diff --git a/CVE-2025-4877.patch b/CVE-2025-4877.patch new file mode 100644 index 0000000..7800a81 --- /dev/null +++ b/CVE-2025-4877.patch @@ -0,0 +1,54 @@ +From c9d785835f5b299c31b22be0506a658205c169bf Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 15 Apr 2025 11:41:24 +0200 +Subject: [PATCH] CVE-2025-4877 base64: Prevent integer overflow and potential + OOB + +Set maximum input to 256MB to have safe margin to the 1GB trigger point +for 32b arch. + +The OOB should not be reachable by any internal code paths as most of +the buffers and strings we use as input for this operation already have +similar limit and none really allows this much of data. + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider +(cherry picked from commit 00f09acbec55962839fc7837ef14c56fb8fbaf72) +--- + src/base64.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/base64.c b/src/base64.c +index 4148f49c..f42e0e80 100644 +--- a/src/base64.c ++++ b/src/base64.c +@@ -29,6 +29,9 @@ + #include "libssh/priv.h" + #include "libssh/buffer.h" + ++/* Do not allow encoding more than 256MB of data */ ++#define BASE64_MAX_INPUT_LEN 256 * 1024 * 1024 ++ + static + const uint8_t alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz" +@@ -274,7 +277,15 @@ uint8_t *bin_to_base64(const uint8_t *source, size_t len) + { + uint8_t *base64 = NULL; + uint8_t *ptr = NULL; +- size_t flen = len + (3 - (len % 3)); /* round to upper 3 multiple */ ++ size_t flen = 0; ++ ++ /* Set the artificial upper limit for the input. Otherwise on 32b arch, the ++ * following line could overflow for sizes larger than SIZE_MAX / 4 */ ++ if (len > BASE64_MAX_INPUT_LEN) { ++ return NULL; ++ } ++ ++ flen = len + (3 - (len % 3)); /* round to upper 3 multiple */ + flen = (4 * flen) / 3 + 1; + + base64 = malloc(flen); +-- +2.53.0 + diff --git a/CVE-2025-4878.patch b/CVE-2025-4878.patch new file mode 100644 index 0000000..d122a1d --- /dev/null +++ b/CVE-2025-4878.patch @@ -0,0 +1,2630 @@ +From 7b948394e1690b5ad9e23a1c9b75fe8cb9f1567b Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 23 Apr 2025 17:57:11 +0200 +Subject: [PATCH 1/2] CVE-2025-4878 Initialize pointers where possible + +This is mostly mechanical change initializing all the pointers I was able to +find with some grep and manual review of sources and examples. + +Used the following greps (which yield some false positives though): + + git grep " \w* *\* *\w*;$" + git grep " ssh_session \w*;" + git grep " ssh_channel \w*;" + git grep " struct ssh_iterator \*\w*;" + git grep " ssh_bind \w*;" + git grep " ssh_key \w*;" + git grep " ssh_string \w*;" + git grep " ssh_buffer \w*;" + git grep " HMACCTX \w*;" + git grep " SHACTX \w*;" + grep -rinP '^(?!.*=)\s*(?:\w+\s+)*\w+\s*\*\s*\w+\s*;' + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider +--- + doc/authentication.dox | 10 +++---- + doc/command.dox | 2 +- + doc/forwarding.dox | 4 +-- + doc/guided_tour.dox | 14 ++++----- + doc/shell.dox | 2 +- + examples/authentication.c | 12 ++++---- + examples/connect_ssh.c | 2 +- + examples/exec.c | 4 +-- + examples/knownhosts.c | 2 +- + examples/libssh_scp.c | 11 ++++---- + examples/proxy.c | 18 ++++++------ + examples/samplesshd-cb.c | 10 +++---- + examples/samplesshd-kbdint.c | 16 +++++------ + examples/scp_download.c | 4 +-- + examples/senddata.c | 4 +-- + examples/ssh_client.c | 8 +++--- + examples/sshd_direct-tcpip.c | 14 ++++----- + examples/sshnetcat.c | 6 ++-- + src/agent.c | 13 +++++---- + src/auth.c | 7 +++-- + src/bind.c | 11 ++++---- + src/bind_config.c | 4 +-- + src/buffer.c | 9 +++--- + src/callbacks.c | 2 +- + src/chachapoly.c | 2 +- + src/channels.c | 55 ++++++++++++++++++------------------ + src/client.c | 2 +- + src/config.c | 4 +-- + src/config_parser.c | 12 ++++---- + src/connect.c | 4 +-- + src/connector.c | 5 ++-- + src/dh_crypto.c | 2 +- + src/ecdh_crypto.c | 14 ++++----- + src/ecdh_gcrypt.c | 10 +++---- + src/gcrypt_missing.c | 2 +- + src/getpass.c | 4 +-- + src/gssapi.c | 28 +++++++++--------- + src/kex.c | 4 +-- + src/known_hosts.c | 41 ++++++++++++++------------- + src/knownhosts.c | 18 ++++++------ + src/legacy.c | 43 +++++++++++++++------------- + src/libmbedcrypto.c | 2 +- + src/log.c | 2 +- + src/messages.c | 18 ++++++------ + src/misc.c | 24 ++++++++-------- + src/options.c | 22 +++++++-------- + src/packet.c | 6 ++-- + src/packet_crypt.c | 2 +- + src/pki.c | 48 +++++++++++++++---------------- + src/pki_container_openssh.c | 14 ++++----- + src/pki_crypto.c | 10 +++---- + src/pki_ed25519.c | 6 ++-- + src/pki_ed25519_common.c | 2 +- + src/pki_gcrypt.c | 12 ++++---- + src/pki_mbedcrypto.c | 12 ++++---- + src/poll.c | 10 +++---- + src/server.c | 17 +++++------ + src/session.c | 14 ++++----- + src/sftpserver.c | 12 ++++---- + src/string.c | 6 ++-- + src/threads/winlocks.c | 2 +- + src/wrapper.c | 2 +- + 62 files changed, 348 insertions(+), 334 deletions(-) + +diff --git a/doc/authentication.dox b/doc/authentication.dox +index 7d0ab81d..a0b2df84 100644 +--- a/doc/authentication.dox ++++ b/doc/authentication.dox +@@ -105,7 +105,7 @@ Here is a small example of password authentication: + @code + int authenticate_password(ssh_session session) + { +- char *password; ++ char *password = NULL; + int rc; + + password = getpass("Enter your password: "); +@@ -218,7 +218,7 @@ int authenticate_kbdint(ssh_session session) + rc = ssh_userauth_kbdint(session, NULL, NULL); + while (rc == SSH_AUTH_INFO) + { +- const char *name, *instruction; ++ const char *name = NULL, *instruction = NULL; + int nprompts, iprompt; + + name = ssh_userauth_kbdint_getname(session); +@@ -231,7 +231,7 @@ int authenticate_kbdint(ssh_session session) + printf("%s\n", instruction); + for (iprompt = 0; iprompt < nprompts; iprompt++) + { +- const char *prompt; ++ const char *prompt = NULL; + char echo; + + prompt = ssh_userauth_kbdint_getprompt(session, iprompt, &echo); +@@ -251,7 +251,7 @@ int authenticate_kbdint(ssh_session session) + } + else + { +- char *ptr; ++ char *ptr = NULL; + + ptr = getpass(prompt); + if (ssh_userauth_kbdint_setanswer(session, iprompt, ptr) < 0) +@@ -354,7 +354,7 @@ The following example shows how to retrieve and dispose the issue banner: + int display_banner(ssh_session session) + { + int rc; +- char *banner; ++ char *banner = NULL; + + /* + *** Does not work without calling ssh_userauth_none() first *** +diff --git a/doc/command.dox b/doc/command.dox +index 588151c6..e82748ce 100644 +--- a/doc/command.dox ++++ b/doc/command.dox +@@ -22,7 +22,7 @@ a SSH session that uses this channel: + @code + int show_remote_files(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + + channel = ssh_channel_new(session); +diff --git a/doc/forwarding.dox b/doc/forwarding.dox +index 2b202b4d..3ca3aa8a 100644 +--- a/doc/forwarding.dox ++++ b/doc/forwarding.dox +@@ -100,7 +100,7 @@ used to retrieve google's home page from the remote SSH server. + @code + int direct_forwarding(ssh_session session) + { +- ssh_channel forwarding_channel; ++ ssh_channel forwarding_channel = NULL; + int rc = SSH_ERROR; + char *http_get = "GET / HTTP/1.1\nHost: www.google.com\n\n"; + int nbytes, nwritten; +@@ -161,7 +161,7 @@ local libssh application, which handles them: + int web_server(ssh_session session) + { + int rc; +- ssh_channel channel; ++ ssh_channel channel = NULL; + char buffer[256]; + int nbytes, nwritten; + int port = 0; +diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox +index 69576f18..60f4087e 100644 +--- a/doc/guided_tour.dox ++++ b/doc/guided_tour.dox +@@ -79,7 +79,7 @@ Here is a small example of how to use it: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int verbosity = SSH_LOG_PROTOCOL; + int port = 22; + +@@ -126,7 +126,7 @@ Here's an example: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int rc; + + my_ssh_session = ssh_new(); +@@ -190,8 +190,8 @@ int verify_knownhost(ssh_session session) + ssh_key srv_pubkey = NULL; + size_t hlen; + char buf[10]; +- char *hexa; +- char *p; ++ char *hexa = NULL; ++ char *p = NULL; + int cmp; + int rc; + +@@ -317,9 +317,9 @@ The example below shows an authentication with password: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int rc; +- char *password; ++ char *password = NULL; + + // Open session and set options + my_ssh_session = ssh_new(); +@@ -380,7 +380,7 @@ The example below shows how to execute a remote command: + @code + int show_remote_processes(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + char buffer[256]; + int nbytes; +diff --git a/doc/shell.dox b/doc/shell.dox +index d770f27a..54d97888 100644 +--- a/doc/shell.dox ++++ b/doc/shell.dox +@@ -26,7 +26,7 @@ The code sample below achieves these tasks: + @code + int shell_session(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + + channel = ssh_channel_new(session); +diff --git a/examples/authentication.c b/examples/authentication.c +index 7c47c8bd..31de7cfc 100644 +--- a/examples/authentication.c ++++ b/examples/authentication.c +@@ -30,8 +30,8 @@ int authenticate_kbdint(ssh_session session, const char *password) + + err = ssh_userauth_kbdint(session, NULL, NULL); + while (err == SSH_AUTH_INFO) { +- const char *instruction; +- const char *name; ++ const char *instruction = NULL; ++ const char *name = NULL; + char buffer[128]; + int i, n; + +@@ -48,8 +48,8 @@ int authenticate_kbdint(ssh_session session, const char *password) + } + + for (i = 0; i < n; i++) { +- const char *answer; +- const char *prompt; ++ const char *answer = NULL; ++ const char *prompt = NULL; + char echo; + + prompt = ssh_userauth_kbdint_getprompt(session, i, &echo); +@@ -58,7 +58,7 @@ int authenticate_kbdint(ssh_session session, const char *password) + } + + if (echo) { +- char *p; ++ char *p = NULL; + + printf("%s", prompt); + +@@ -143,7 +143,7 @@ int authenticate_console(ssh_session session) + int rc; + int method; + char password[128] = {0}; +- char *banner; ++ char *banner = NULL; + + // Try to authenticate + rc = ssh_userauth_none(session, NULL); +diff --git a/examples/connect_ssh.c b/examples/connect_ssh.c +index c9e4ef6e..06094272 100644 +--- a/examples/connect_ssh.c ++++ b/examples/connect_ssh.c +@@ -22,7 +22,7 @@ clients must be made or how a client should react. + #include + + ssh_session connect_ssh(const char *host, const char *user,int verbosity){ +- ssh_session session; ++ ssh_session session = NULL; + int auth=0; + + session=ssh_new(); +diff --git a/examples/exec.c b/examples/exec.c +index 77d3be47..f90df364 100644 +--- a/examples/exec.c ++++ b/examples/exec.c +@@ -5,8 +5,8 @@ + #include "examples_common.h" + + int main(void) { +- ssh_session session; +- ssh_channel channel; ++ ssh_session session = NULL; ++ ssh_channel channel = NULL; + char buffer[256]; + int rbytes, wbytes, total = 0; + int rc; +diff --git a/examples/knownhosts.c b/examples/knownhosts.c +index 0726bfa8..2857a085 100644 +--- a/examples/knownhosts.c ++++ b/examples/knownhosts.c +@@ -38,7 +38,7 @@ int verify_knownhost(ssh_session session) + char buf[10]; + unsigned char *hash = NULL; + size_t hlen; +- ssh_key srv_pubkey; ++ ssh_key srv_pubkey = NULL; + int rc; + + rc = ssh_get_server_publickey(session, &srv_pubkey); +diff --git a/examples/libssh_scp.c b/examples/libssh_scp.c +index 6fdf8a4f..a332e0d2 100644 +--- a/examples/libssh_scp.c ++++ b/examples/libssh_scp.c +@@ -26,9 +26,9 @@ program. + #define BUF_SIZE 16384 + #endif + +-static char **sources; ++static char **sources = NULL; + static int nsources; +-static char *destination; ++static char *destination = NULL; + static int verbosity = 0; + + struct location { +@@ -114,9 +114,10 @@ static void location_free(struct location *loc) + } + } + +-static struct location *parse_location(char *loc) { +- struct location *location; +- char *ptr; ++static struct location *parse_location(char *loc) ++{ ++ struct location *location = NULL; ++ char *ptr = NULL; + + location = malloc(sizeof(struct location)); + if (location == NULL) { +diff --git a/examples/proxy.c b/examples/proxy.c +index 159a37e5..25451789 100644 +--- a/examples/proxy.c ++++ b/examples/proxy.c +@@ -35,8 +35,8 @@ clients must be made or how a client should react. + static int authenticated=0; + static int tries = 0; + static int error = 0; +-static ssh_channel chan=NULL; +-static char *username; ++static ssh_channel chan = NULL; ++static char *username = NULL; + static ssh_gssapi_creds client_creds = NULL; + + static int auth_password(ssh_session session, const char *user, +@@ -216,11 +216,12 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_event mainloop; +- ssh_session client_session; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_event mainloop = NULL; ++ ssh_session client_session = NULL; + + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, +@@ -231,7 +232,7 @@ int main(int argc, char **argv){ + + char buf[BUF_SIZE]; + char host[128]=""; +- char *ptr; ++ char *ptr = NULL; + int i,r, rc; + + sshbind=ssh_bind_new(); +@@ -348,4 +349,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/samplesshd-cb.c b/examples/samplesshd-cb.c +index e5b48994..693b040d 100644 +--- a/examples/samplesshd-cb.c ++++ b/examples/samplesshd-cb.c +@@ -257,10 +257,11 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_event mainloop; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_event mainloop = NULL; + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, + .auth_none_function = auth_none, +@@ -353,4 +354,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/samplesshd-kbdint.c b/examples/samplesshd-kbdint.c +index 9b09cf27..66e41fc7 100644 +--- a/examples/samplesshd-kbdint.c ++++ b/examples/samplesshd-kbdint.c +@@ -187,8 +187,8 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-static const char *name; +-static const char *instruction; ++static const char *name = NULL; ++static const char *instruction = NULL; + static const char *prompts[2]; + static char echo[] = { 1, 0 }; + +@@ -292,11 +292,12 @@ static int authenticate(ssh_session session) { + return 0; + } + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_message message; +- ssh_channel chan=0; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_message message = NULL; ++ ssh_channel chan = NULL; + char buf[BUF_SIZE]; + int auth=0; + int shell=0; +@@ -426,4 +427,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/scp_download.c b/examples/scp_download.c +index e6c1e796..dcaa2cb7 100644 +--- a/examples/scp_download.c ++++ b/examples/scp_download.c +@@ -108,7 +108,7 @@ static int fetch_files(ssh_session session){ + int size; + char buffer[BUF_SIZE]; + int mode; +- char *filename; ++ char *filename = NULL; + int r; + ssh_scp scp=ssh_scp_new(session, SSH_SCP_READ | SSH_SCP_RECURSIVE, "/tmp/libssh_tests/*"); + if(ssh_scp_init(scp) != SSH_OK){ +@@ -167,7 +167,7 @@ static int fetch_files(ssh_session session){ + } + + int main(int argc, char **argv){ +- ssh_session session; ++ ssh_session session = NULL; + if(opts(argc,argv)<0) + return EXIT_FAILURE; + session=connect_ssh(host,NULL,verbosity); +diff --git a/examples/senddata.c b/examples/senddata.c +index 21181fb9..78383a2b 100644 +--- a/examples/senddata.c ++++ b/examples/senddata.c +@@ -6,7 +6,7 @@ + #define LIMIT 0x100000000UL + + int main(void) { +- ssh_session session; ++ ssh_session session = NULL; + ssh_channel channel; + char buffer[1024*1024]; + int rc; +@@ -47,7 +47,7 @@ int main(void) { + if(total > LIMIT) + break; + } +- ++ + if (rc < 0) { + printf("error : %s\n",ssh_get_error(session)); + ssh_channel_close(channel); +diff --git a/examples/ssh_client.c b/examples/ssh_client.c +index aaf0cb5b..896890c3 100644 +--- a/examples/ssh_client.c ++++ b/examples/ssh_client.c +@@ -53,7 +53,7 @@ static struct termios terminal; + + static char *pcap_file = NULL; + +-static char *proxycommand; ++static char *proxycommand = NULL; + + static int auth_callback(const char *prompt, + char *buf, +@@ -252,7 +252,7 @@ static void select_loop(ssh_session session,ssh_channel channel) + + static void shell(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + struct termios terminal_local; + int interactive=isatty(0); + +@@ -324,7 +324,7 @@ static void batch_shell(ssh_session session) + static int client(ssh_session session) + { + int auth = 0; +- char *banner; ++ char *banner = NULL; + int state; + + if (user) { +@@ -408,7 +408,7 @@ static void cleanup_pcap(void) + + int main(int argc, char **argv) + { +- ssh_session session; ++ ssh_session session = NULL; + + ssh_init(); + session = ssh_new(); +diff --git a/examples/sshd_direct-tcpip.c b/examples/sshd_direct-tcpip.c +index 18a870b9..1230cc8c 100644 +--- a/examples/sshd_direct-tcpip.c ++++ b/examples/sshd_direct-tcpip.c +@@ -355,7 +355,7 @@ my_fd_data_function(UNUSED_PARAM(socket_t fd), + { + struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata; + ssh_channel channel = event_fd_data->channel; +- ssh_session session; ++ ssh_session session = NULL; + int len, i, wr; + char buf[BUF_SIZE]; + int blocking; +@@ -449,8 +449,8 @@ open_tcp_socket(ssh_message msg) + { + struct sockaddr_in sin; + int forwardsock = -1; +- struct hostent *host; +- const char *dest_hostname; ++ struct hostent *host = NULL; ++ const char *dest_hostname = NULL; + int dest_port; + + forwardsock = socket(AF_INET, SOCK_STREAM, 0); +@@ -493,8 +493,8 @@ message_callback(UNUSED_PARAM(ssh_session session), + UNUSED_PARAM(void *userdata)) + { + ssh_channel channel; +- int socket_fd, *pFd; +- struct ssh_channel_callbacks_struct *cb_chan; ++ int socket_fd, *pFd = NULL; ++ struct ssh_channel_callbacks_struct *cb_chan = NULL; + struct event_fd_data_struct *event_fd_data; + + _ssh_log(SSH_LOG_PACKET, "=== message_callback", "Message type: %d", +@@ -662,8 +662,8 @@ static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + int + main(int argc, char **argv) + { +- ssh_session session; +- ssh_bind sshbind; ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, + .auth_password_function = auth_password, +diff --git a/examples/sshnetcat.c b/examples/sshnetcat.c +index 9bc5d52e..6114378e 100644 +--- a/examples/sshnetcat.c ++++ b/examples/sshnetcat.c +@@ -39,7 +39,7 @@ clients must be made or how a client should react. + #define BUF_SIZE 4096 + #endif + +-char *host; ++char *host = NULL; + const char *desthost="localhost"; + const char *port="22"; + +@@ -193,7 +193,7 @@ static void forwarding(ssh_session session){ + + static int client(ssh_session session){ + int auth=0; +- char *banner; ++ char *banner = NULL; + int state; + + if (ssh_options_set(session, SSH_OPTIONS_HOST ,host) < 0) +@@ -245,7 +245,7 @@ void cleanup_pcap(){ + #endif + + int main(int argc, char **argv){ +- ssh_session session; ++ ssh_session session = NULL; + + session = ssh_new(); + +diff --git a/src/agent.c b/src/agent.c +index 4542f424..6a543bbf 100644 +--- a/src/agent.c ++++ b/src/agent.c +@@ -410,8 +410,9 @@ ssh_key ssh_agent_get_first_ident(struct ssh_session_struct *session, + + /* caller has to free comment */ + ssh_key ssh_agent_get_next_ident(struct ssh_session_struct *session, +- char **comment) { +- struct ssh_key_struct *key; ++ char **comment) ++{ ++ struct ssh_key_struct *key = NULL; + struct ssh_string_struct *blob = NULL; + struct ssh_string_struct *tmp = NULL; + int rc; +@@ -480,10 +481,10 @@ ssh_string ssh_agent_sign_data(ssh_session session, + const ssh_key pubkey, + struct ssh_buffer_struct *data) + { +- ssh_buffer request; +- ssh_buffer reply; +- ssh_string key_blob; +- ssh_string sig_blob; ++ ssh_buffer request = NULL; ++ ssh_buffer reply = NULL; ++ ssh_string key_blob = NULL; ++ ssh_string sig_blob = NULL; + unsigned int type = 0; + unsigned int flags = 0; + uint32_t dlen; +diff --git a/src/auth.c b/src/auth.c +index 08d895a2..e86ea247 100644 +--- a/src/auth.c ++++ b/src/auth.c +@@ -195,8 +195,9 @@ static int ssh_userauth_get_response(ssh_session session) + * + * This banner should be shown to user prior to authentication + */ +-SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) { +- ssh_string