd(ssh_event event, socket_t fd, short events, + ssh_event_callback cb, void *userdata) + { + ssh_poll_handle p; +- struct ssh_event_fd_wrapper *pw; ++ struct ssh_event_fd_wrapper *pw = NULL; + + if(event == NULL || event->ctx == NULL || cb == NULL + || fd == SSH_INVALID_SOCKET) { +@@ -925,7 +925,7 @@ int ssh_event_add_session(ssh_event event, ssh_session session) + { + ssh_poll_handle p; + #ifdef WITH_SERVER +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + #endif + + if(event == NULL || event->ctx == NULL || session == NULL) { +@@ -1072,7 +1072,7 @@ int ssh_event_remove_session(ssh_event event, ssh_session session) + register size_t i, used; + int rc = SSH_ERROR; + #ifdef WITH_SERVER +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + #endif + + if (event == NULL || event->ctx == NULL || session == NULL) { +diff --git a/src/server.c b/src/server.c +index cf54d0c..a8e3ac8 100644 +--- a/src/server.c ++++ b/src/server.c +@@ -85,8 +85,8 @@ int server_set_kex(ssh_session session) + { + struct ssh_kex_struct *server = &session->next_crypto->server_kex; + int i, j, rc; +- const char *wanted, *allowed; +- char *kept; ++ const char *wanted = NULL, *allowed = NULL; ++ char *kept = NULL; + char hostkeys[128] = {0}; + enum ssh_keytypes_e keytype; + size_t len; +@@ -219,9 +219,10 @@ int ssh_server_init_kex(ssh_session session) { + return server_set_kex(session); + } + +-static int ssh_server_send_extensions(ssh_session session) { ++static int ssh_server_send_extensions(ssh_session session) ++{ + int rc; +- const char *hostkey_algorithms; ++ const char *hostkey_algorithms = NULL; + + SSH_LOG(SSH_LOG_PACKET, "Sending SSH_MSG_EXT_INFO"); + +@@ -286,8 +287,8 @@ ssh_get_key_params(ssh_session session, + ssh_key *privkey, + enum ssh_digest_e *digest) + { +- ssh_key pubkey; +- ssh_string pubkey_blob; ++ ssh_key pubkey = NULL; ++ ssh_string pubkey_blob = NULL; + int rc; + + switch(session->srv.hostkey) { +@@ -722,8 +723,9 @@ static int ssh_message_service_request_reply_default(ssh_message msg) { + * + * @returns SSH_OK when success otherwise SSH_ERROR + */ +-int ssh_message_service_reply_success(ssh_message msg) { +- ssh_session session; ++int ssh_message_service_reply_success(ssh_message msg) ++{ ++ ssh_session session = NULL; + int rc; + + if (msg == NULL) { +@@ -1131,8 +1133,9 @@ int ssh_message_auth_reply_pk_ok(ssh_message msg, ssh_string algo, ssh_string pu + * + * @returns SSH_OK on success, otherwise SSH_ERROR + */ +-int ssh_message_auth_reply_pk_ok_simple(ssh_message msg) { +- ssh_string algo; ++int ssh_message_auth_reply_pk_ok_simple(ssh_message msg) ++{ ++ ssh_string algo = NULL; + ssh_string pubkey_blob = NULL; + int ret; + +diff --git a/src/session.c b/src/session.c +index 6e1432a..cb45a2f 100644 +--- a/src/session.c ++++ b/src/session.c +@@ -58,7 +58,7 @@ + */ + ssh_session ssh_new(void) + { +- ssh_session session; ++ ssh_session session = NULL; + char *id = NULL; + int rc; + +@@ -280,7 +280,7 @@ void ssh_free(ssh_session session) + + /* options */ + if (session->opts.identity) { +- char *id; ++ char *id = NULL; + + for (id = ssh_list_pop_head(char *, session->opts.identity); + id != NULL; +@@ -291,7 +291,7 @@ void ssh_free(ssh_session session) + } + + if (session->opts.identity_non_exp) { +- char *id; ++ char *id = NULL; + + for (id = ssh_list_pop_head(char *, session->opts.identity_non_exp); + id != NULL; +@@ -1153,7 +1153,7 @@ int ssh_get_publickey_hash(const ssh_key key, + unsigned char **hash, + size_t *hlen) + { +- ssh_string blob; ++ ssh_string blob = NULL; + unsigned char *h = NULL; + int rc; + +@@ -1165,7 +1165,7 @@ int ssh_get_publickey_hash(const ssh_key key, + switch (type) { + case SSH_PUBLICKEY_HASH_SHA1: + { +- SHACTX ctx; ++ SHACTX ctx = NULL; + + h = calloc(1, SHA_DIGEST_LEN); + if (h == NULL) { +@@ -1197,7 +1197,7 @@ int ssh_get_publickey_hash(const ssh_key key, + break; + case SSH_PUBLICKEY_HASH_SHA256: + { +- SHA256CTX ctx; ++ SHA256CTX ctx = NULL; + + h = calloc(1, SHA256_DIGEST_LEN); + if (h == NULL) { +@@ -1229,7 +1229,7 @@ int ssh_get_publickey_hash(const ssh_key key, + break; + case SSH_PUBLICKEY_HASH_MD5: + { +- MD5CTX ctx; ++ MD5CTX ctx = NULL; + + /* In FIPS mode, we cannot use MD5 */ + if (ssh_fips_mode()) { +diff --git a/src/sftpserver.c b/src/sftpserver.c +index b3349e1..528ef6f 100644 +--- a/src/sftpserver.c ++++ b/src/sftpserver.c +@@ -299,8 +299,8 @@ void sftp_client_message_free(sftp_client_message msg) { + + int sftp_reply_name(sftp_client_message msg, const char *name, + sftp_attributes attr) { +- ssh_buffer out; +- ssh_string file; ++ ssh_buffer out = NULL; ++ ssh_string file = NULL; + + out = ssh_buffer_new(); + if (out == NULL) { +@@ -369,7 +369,7 @@ int sftp_reply_attr(sftp_client_message msg, sftp_attributes attr) { + + int sftp_reply_names_add(sftp_client_message msg, const char *file, + const char *longname, sftp_attributes attr) { +- ssh_string name; ++ ssh_string name = NULL; + + name = ssh_string_from_char(file); + if (name == NULL) { +@@ -435,8 +435,8 @@ int sftp_reply_names(sftp_client_message msg) { + + int sftp_reply_status(sftp_client_message msg, uint32_t status, + const char *message) { +- ssh_buffer out; +- ssh_string s; ++ ssh_buffer out = NULL; ++ ssh_string s = NULL; + + out = ssh_buffer_new(); + if (out == NULL) { +@@ -492,7 +492,7 @@ int sftp_reply_data(sftp_client_message msg, const void *data, int len) { + * valid info (or worse). + */ + ssh_string sftp_handle_alloc(sftp_session sftp, void *info) { +- ssh_string ret; ++ ssh_string ret = NULL; + uint32_t val; + uint32_t i; + +diff --git a/src/string.c b/src/string.c +index 4440348..670c2f3 100644 +--- a/src/string.c ++++ b/src/string.c +@@ -180,7 +180,7 @@ const char *ssh_string_get_char(struct ssh_string_struct *s) + */ + char *ssh_string_to_char(struct ssh_string_struct *s) { + size_t len; +- char *new; ++ char *new = NULL; + + if (s == NULL) { + return NULL; +@@ -219,7 +219,7 @@ void ssh_string_free_char(char *s) { + * @return Newly allocated copy of the string, NULL on error. + */ + struct ssh_string_struct *ssh_string_copy(struct ssh_string_struct *s) { +- struct ssh_string_struct *new; ++ struct ssh_string_struct *new = NULL; + size_t len; + + if (s == NULL) { +diff --git a/src/threads/winlocks.c b/src/threads/winlocks.c +index da60041..e63635e 100644 +--- a/src/threads/winlocks.c ++++ b/src/threads/winlocks.c +@@ -82,7 +82,7 @@ static struct ssh_threads_callbacks_struct ssh_threads_winlock = + + void ssh_mutex_lock(SSH_MUTEX *mutex) + { +- void *rc; ++ void *rc = NULL; + + CRITICAL_SECTION *mutex_tmp = NULL; + +diff --git a/src/wrapper.c b/src/wrapper.c +index d317dc4..43bf213 100644 +--- a/src/wrapper.c ++++ b/src/wrapper.c +@@ -152,7 +152,7 @@ static void cipher_free(struct ssh_cipher_struct *cipher) { + + struct ssh_crypto_struct *crypto_new(void) + { +- struct ssh_crypto_struct *crypto; ++ struct ssh_crypto_struct *crypto = NULL; + + crypto = malloc(sizeof(struct ssh_crypto_struct)); + if (crypto == NULL) { +-- +2.33.0 + diff --git a/backport-0023-CVE-2025-4878-Properly-check-ret-to-avoid-NULL-dereference.patch b/backport-0023-CVE-2025-4878-Properly-check-ret-to-avoid-NULL-dereference.patch new file mode 100644 index 0000000..2812885 --- /dev/null +++ b/backport-0023-CVE-2025-4878-Properly-check-ret-to-avoid-NULL-dereference.patch @@ -0,0 +1,31 @@ +From 8dc29f140be33b34e6e4a0c228bdce18eb610441 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 28 Apr 2025 11:04:55 +0200 +Subject: CVE-2025-4878 legacy: Properly check return value to avoid NULL + pointer dereference + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +Conflict:NA +Reference:https://git.libssh.org/projects/libssh.git/patch/?id=8dc29f140be33b34e6e4a0c228bdce18eb610441 +--- + src/legacy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/legacy.c b/src/legacy.c +index 7b165db..c853cb3 100644 +--- a/src/legacy.c ++++ b/src/legacy.c +@@ -451,7 +451,7 @@ ssh_private_key privatekey_from_file(ssh_session session, + auth_fn, + auth_data, + &key); +- if (rc == SSH_ERROR) { ++ if (rc != SSH_OK) { + return NULL; + } + +-- +2.33.0 + diff --git a/backport-0024-CVE-2025-5351-avoid-double-free-on-low-memory-conditions.patch b/backport-0024-CVE-2025-5351-avoid-double-free-on-low-memory-conditions.patch new file mode 100644 index 0000000..e246076 --- /dev/null +++ b/backport-0024-CVE-2025-5351-avoid-double-free-on-low-memory-conditions.patch @@ -0,0 +1,46 @@ +From acb158e8277adad473ed32ea1640a3d0b70d733b Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 6 May 2025 22:43:31 +0200 +Subject: CVE-2025-5351 pki_crypto: Avoid double-free on low-memory +conditions + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +Conflict:set params to NULL after all OSSL_PARAM_free(params) +Reference:https://git.libssh.org/projects/libssh.git/patch/?id=acb158e8277adad473ed32ea1640a3d0b70d733b +--- + src/pki_crypto.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/pki_crypto.c b/src/pki_crypto.c +index 5b0d7de..1c91d1e 100644 +--- a/src/pki_crypto.c ++++ b/src/pki_crypto.c +@@ -1962,6 +1962,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key) + bignum_safe_free(bg); + bignum_safe_free(bpub_key); + OSSL_PARAM_free(params); ++ params = NULL; + #endif /* OPENSSL_VERSION_NUMBER */ + + break; +@@ -2023,6 +2024,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key) + bignum_safe_free(bn); + bignum_safe_free(be); + OSSL_PARAM_free(params); ++ params = NULL; + #endif /* OPENSSL_VERSION_NUMBER */ + break; + } +@@ -2193,6 +2195,7 @@ fail: + bignum_safe_free(bn); + bignum_safe_free(be); + OSSL_PARAM_free(params); ++ params = NULL; + #endif /* OPENSSL_VERSION_NUMBER */ + + return NULL; +-- +2.33.0 + diff --git a/backport-0025-CVE-2025-5987-correctly-detect-failures-of-chacha-init.patch b/backport-0025-CVE-2025-5987-correctly-detect-failures-of-chacha-init.patch new file mode 100644 index 0000000..0abb2a9 --- /dev/null +++ b/backport-0025-CVE-2025-5987-correctly-detect-failures-of-chacha-init.patch @@ -0,0 +1,34 @@ +From bc4804aa9bb1092a4ede288cb29cae4506c0e393 