CVE-2025-4878 Initialize pointers where possible

This is mostly mechanical change initializing all the pointers I was able to find with some grep and manual review of sources and examples. Used the following greps (which yield some false positives though): git grep " \w* *\* *\w*;$" git grep " ssh_session \w*;" git grep " ssh_channel \w*;" git grep " struct ssh_iterator \*\w*;" git grep " ssh_bind \w*;" git grep " ssh_key \w*;" git grep " ssh_string \w*;" git grep " ssh_buffer \w*;" git grep " HMACCTX \w*;" git grep " SHACTX \w*;" grep -rinP '^(?!.*=)\s*(?:\w+\s+)*\w+\s*\*\s*\w+\s*;' Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2026-02-07 02:39:48 +09:00 · 2025-04-23 17:57:11 +02:00
parent 5d27f69494
commit 2eb2af4426
62 changed files with 352 additions and 336 deletions
--- a/src/channels.c
+++ b/src/channels.c
@@ -169,7 +169,7 @@ uint32_t ssh_channel_new_id(ssh_session session)
 SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf)
 {
    uint32_t channelid = 0;
-    ssh_channel channel;
+    ssh_channel channel = NULL;
    int rc;
    (void)type;
    (void)user;
@@ -241,7 +241,7 @@ error:
 */
 SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail)
 {
-    ssh_channel channel;
+    ssh_channel channel = NULL;
    char *error = NULL;
    uint32_t code;
    int rc;
@@ -411,8 +411,8 @@ end:
 /* return channel with corresponding local id, or NULL if not found */
 ssh_channel ssh_channel_from_local(ssh_session session, uint32_t id)
 {
-    struct ssh_iterator *it;
-    ssh_channel channel;
+    struct ssh_iterator *it = NULL;
+    ssh_channel channel = NULL;

    for (it = ssh_list_get_iterator(session->channels); it != NULL;
         it = it->next) {
@@ -509,7 +509,7 @@ error:
 */
 static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet)
 {
-    ssh_channel channel;
+    ssh_channel channel = NULL;
    uint32_t chan;
    int rc;

@@ -534,7 +534,7 @@ static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet)

 SSH_PACKET_CALLBACK(channel_rcv_change_window)
 {
-    ssh_channel channel;
+    ssh_channel channel = NULL;
    uint32_t bytes;
    int rc;
    bool was_empty;
@@ -709,7 +709,7 @@ SSH_PACKET_CALLBACK(channel_rcv_data)

 SSH_PACKET_CALLBACK(channel_rcv_eof)
 {
-    ssh_channel channel;
+    ssh_channel channel = NULL;
    (void)user;
    (void)type;

@@ -753,8 +753,9 @@ static bool ssh_channel_has_unread_data(ssh_channel channel)
    return false;
 }

-SSH_PACKET_CALLBACK(channel_rcv_close) {
-    ssh_channel channel;
+SSH_PACKET_CALLBACK(channel_rcv_close)
+{
+    ssh_channel channel = NULL;
    (void)user;
    (void)type;

@@ -995,7 +996,7 @@ int channel_default_bufferize(ssh_channel channel,
                              void *data, uint32_t len,
                              bool is_stderr)
 {
-    ssh_session session;
+    ssh_session session = NULL;

    if (channel == NULL) {
        return -1;
@@ -1134,7 +1135,7 @@ int ssh_channel_open_auth_agent(ssh_channel channel)
 int ssh_channel_open_forward(ssh_channel channel, const char *remotehost,
    int remoteport, const char *sourcehost, int localport)
 {
-    ssh_session session;
+    ssh_session session = NULL;
    ssh_buffer payload = NULL;
    ssh_string str = NULL;
    int rc = SSH_ERROR;
@@ -1272,7 +1273,7 @@ error:
 */
 void ssh_channel_free(ssh_channel channel)
 {
-    ssh_session session;
+    ssh_session session = NULL;

    if (channel == NULL) {
        return;
@@ -1379,7 +1380,7 @@ void ssh_channel_do_free(ssh_channel channel)
 */
 int ssh_channel_send_eof(ssh_channel channel)
 {
-    ssh_session session;
+    ssh_session session = NULL;
    int rc = SSH_ERROR;
    int err;