banner; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) ++{ ++ ssh_string banner = NULL; + (void)type; + (void)user; + +@@ -1395,7 +1396,7 @@ int ssh_userauth_agent_pubkey(ssh_session session, + const char *username, + ssh_public_key publickey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + key = ssh_key_new(); +diff --git a/src/bind.c b/src/bind.c +index d947cd78..c5dc8a3f 100644 +--- a/src/bind.c ++++ b/src/bind.c +@@ -74,7 +74,7 @@ + static socket_t bind_socket(ssh_bind sshbind, const char *hostname, + int port) { + char port_c[6]; +- struct addrinfo *ai; ++ struct addrinfo *ai = NULL; + struct addrinfo hints; + int opt = 1; + socket_t s; +@@ -132,8 +132,9 @@ static socket_t bind_socket(ssh_bind sshbind, const char *hostname, + return s; + } + +-ssh_bind ssh_bind_new(void) { +- ssh_bind ptr; ++ssh_bind ssh_bind_new(void) ++{ ++ ssh_bind ptr = NULL; + + ptr = calloc(1, sizeof(struct ssh_bind_struct)); + if (ptr == NULL) { +@@ -251,7 +252,7 @@ static int ssh_bind_import_keys(ssh_bind sshbind) { + } + + int ssh_bind_listen(ssh_bind sshbind) { +- const char *host; ++ const char *host = NULL; + socket_t fd; + int rc; + +@@ -473,7 +474,7 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd){ + return SSH_ERROR; + } + } else { +- char *p; ++ char *p = NULL; + /* If something was set to the session prior to calling this + * function, keep only what is allowed by the options set in + * sshbind */ +diff --git a/src/bind_config.c b/src/bind_config.c +index a4c7a8d7..9e4a7fd4 100644 +--- a/src/bind_config.c ++++ b/src/bind_config.c +@@ -200,7 +200,7 @@ local_parse_file(ssh_bind bind, + uint8_t *seen, + unsigned int depth) + { +- FILE *f; ++ FILE *f = NULL; + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; + int rv; +@@ -626,7 +626,7 @@ int ssh_bind_config_parse_file(ssh_bind bind, const char *filename) + { + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; +- FILE *f; ++ FILE *f = NULL; + uint32_t parser_flags; + int rv; + +diff --git a/src/buffer.c b/src/buffer.c +index 2744da3f..d631686e 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -370,7 +370,8 @@ int ssh_buffer_allocate_size(struct ssh_buffer_struct *buffer, + */ + void *ssh_buffer_allocate(struct ssh_buffer_struct *buffer, uint32_t len) + { +- void *ptr; ++ void *ptr = NULL; ++ + buffer_verify(buffer); + + if (buffer->used + len < len) { +@@ -924,7 +925,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, + va_list ap) + { + int rc = SSH_ERROR; +- const char *p; ++ const char *p = NULL; + union { + uint8_t byte; + uint16_t word; +@@ -933,7 +934,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, + ssh_string string; + void *data; + } o; +- char *cstring; ++ char *cstring = NULL; + bignum b; + size_t len; + size_t count; +@@ -1092,7 +1093,7 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, + va_list ap) + { + int rc = SSH_ERROR; +- const char *p = format, *last; ++ const char *p = format, *last = NULL; + union { + uint8_t *byte; + uint16_t *word; +diff --git a/src/callbacks.c b/src/callbacks.c +index 3ed2f11c..6bfed62a 100644 +--- a/src/callbacks.c ++++ b/src/callbacks.c +@@ -113,7 +113,7 @@ int ssh_add_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb) + + int ssh_remove_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + if (channel == NULL || channel->callbacks == NULL){ + return SSH_ERROR; +diff --git a/src/chachapoly.c b/src/chachapoly.c +index 2cd23854..354a0d26 100644 +--- a/src/chachapoly.c ++++ b/src/chachapoly.c +@@ -42,7 +42,7 @@ static int chacha20_set_encrypt_key(struct ssh_cipher_struct *cipher, + void *key, + void *IV) + { +- struct chacha20_poly1305_keysched *sched; ++ struct chacha20_poly1305_keysched *sched = NULL; + uint8_t *u8key = key; + (void)IV; + +diff --git a/src/channels.c b/src/channels.c +index 440707d6..9cc8ab2f 100644 +--- a/src/channels.c ++++ b/src/channels.c +@@ -165,7 +165,7 @@ uint32_t ssh_channel_new_id(ssh_session session) + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf){ + uint32_t channelid=0; +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + (void)type; + (void)user; +@@ -226,7 +226,7 @@ error: + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){ + +- ssh_channel channel; ++ ssh_channel channel = NULL; + char *error = NULL; + uint32_t code; + int rc; +@@ -386,7 +386,7 @@ end: + /* return channel with corresponding local id, or NULL if not found */ + ssh_channel ssh_channel_from_local(ssh_session session, uint32_t id) { + struct ssh_iterator *it; +- ssh_channel channel; ++ ssh_channel channel = NULL; + + for (it = ssh_list_get_iterator(session->channels); it != NULL ; it=it->next) { + channel = ssh_iterator_value(ssh_channel, it); +@@ -471,7 +471,7 @@ error: + */ + static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + uint32_t chan; + int rc; + +@@ -493,7 +493,7 @@ static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) + } + + SSH_PACKET_CALLBACK(channel_rcv_change_window) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + uint32_t bytes; + int rc; + (void)user; +@@ -632,7 +632,7 @@ SSH_PACKET_CALLBACK(channel_rcv_data){ + } + + SSH_PACKET_CALLBACK(channel_rcv_eof) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)user; + (void)type; + +@@ -676,8 +676,9 @@ static bool ssh_channel_has_unread_data(ssh_channel channel) + return false; + } + +-SSH_PACKET_CALLBACK(channel_rcv_close) { +- ssh_channel channel; ++SSH_PACKET_CALLBACK(channel_rcv_close) ++{ ++ ssh_channel channel = NULL; + (void)user; + (void)type; + +@@ -902,7 +903,7 @@ int channel_default_bufferize(ssh_channel channel, + void *data, uint32_t len, + bool is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + + if(channel == NULL) { + return -1; +@@ -1041,7 +1042,7 @@ int ssh_channel_open_auth_agent(ssh_channel channel) + int ssh_channel_open_forward(ssh_channel channel, const char *remotehost, + int remoteport, const char *sourcehost, int localport) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + ssh_string str = NULL; + int rc = SSH_ERROR; +@@ -1179,7 +1180,7 @@ error: + */ + void ssh_channel_free(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + + if (channel == NULL) { + return; +@@ -1280,7 +1281,7 @@ void ssh_channel_do_free(ssh_channel channel) + */ + int ssh_channel_send_eof(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + int rc = SSH_ERROR; + int err; + +@@ -1341,7 +1342,7 @@ error: + */ + int ssh_channel_close(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + int rc = 0; + + if(channel == NULL) { +@@ -1437,7 +1438,7 @@ static int channel_write_common(ssh_channel channel, + const void *data, + uint32_t len, int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + uint32_t