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 6 May 2025 22:51:41 +0200 +Subject: CVE-2025-5987 libcrypto: Correctly detect failures of chacha + initialization + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +Conflict:NA +Reference:https://git.libssh.org/projects/libssh.git/patch/?id=bc4804aa9bb1092a4ede288cb29cae4506c0e393 +--- + src/libcrypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libcrypto.c b/src/libcrypto.c +index 4f945d9..911b363 100644 +--- a/src/libcrypto.c ++++ b/src/libcrypto.c +@@ -777,9 +777,9 @@ chacha20_poly1305_set_key(struct ssh_cipher_struct *cipher, + SSH_LOG(SSH_LOG_WARNING, "EVP_CIPHER_CTX_new failed"); + goto out; + } +- ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL, ++ rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL, + u8key + CHACHA20_KEYLEN, NULL); +- if (ret != 1) { ++ if (rv != 1) { + SSH_LOG(SSH_LOG_WARNING, "EVP_CipherInit failed"); + goto out; + } +-- +2.33.0 + diff --git a/backport-0026-CVE-2025-5372-Simplify-error-checking-in-ssh_kdf.patch b/backport-0026-CVE-2025-5372-Simplify-error-checking-in-ssh_kdf.patch new file mode 100644 index 0000000..dbeb1ac --- /dev/null +++ b/backport-0026-CVE-2025-5372-Simplify-error-checking-in-ssh_kdf.patch @@ -0,0 +1,150 @@ +From e2afe196d8d77c42b2a764ae86f92c2964221f69 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 14 May 2025 14:07:58 +0200 +Subject: CVE-2025-5372 libgcrypto: Simplify error checking and handling +of + return codes in ssh_kdf() + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +Conflict:NA +Reference:https://git.libssh.org/projects/libssh.git/patch/?id=e2afe196d8d77c42b2a764ae86f92c2964221f69 +--- + src/libcrypto.c | 63 ++++++++++++++++++++++--------------------------- + 1 file changed, 28 insertions(+), 35 deletions(-) + +diff --git a/src/libcrypto.c b/src/libcrypto.c +index 4f945d9..2815e2b 100644 +--- a/src/libcrypto.c ++++ b/src/libcrypto.c +@@ -163,7 +163,7 @@ int ssh_kdf(struct ssh_crypto_struct *crypto, + uint8_t key_type, unsigned char *output, + size_t requested_len) + { +- int rc = -1; ++ int ret = SSH_ERROR, rv; + #if OPENSSL_VERSION_NUMBER < 0x30000000L + EVP_KDF_CTX *ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF); + #else +@@ -185,90 +185,83 @@ int ssh_kdf(struct ssh_crypto_struct *crypto, + } + + #if OPENSSL_VERSION_NUMBER < 0x30000000L +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, + sshkdf_digest_to_md(crypto->digest_type)); +- if (rc != 1) { ++ if (rv != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len); +- if (rc != 1) { ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, key_len); ++ if (rv != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, + crypto->secret_hash, crypto->digest_len); +- if (rc != 1) { ++ if (rv != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type); +- if (rc != 1) { ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, key_type); ++ if (rv != 1) { + goto out; + } +- rc = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, ++ rv = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, + crypto->session_id, crypto->session_id_len); +- if (rc != 1) { ++ if (rv != 1) { + goto out; + } +- rc = EVP_KDF_derive(ctx, output, requested_len); +- if (rc != 1) { ++ rv = EVP_KDF_derive(ctx, output, requested_len); ++ if (rv != 1) { + goto out; + } + #else +- rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST, ++ rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST, + md, strlen(md)); +- if (rc != 1) { +- rc = -1; ++ if (rv != 1) { + goto out; + } +- rc = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY, ++ rv = OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY, + key, key_len); +- if (rc != 1) { +- rc = -1; ++ if (rv != 1) { + goto out; + } +- rc = OSSL_PARAM_BLD_push_octet_string(param_bld, ++ rv = OSSL_PARAM_BLD_push_octet_string(param_bld, + OSSL_KDF_PARAM_SSHKDF_XCGHASH, + crypto->secret_hash, + crypto->digest_len); +- if (rc != 1) { +- rc = -1; ++ if (rv != 1) { + goto out; + } +- rc = OSSL_PARAM_BLD_push_octet_string(param_bld, ++ rv = OSSL_PARAM_BLD_push_octet_string(param_bld, + OSSL_KDF_PARAM_SSHKDF_SESSION_ID, + crypto->session_id, + crypto->session_id_len); +- if (rc != 1) { +- rc = -1; ++ if (rv != 1) { + goto out; + } +- rc = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE, ++ rv = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE, + (const char*)&key_type, 1); +- if (rc != 1) { +- rc = -1; ++ if (rv != 1) { + goto out; + } + + params = OSSL_PARAM_BLD_to_param(param_bld); + if (params == NULL) { +- rc = -1; + goto out; + } + +- rc = EVP_KDF_derive(ctx, output, requested_len, params); +- if (rc != 1) { +- rc = -1; ++ rv = EVP_KDF_derive(ctx, output, requested_len, params); ++ if (rv != 1) { + goto out; + } + #endif /* OPENSSL_VERSION_NUMBER */ +- ++ ret = SSH_OK; + out: + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + OSSL_PARAM_BLD_free(param_bld); + OSSL_PARAM_free(params); + #endif + EVP_KDF_CTX_free(ctx); +- if (rc < 0) { +- return rc; ++ if (ret < 0) { ++ return ret; + } + return 0; + } +-- +2.33.0 + diff --git a/libssh.spec b/libssh.spec index 2524206..be1b902 100644 --- a/libssh.spec +++ b/libssh.spec @@ -2,7 +2,7 @@ Name: libssh Version: 0.10.5 -Release: 5 +Release: 6 Summary: A library implementing the SSH protocol License: LGPL-2.1-or-later URL: https://www.libssh.org @@ -32,6 +32,12 @@ Patch18: backport-0018-CVE-2023-6918-kdf-Detect-context-init-failures.pat Patch19: backport-0019-CVE-2023-6918-tests-Code-coverage-for-ssh_get_pubkey.patch Patch20: backport-Fix-regression-in-IPv6-addresses-in-hostname-parsing.patch Patch21: backport-0020-CVE-2025-5318-fix-possible-buffer-overrun.patch +Patch22: backport-0021-CVE-2025-4877-prevent-integer-overflow-and-potential-OOB.patch +Patch23: backport-0022-CVE-2025-4878-Initialize-pointers-where-posibble.patch +Patch24: backport-0023-CVE-2025-4878-Properly-check-ret-to-avoid-NULL-dereference.patch +Patch25: backport-0024-CVE-2025-5351-avoid-double-free-on-low-memory-conditions.patch +Patch26: backport-0025-CVE-2025-5987-correctly-detect-failures-of-chacha-init.patch +Patch27: backport-0026-CVE-2025-5372-Simplify-error-checking-in-ssh_kdf.patch BuildRequires: cmake gcc-c++ gnupg2 openssl-devel pkgconfig zlib-devel BuildRequires: krb5-devel libcmocka-devel openssh-clients openssh-server @@ -103,6 +109,12 @@ popd %doc CHANGELOG README %changelog +* Mon Aug 18 2025 zhangbinqin - 0.10.5-6 +- Type:CVE +- Id:CVE-2025-4877 CVE-2025-4878 CVE-2025-5351 CVE-2025-5987 CVE-2025-5372 +- SUG:NA +- DESC:fix CVE-2025-4877 CVE-2025-4878 CVE-2025-5351 CVE-2025-5987 CVE-2025-5372 + * Wed Jul 2 2025 zhangbinqin - 0.10.5-5 - Type:CVE - Id:CVE-2025-5318 -- Gitee