@@ -1440,7 +1441,7 @@ error:
 */
 int ssh_channel_close(ssh_channel channel)
 {
-    ssh_session session;
+    ssh_session session = NULL;
    int rc = 0;

    if(channel == NULL) {
@@ -1536,7 +1537,7 @@ static int channel_write_common(ssh_channel channel,
                                const void *data,
                                uint32_t len, int is_stderr)
 {
-    ssh_session session;
+    ssh_session session = NULL;
    uint32_t origlen = len;
    uint32_t effectivelen;
    int rc;
@@ -1804,7 +1805,7 @@ void ssh_channel_set_blocking(ssh_channel channel, int blocking)
 */
 SSH_PACKET_CALLBACK(ssh_packet_channel_success)
 {
-    ssh_channel channel;
+    ssh_channel channel = NULL;
    (void)type;
    (void)user;

@@ -1842,7 +1843,7 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_success)
 */
 SSH_PACKET_CALLBACK(ssh_packet_channel_failure)
 {
-    ssh_channel channel;
+    ssh_channel channel = NULL;
    (void)type;
    (void)user;

@@ -1992,7 +1993,7 @@ error:
 int ssh_channel_request_pty_size_modes(ssh_channel channel, const char *terminal,
    int col, int row, const unsigned char* modes, size_t modes_len)
 {
-    ssh_session session;
+    ssh_session session = NULL;
    ssh_buffer buffer = NULL;
    int rc = SSH_ERROR;

@@ -2321,7 +2322,7 @@ static ssh_channel ssh_channel_accept(ssh_session session, int channeltype,
 #endif
  ssh_message msg = NULL;
  ssh_channel channel = NULL;
-  struct ssh_iterator *iterator;
+  struct ssh_iterator *iterator = NULL;
  int t;

  /*
@@ -2990,7 +2991,7 @@ error:
 int channel_read_buffer(ssh_channel channel, ssh_buffer buffer, uint32_t count,
    int is_stderr)
 {
-    ssh_session session;
+    ssh_session session = NULL;
    char *buffer_tmp = NULL;
    int r;
    uint32_t total = 0;
@@ -3126,8 +3127,8 @@ int ssh_channel_read_timeout(ssh_channel channel,
                             int is_stderr,
                             int timeout_ms)
 {
-    ssh_session session;
-    ssh_buffer stdbuf;
+    ssh_session session = NULL;
+    ssh_buffer stdbuf = NULL;
    uint32_t len;
    struct ssh_channel_read_termination_struct ctx;
    int rc;
@@ -3235,7 +3236,7 @@ int ssh_channel_read_nonblocking(ssh_channel channel,
                                 uint32_t count,
                                 int is_stderr)
 {
-    ssh_session session;
+    ssh_session session = NULL;
    uint32_t to_read;
    int rc;
    int blocking;
@@ -3347,8 +3348,8 @@ int ssh_channel_poll(ssh_channel channel, int is_stderr)
 */
 int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr)
 {
-    ssh_session session;
-    ssh_buffer stdbuf;
+    ssh_session session = NULL;
+    ssh_buffer stdbuf = NULL;
    struct ssh_channel_read_termination_struct ctx;
    size_t len;
    int rc;
@@ -3550,7 +3551,7 @@ channel_protocol_select(ssh_channel *rchans, ssh_channel *wchans,
                        ssh_channel *echans, ssh_channel *rout,
                        ssh_channel *wout, ssh_channel *eout)
 {
-    ssh_channel chan;
+    ssh_channel chan = NULL;
    int i;
    int j = 0;

@@ -3635,7 +3636,7 @@ static size_t count_ptrs(ssh_channel *ptrs)
 int ssh_channel_select(ssh_channel *readchans, ssh_channel *writechans,
                       ssh_channel *exceptchans, struct timeval * timeout)
 {
-    ssh_channel *rchans, *wchans, *echans;
+    ssh_channel *rchans = NULL, *wchans = NULL, *echans = NULL;
    ssh_channel dummy = NULL;
    ssh_event event = NULL;
    int rc;
@@ -3839,7 +3840,7 @@ int ssh_channel_write_stderr(ssh_channel channel, const void *data, uint32_t len
 int ssh_channel_open_reverse_forward(ssh_channel channel, const char *remotehost,
                                     int remoteport, const char *sourcehost, int localport)
 {
-    ssh_session session;
+    ssh_session session = NULL;
    ssh_buffer payload = NULL;
    int rc = SSH_ERROR;

@@ -3903,7 +3904,7 @@ error:
 int ssh_channel_open_x11(ssh_channel channel,
                         const char *orig_addr, int orig_port)
 {
-    ssh_session session;
+    ssh_session session = NULL;
    ssh_buffer payload = NULL;
    int rc = SSH_ERROR;