origlen = len; + size_t effectivelen; + size_t maxpacketlen; +@@ -1694,7 +1695,7 @@ void ssh_channel_set_blocking(ssh_channel channel, int blocking) + * @brief handle a SSH_CHANNEL_SUCCESS packet and set the channel state. + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_success){ +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)type; + (void)user; + +@@ -1724,7 +1725,7 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_success){ + * @brief Handle a SSH_CHANNEL_FAILURE packet and set the channel state. + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_failure){ +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)type; + (void)user; + +@@ -1863,7 +1864,7 @@ error: + int ssh_channel_request_pty_size(ssh_channel channel, const char *terminal, + int col, int row) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer buffer = NULL; + int rc = SSH_ERROR; + +@@ -2174,7 +2175,7 @@ static ssh_channel ssh_channel_accept(ssh_session session, int channeltype, + #endif + ssh_message msg = NULL; + ssh_channel channel = NULL; +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + int t; + + /* +@@ -2836,7 +2837,7 @@ error: + int channel_read_buffer(ssh_channel channel, ssh_buffer buffer, uint32_t count, + int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + char *buffer_tmp = NULL; + int r; + uint32_t total=0; +@@ -2977,7 +2978,7 @@ int ssh_channel_read_timeout(ssh_channel channel, + int is_stderr, + int timeout_ms) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer stdbuf; + uint32_t len; + struct ssh_channel_read_termination_struct ctx; +@@ -3101,7 +3102,7 @@ int ssh_channel_read_nonblocking(ssh_channel channel, + uint32_t count, + int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + uint32_t to_read; + int rc; + int blocking; +@@ -3211,8 +3212,8 @@ int ssh_channel_poll(ssh_channel channel, int is_stderr) + */ + int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr) + { +- ssh_session session; +- ssh_buffer stdbuf; ++ ssh_session session = NULL; ++ ssh_buffer stdbuf = NULL; + struct ssh_channel_read_termination_struct ctx; + size_t len; + int rc; +@@ -3339,7 +3340,7 @@ channel_protocol_select(ssh_channel *rchans, ssh_channel *wchans, + ssh_channel *echans, ssh_channel *rout, + ssh_channel *wout, ssh_channel *eout) + { +- ssh_channel chan; ++ ssh_channel chan = NULL; + int i; + int j = 0; + +@@ -3420,7 +3421,7 @@ static size_t count_ptrs(ssh_channel *ptrs) + int ssh_channel_select(ssh_channel *readchans, ssh_channel *writechans, + ssh_channel *exceptchans, struct timeval * timeout) + { +- ssh_channel *rchans, *wchans, *echans; ++ ssh_channel *rchans = NULL, *wchans = NULL, *echans = NULL; + ssh_channel dummy = NULL; + ssh_event event = NULL; + int rc; +@@ -3607,7 +3608,7 @@ int ssh_channel_write_stderr(ssh_channel channel, const void *data, uint32_t len + int ssh_channel_open_reverse_forward(ssh_channel channel, const char *remotehost, + int remoteport, const char *sourcehost, int localport) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + int rc = SSH_ERROR; + +@@ -3671,7 +3672,7 @@ error: + int ssh_channel_open_x11(ssh_channel channel, + const char *orig_addr, int orig_port) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + int rc = SSH_ERROR; + +diff --git a/src/client.c b/src/client.c +index 90f5ad53..38c62417 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -750,7 +750,7 @@ ssh_session_set_disconnect_message(ssh_session session, const char *message) + void + ssh_disconnect(ssh_session session) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + int rc; + + if (session == NULL) { +diff --git a/src/config.c b/src/config.c +index aab6dc5d..94b70d58 100644 +--- a/src/config.c ++++ b/src/config.c +@@ -203,7 +203,7 @@ local_parse_file(ssh_session session, + unsigned int depth, + bool global) + { +- FILE *f; ++ FILE *f = NULL; + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; + int rv; +@@ -1201,7 +1201,7 @@ int ssh_config_parse_file(ssh_session session, const char *filename) + { + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; +- FILE *f; ++ FILE *f = NULL; + int parsing, rv; + bool global = 0; + +diff --git a/src/config_parser.c b/src/config_parser.c +index f5f1b851..5555f6fd 100644 +--- a/src/config_parser.c ++++ b/src/config_parser.c +@@ -39,8 +39,8 @@ + */ + char *ssh_config_get_cmd(char **str) + { +- register char *c; +- char *r; ++ register char *c = NULL; ++ char *r = NULL; + + /* Ignore leading spaces */ + for (c = *str; *c; c++) { +@@ -76,7 +76,7 @@ out: + */ + char *ssh_config_get_token(char **str) + { +- register char *c; ++ register char *c = NULL; + bool had_equal = false; + char *r = NULL; + +@@ -125,7 +125,7 @@ out: + + long ssh_config_get_long(char **str, long notfound) + { +- char *p, *endp; ++ char *p = NULL, *endp = NULL; + long i; + + p = ssh_config_get_token(str); +@@ -142,7 +142,7 @@ long ssh_config_get_long(char **str, long notfound) + + const char *ssh_config_get_str_tok(char **str, const char *def) + { +- char *p; ++ char *p = NULL; + + p = ssh_config_get_token(str); + if (p && *p) { +@@ -154,7 +154,7 @@ const char *ssh_config_get_str_tok(char **str, const char *def) + + int ssh_config_get_yesno(char **str, int notfound) + { +- const char *p; ++ const char *p = NULL; + + p = ssh_config_get_str_tok(str, NULL); + if (p == NULL) { +diff --git a/src/connect.c b/src/connect.c +index 15cae644..2d09af5e 100644 +--- a/src/connect.c ++++ b/src/connect.c +@@ -194,8 +194,8 @@ socket_t ssh_connect_host_nonblocking(ssh_session session, const char *host, + } + + if (bind_addr) { +- struct addrinfo *bind_ai; +- struct addrinfo *bind_itr; ++ struct addrinfo *bind_ai = NULL; ++ struct addrinfo *bind_itr = NULL; + + SSH_LOG(SSH_LOG_PACKET, "Resolving %s", bind_addr); + +diff --git a/src/connector.c b/src/connector.c +index c9f2cf03..365030f2 100644 +--- a/src/connector.c ++++ b/src/connector.c +@@ -632,8 +632,9 @@ error: + return rc; + } + +-int ssh_connector_remove_event(ssh_connector connector) { +- ssh_session session; ++int ssh_connector_remove_event(ssh_connector connector) ++{ ++ ssh_session session = NULL; + + if (connector->in_poll != NULL) { + ssh_event_remove_poll(connector->event, connector->in_poll); +diff --git a/src/dh_crypto.c b/src/dh_crypto.c +index bcf817d4..85249bfc 100644 +--- a/src/dh_crypto.c ++++ b/src/dh_crypto.c +@@ -404,7 +404,7 @@ done: + */ + int ssh_dh_init_common(struct ssh_crypto_struct *crypto) + { +- struct dh_ctx *ctx; ++ struct dh_ctx *ctx = NULL; + int rc; + + ctx = calloc(1, sizeof(*ctx)); +diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c +index 56bf4c06..178d9060 100644 +--- a/src/ecdh_crypto.c ++++ b/src/ecdh_crypto.c +@@ -415,17 +415,17 @@ int ecdh_build_k(ssh_session session) { + */ + SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){ + /* ECDH keys */ +- ssh_string q_c_string; +- ssh_string q_s_string; ++ ssh_string q_c_string = NULL; ++ ssh_string q_s_string = NULL; + /* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys + * https://github.com/openssl/openssl/pull/16624 + * #if OPENSSL_VERSION_NUMBER < 0x30000000L + */ + #if 1 +- EC_KEY *ecdh_key; +- const EC_GROUP *group; +- const EC_POINT *ecdh_pubkey; +- bignum_CTX ctx; ++ EC_KEY *ecdh_key = NULL; ++ const EC_GROUP *group = NULL; ++ const EC_POINT *ecdh_pubkey = NULL; ++ bignum_CTX ctx = NULL; + int curve; + int len; + #else +@@ -437,7 +437,7 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){ + const char *curve = NULL; + #endif /* OPENSSL_VERSION_NUMBER */ + /* SSH host keys (rsa,dsa,ecdsa) */ +- ssh_key privkey; ++ ssh_key privkey = NULL; + enum ssh_digest_e digest = SSH_DIGEST_AUTO; + ssh_string sig_blob = NULL; + ssh_string pubkey_blob = NULL; +diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c +index ae8022e8..722428c2 100644 +--- a/src/ecdh_gcrypt.c ++++ b/src/ecdh_gcrypt.c +@@ -132,9 +132,9 @@ int ecdh_build_k(ssh_session session) + #else + size_t k_len = 0; + enum ssh_key_exchange_e kex_type = session->next_crypto->kex_type; +- ssh_string s; ++ ssh_string s = NULL; + #endif +- ssh_string pubkey_raw; ++ ssh_string pubkey_raw = NULL; + gcry_sexp_t pubkey = NULL; + ssh_string privkey = NULL; + int rc = SSH_ERROR; +@@ -267,12 +267,12 @@ int ecdh_build_k(ssh_session session) + SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){ + gpg_error_t err; + /* ECDH keys */ +- ssh_string q_c_string; +- ssh_string q_s_string; ++ ssh_string q_c_string = NULL; ++ ssh_string q_s_string = NULL; + gcry_sexp_t param = NULL; + gcry_sexp_t key = NULL; + /* SSH host keys (rsa,dsa,ecdsa) */ +- ssh_key privkey; ++ ssh_key privkey = NULL; + enum ssh_digest_e digest = SSH_DIGEST_AUTO; + ssh_string sig_blob = NULL; + ssh_string pubkey_blob = NULL; +diff --git a/src/gcrypt_missing.c b/src/gcrypt_missing.c +index e931ec5b..56dcfb6d 100644 +--- a/src/gcrypt_missing.c ++++ b/src/gcrypt_missing.c +@@ -47,7 +47,7 @@ int ssh_gcry_dec2bn(bignum *bn, const char *data) { + + char *ssh_gcry_bn2dec(bignum bn) { + bignum bndup, num, ten; +- char *ret; ++ char *ret = NULL; + int count, count2; + int size, rsize; + char decnum; +diff --git a/src/getpass.c b/src/getpass.c +index 6be33c77..c19c4bc0 100644 +--- a/src/getpass.c ++++ b/src/getpass.c +@@ -46,7 +46,7 @@ + */ + static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) + { +- char *tmp; ++ char *tmp = NULL; + char *ptr = NULL; + int ok = 0; + +@@ -78,7 +78,7 @@ static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) + } + + if (verify) { +- char *key_string; ++ char *key_string = NULL; + + key_string = calloc(1, len); + if (key_string == NULL) { +diff --git a/src/gssapi.c b/src/gssapi.c +index c7844fd1..934ba0a8 100644 +--- a/src/gssapi.c ++++ b/src/gssapi.c +@@ -196,7 +196,7 @@ ssh_gssapi_handle_userauth(ssh_session session, const char *user, + gss_name_t server_name; /* local server fqdn */ + OM_uint32 maj_stat, min_stat; + size_t i; +- char *ptr; ++ char *ptr = NULL; + gss_OID_set supported; /* oids supported by server */ + gss_OID_set both_supported; /* oids supported by both client and server */ + gss_OID_set selected; /* oid selected for authentication */ +@@ -341,7 +341,7 @@ static char *ssh_gssapi_name_to_char(gss_name_t name) + { + gss_buffer_desc buffer; + OM_uint32 maj_stat, min_stat; +- char *ptr; ++ char *ptr = NULL; + maj_stat = gss_display_name(&min_stat, name, &buffer, NULL); + ssh_gssapi_log_error(SSH_LOG_DEBUG, + "converting name", +@@ -359,9 +359,10 @@ static char *ssh_gssapi_name_to_char(gss_name_t name) + + } + +-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){ +- ssh_string token; +- char *hexa; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server) ++{ ++ ssh_string token = NULL; ++ char *hexa = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + gss_name_t client_name = GSS_C_NO_NAME; +@@ -385,7 +386,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){ + } + + if (ssh_callbacks_exists(session->server_callbacks, gssapi_accept_sec_ctx_function)){ +- ssh_string out_token=NULL; ++ ssh_string out_token = NULL; + rc = session->server_callbacks->gssapi_accept_sec_ctx_function(session, + token, &out_token, session->server_callbacks->userdata); + if (rc == SSH_ERROR){ +@@ -507,7 +508,7 @@ static ssh_buffer ssh_gssapi_build_mic(ssh_session session) + + SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_mic) + { +- ssh_string mic_token; ++ ssh_string mic_token = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc mic_buf = GSS_C_EMPTY_BUFFER; + gss_buffer_desc mic_token_buf = GSS_C_EMPTY_BUFFER; +@@ -669,7 +670,7 @@ static int ssh_gssapi_match(ssh_session session, gss_OID_set *valid_oids) + gss_name_t client_id = GSS_C_NO_NAME; + gss_OID oid; + unsigned int i; +- char *ptr; ++ char *ptr = NULL; + int ret; + + if (session->gssapi->client.client_deleg_creds == NULL) { +@@ -865,11 +866,11 @@ static gss_OID ssh_gssapi_oid_from_string(ssh_string oid_s) + + SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){ + int rc; +- ssh_string oid_s; ++ ssh_string oid_s = NULL; + gss_uint32 maj_stat, min_stat; + gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; +- char *hexa; ++ char *hexa = NULL; + (void)type; + (void)user; + +@@ -986,10 +987,11 @@ static int ssh_gssapi_send_mic(ssh_session session) + return ssh_packet_send(session); + } + +-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){ ++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client) ++{ + int rc; +- ssh_string token; +- char *hexa; ++ ssh_string token = NULL; ++ char *hexa = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + (void)user; +diff --git a/src/kex.c b/src/kex.c +index 2a397d23..f71482fd 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -328,7 +328,7 @@ static int cmp_first_kex_algo(const char *client_str, + size_t client_kex_len; + size_t server_kex_len; + +- char *colon; ++ char *colon = NULL; + + int is_wrong = 1; + +@@ -760,7 +760,7 @@ char *ssh_client_select_hostkeys(ssh_session session) + int ssh_set_client_kex(ssh_session session) + { + struct ssh_kex_struct *client = &session->next_crypto->client_kex; +- const char *wanted; ++ const char *wanted = NULL; + int ok; + int i; + +diff --git a/src/known_hosts.c b/src/known_hosts.c +index 84e15572..f660a6f3 100644 +--- a/src/known_hosts.c ++++ b/src/known_hosts.c +@@ -79,8 +79,8 @@ static struct ssh_tokens_st *ssh_get_knownhost_line(FILE **file, + const char **found_type) + { + char buffer[MAX_LINE_SIZE] = {0}; +- char *ptr; +- struct ssh_tokens_st *tokens; ++ char *ptr = NULL; ++ struct ssh_tokens_st *tokens = NULL; + + if (*file == NULL) { + *file = fopen(filename,"r"); +@@ -149,7 +149,7 @@ static struct ssh_tokens_st *ssh_get_knownhost_line(FILE **file, + static int check_public_key(ssh_session session, char **tokens) { + ssh_string pubkey_blob = NULL; + ssh_buffer pubkey_buffer; +- char *pubkey_64; ++ char *pubkey_64 = NULL; + int rc; + + /* ssh-dss or ssh-rsa */ +@@ -205,11 +205,11 @@ static int match_hashed_host(const char *host, const char *sourcehash) + * hash := HMAC_SHA1(key=salt,data=host) + */ + unsigned char buffer[256] = {0}; +- ssh_buffer salt; +- ssh_buffer hash; +- HMACCTX mac; +- char *source; +- char *b64hash; ++ ssh_buffer salt = NULL; ++ ssh_buffer hash = NULL; ++ HMACCTX mac = NULL; ++ char *source = NULL; ++ char *b64hash = NULL; + int match, rc; + size_t size; + +@@ -304,14 +304,14 @@ static int match_hashed_host(const char *host, const char *sourcehash) + int ssh_is_server_known(ssh_session session) + { + FILE *file = NULL; +- char *host; +- char *hostport; +- const char *type; ++ char *host = NULL; ++ char *hostport = NULL; ++ const char *type = NULL; + int match; + int i = 0; +- char *files[3]; ++ char *files[3] = {0}; + +- struct ssh_tokens_st *tokens; ++ struct ssh_tokens_st *tokens = NULL; + + int ret = SSH_SERVER_NOT_KNOWN; + +@@ -443,12 +443,13 @@ int ssh_is_server_known(ssh_session session) + * @deprecated Please use ssh_session_export_known_hosts_entry() + * @brief This function is deprecated. + */ +-char * ssh_dump_knownhost(ssh_session session) { ++char *ssh_dump_knownhost(ssh_session session) ++{ + ssh_key server_pubkey = NULL; +- char *host; +- char *hostport; +- char *buffer; +- char *b64_key; ++ char *host = NULL; ++ char *hostport = NULL; ++ char *buffer = NULL; ++ char *b64_key = NULL; + int rc; + + if (session->opts.host == NULL) { +@@ -513,9 +514,9 @@ char * ssh_dump_knownhost(ssh_session session) { + */ + int ssh_write_knownhost(ssh_session session) + { +- FILE *file; ++ FILE *file = NULL; + char *buffer = NULL; +- char *dir; ++ char *dir = NULL; + int rc; + + if (session->opts.knownhosts == NULL) { +diff --git a/src/knownhosts.c b/src/knownhosts.c +index 94618fe2..62777ad2 100644 +--- a/src/knownhosts.c ++++ b/src/knownhosts.c +@@ -61,7 +61,7 @@ static int hash_hostname(const char *name, + size_t *hash_size) + { + int rc; +- HMACCTX mac_ctx; ++ HMACCTX mac_ctx = NULL; + + mac_ctx = hmac_init(salt, salt_size, SSH_HMAC_SHA1); + if (mac_ctx == NULL) { +@@ -81,8 +81,8 @@ static int hash_hostname(const char *name, + + static int match_hashed_hostname(const char *host, const char *hashed_host) + { +- char *hashed; +- char *b64_hash; ++ char *hashed = NULL; ++ char *b64_hash = NULL; + ssh_buffer salt = NULL; + ssh_buffer hash = NULL; + unsigned char hashed_buf[256] = {0}; +@@ -229,7 +229,7 @@ static int ssh_known_hosts_read_entries(const char *match, + char line[MAX_LINE_SIZE]; + size_t lineno = 0; + size_t len = 0; +- FILE *fp; ++ FILE *fp = NULL; + int rc; + + fp = fopen(filename, "r"); +@@ -288,7 +288,7 @@ static int ssh_known_hosts_read_entries(const char *match, + for (it = ssh_list_get_iterator(*entries); + it != NULL; + it = it->next) { +- struct ssh_knownhosts_entry *entry2; ++ struct ssh_knownhosts_entry *entry2 = NULL; + int cmp; + entry2 = ssh_iterator_value(struct ssh_knownhosts_entry *, it); + cmp = ssh_known_hosts_entries_compare(entry, entry2); +@@ -312,8 +312,8 @@ error: + + static char *ssh_session_get_host_port(ssh_session session) + { +- char *host_port; +- char *host; ++ char *host_port = NULL; ++ char *host = NULL; + + if (session->opts.host == NULL) { + ssh_set_error(session, +@@ -537,7 +537,7 @@ char *ssh_known_hosts_get_algorithms_names(ssh_session session) + char *host_port = NULL; + size_t count; + bool needcomma = false; +- char *names; ++ char *names = NULL; + + int rc; + +@@ -645,7 +645,7 @@ int ssh_known_hosts_parse_line(const char *hostname, + { + struct ssh_knownhosts_entry *e = NULL; + char *known_host = NULL; +- char *p; ++ char *p = NULL; + char *save_tok = NULL; + enum ssh_keytypes_e key_type; + int match = 0; +diff --git a/src/legacy.c b/src/legacy.c +index 7b165dbe..7359040c 100644 +--- a/src/legacy.c ++++ b/src/legacy.c +@@ -48,7 +48,7 @@ int ssh_auth_list(ssh_session session) { + int ssh_userauth_offer_pubkey(ssh_session session, const char *username, + int type, ssh_string publickey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + (void) type; /* unused */ +@@ -70,7 +70,7 @@ int ssh_userauth_pubkey(ssh_session session, + ssh_string publickey, + ssh_private_key privatekey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + (void) publickey; /* unused */ +@@ -389,10 +389,11 @@ void publickey_free(ssh_public_key key) { + SAFE_FREE(key); + } + +-ssh_public_key publickey_from_privatekey(ssh_private_key prv) { +- struct ssh_public_key_struct *p; +- ssh_key privkey; +- ssh_key pubkey; ++ssh_public_key publickey_from_privatekey(ssh_private_key prv) ++{ ++ struct ssh_public_key_struct *p = NULL; ++ ssh_key privkey = NULL; ++ ssh_key pubkey = NULL; + int rc; + + privkey = ssh_key_new(); +@@ -434,8 +435,8 @@ ssh_private_key privatekey_from_file(ssh_session session, + const char *passphrase) { + ssh_auth_callback auth_fn = NULL; + void *auth_data = NULL; +- ssh_private_key privkey; +- ssh_key key; ++ ssh_private_key privkey = NULL; ++ ssh_key key = NULL; + int rc; + + (void) type; /* unused */ +@@ -510,7 +511,7 @@ void privatekey_free(ssh_private_key prv) { + + ssh_string publickey_from_file(ssh_session session, const char *filename, + int *type) { +- ssh_key key; ++ ssh_key key = NULL; + ssh_string key_str = NULL; + int rc; + +@@ -543,9 +544,10 @@ int ssh_type_from_name(const char *name) { + return ssh_key_type_from_name(name); + } + +-ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) { +- struct ssh_public_key_struct *pubkey; +- ssh_key key; ++ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) ++{ ++ struct ssh_public_key_struct *pubkey = NULL; ++ ssh_key key = NULL; + int rc; + + (void) session; /* unused */ +@@ -579,9 +581,10 @@ ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) { + return pubkey; + } + +-ssh_string publickey_to_string(ssh_public_key pubkey) { +- ssh_key key; +- ssh_string key_blob; ++ssh_string publickey_to_string(ssh_public_key pubkey) ++{ ++ ssh_key key = NULL; ++ ssh_string key_blob = NULL; + int rc; + + if (pubkey == NULL) { +@@ -624,11 +627,11 @@ int ssh_publickey_to_file(ssh_session