Skip to content

Potential security issue in lib/sha256.c: Unchecked return from initialization function#5414

Closed
monocle-ai wants to merge 1 commit into
curl:masterfrom
monocle-ai:sha256-cuv-2020-05-18-08-59-31-5414
Closed

Potential security issue in lib/sha256.c: Unchecked return from initialization function#5414
monocle-ai wants to merge 1 commit into
curl:masterfrom
monocle-ai:sha256-cuv-2020-05-18-08-59-31-5414

Conversation

@monocle-ai
Copy link
Copy Markdown

@monocle-ai monocle-ai commented May 18, 2020

What is a Conditionally Uninitialized Variable? The return value of a function that is potentially used to initialize a local variable is not checked. Therefore, reading the local variable may result in undefined behavior.

1 instance of this defect were found in the following locations:

Instance 1
File : lib/sha256.c
Function: CryptGetHashParam

curl/lib/sha256.c

Line 228 in 17b1405

CryptGetHashParam(ctx->hHash, HP_HASHVAL, NULL, &length, 0);

Code extract:

{
  unsigned long length;

  CryptGetHashParam(ctx->hHash, HP_HASHVAL, NULL, &length, 0); <------ HERE
  if(length == SHA256_DIGEST_LENGTH)
    CryptGetHashParam(ctx->hHash, HP_HASHVAL, digest, &length, 0);

bagder
bagder reviewed May 18, 2020
View reviewed changes
Comment thread lib/sha256.c
@bagder bagder closed this in fae3065 May 19, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bagder bagder bagder left review comments

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@monocle-ai @bagder @siva-msft