session, + ssh_string pubkey, + int type) + { +- FILE *fp; +- char *user; ++ FILE *fp = NULL; ++ char *user = NULL; + char buffer[1024]; + char host[256]; +- unsigned char *pubkey_64; ++ unsigned char *pubkey_64 = NULL; + size_t len; + int rc; + if(session==NULL) +@@ -695,9 +698,9 @@ int ssh_try_publickey_from_file(ssh_session session, + const char *keyfile, + ssh_string *publickey, + int *type) { +- char *pubkey_file; ++ char *pubkey_file = NULL; + size_t len; +- ssh_string pubkey_string; ++ ssh_string pubkey_string = NULL; + int pubkey_type; + + if (session == NULL || keyfile == NULL || publickey == NULL || type == NULL) { +diff --git a/src/libmbedcrypto.c b/src/libmbedcrypto.c +index 5e6d2465..f15eac0d 100644 +--- a/src/libmbedcrypto.c ++++ b/src/libmbedcrypto.c +@@ -133,7 +133,7 @@ cipher_init(struct ssh_cipher_struct *cipher, + void *IV) + { + const mbedtls_cipher_info_t *cipher_info = NULL; +- mbedtls_cipher_context_t *ctx; ++ mbedtls_cipher_context_t *ctx = NULL; + size_t key_bitlen = 0; + size_t iv_size = 0; + int rc; +diff --git a/src/log.c b/src/log.c +index 8ce1e71e..8369ebc7 100644 +--- a/src/log.c ++++ b/src/log.c +@@ -44,7 +44,7 @@ + + static LIBSSH_THREAD int ssh_log_level; + static LIBSSH_THREAD ssh_logging_callback ssh_log_cb; +-static LIBSSH_THREAD void *ssh_log_userdata; ++static LIBSSH_THREAD void *ssh_log_userdata = NULL; + + /** + * @defgroup libssh_log The SSH logging functions. +diff --git a/src/messages.c b/src/messages.c +index 91d23e7d..ceb42b2c 100644 +--- a/src/messages.c ++++ b/src/messages.c +@@ -479,7 +479,7 @@ static void ssh_message_queue(ssh_session session, ssh_message message) + */ + ssh_message ssh_message_pop_head(ssh_session session){ + ssh_message msg=NULL; +- struct ssh_iterator *i; ++ struct ssh_iterator *i = NULL; + if(session->ssh_message_list == NULL) + return NULL; + i=ssh_list_get_iterator(session->ssh_message_list); +@@ -493,7 +493,7 @@ ssh_message ssh_message_pop_head(ssh_session session){ + /* Returns 1 if there is a message available */ + static int ssh_message_termination(void *s){ + ssh_session session = s; +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + if(session->session_state == SSH_SESSION_STATE_ERROR) + return 1; + it = ssh_list_get_iterator(session->ssh_message_list); +@@ -694,7 +694,7 @@ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session, + ssh_string algo) + { + struct ssh_crypto_struct *crypto = NULL; +- ssh_buffer buffer; ++ ssh_buffer buffer = NULL; + ssh_string str=NULL; + int rc; + +@@ -933,9 +933,9 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){ + #ifdef WITH_GSSAPI + if (strcmp(method, "gssapi-with-mic") == 0) { + uint32_t n_oid; +- ssh_string *oids; +- ssh_string oid; +- char *hexa; ++ ssh_string *oids = NULL; ++ ssh_string oid = NULL; ++ char *hexa = NULL; + int i; + ssh_buffer_get_u32(packet, &n_oid); + n_oid=ntohl(n_oid); +@@ -1019,7 +1019,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){ + SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){ + uint32_t nanswers; + uint32_t i; +- ssh_string tmp; ++ ssh_string tmp = NULL; + int rc; + + ssh_message msg = NULL; +@@ -1251,7 +1251,7 @@ end: + * @returns SSH_OK on success, SSH_ERROR if an error occurred. + */ + int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_channel chan) { +- ssh_session session; ++ ssh_session session = NULL; + int rc; + + if (msg == NULL) { +@@ -1302,7 +1302,7 @@ int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_c + * @returns NULL in case of error + */ + ssh_channel ssh_message_channel_request_open_reply_accept(ssh_message msg) { +- ssh_channel chan; ++ ssh_channel chan = NULL; + int rc; + + if (msg == NULL) { +diff --git a/src/misc.c b/src/misc.c +index bef417b7..7bb431b6 100644 +--- a/src/misc.c ++++ b/src/misc.c +@@ -393,7 +393,7 @@ int ssh_is_ipaddr(const char *str) + + char *ssh_lowercase(const char* str) + { +- char *new, *p; ++ char *new = NULL, *p = NULL; + + if (str == NULL) { + return NULL; +@@ -447,7 +447,7 @@ char *ssh_hostport(const char *host, int port) + char *ssh_get_hexa(const unsigned char *what, size_t len) + { + const char h[] = "0123456789abcdef"; +- char *hexa; ++ char *hexa = NULL; + size_t i; + size_t hlen = len * 3; + +@@ -716,7 +716,7 @@ struct ssh_list *ssh_list_new(void) + + void ssh_list_free(struct ssh_list *list) + { +- struct ssh_iterator *ptr, *next; ++ struct ssh_iterator *ptr = NULL, *next = NULL; + if (!list) + return; + ptr = list->root; +@@ -737,7 +737,7 @@ struct ssh_iterator *ssh_list_get_iterator(const struct ssh_list *list) + + struct ssh_iterator *ssh_list_find(const struct ssh_list *list, void *value) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + for (it = ssh_list_get_iterator(list); it != NULL ; it = it->next) + if (it->data == value) +@@ -826,7 +826,7 @@ int ssh_list_prepend(struct ssh_list *list, const void *data) + + void ssh_list_remove(struct ssh_list *list, struct ssh_iterator *iterator) + { +- struct ssh_iterator *ptr, *prev; ++ struct ssh_iterator *ptr = NULL, *prev = NULL; + + if (list == NULL) { + return; +@@ -967,7 +967,7 @@ char *ssh_dirname (const char *path) + char *ssh_basename (const char *path) + { + char *new = NULL; +- const char *s; ++ const char *s = NULL; + size_t len; + + if (path == NULL || *path == '\0') { +@@ -1105,8 +1105,8 @@ int ssh_mkdirs(const char *pathname, mode_t mode) + */ + char *ssh_path_expand_tilde(const char *d) + { +- char *h = NULL, *r; +- const char *p; ++ char *h = NULL, *r = NULL; ++ const char *p = NULL; + size_t ld; + size_t lh = 0; + +@@ -1121,7 +1121,7 @@ char *ssh_path_expand_tilde(const char *d) + #ifdef _WIN32 + return strdup(d); + #else +- struct passwd *pw; ++ struct passwd *pw = NULL; + size_t s = p - d; + char u[128]; + +@@ -1182,7 +1182,7 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) + char *buf = NULL; + char *r = NULL; + char *x = NULL; +- const char *p; ++ const char *p = NULL; + size_t i, l; + + r = ssh_path_expand_tilde(s); +@@ -1335,8 +1335,8 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) + */ + int ssh_analyze_banner(ssh_session session, int server) + { +- const char *banner; +- const char *openssh; ++ const char *banner = NULL; ++ const char *openssh = NULL; + + if (server) { + banner = session->clientbanner; +diff --git a/src/options.c b/src/options.c +index 5e97d8fd..a8023fbf 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -67,7 +67,7 @@ + */ + int ssh_options_copy(ssh_session src, ssh_session *dest) + { +- ssh_session new; ++ ssh_session new = NULL; + struct ssh_iterator *it = NULL; + struct ssh_list *list = NULL; + char *id = NULL; +@@ -540,8 +540,8 @@ int ssh_options_set_algo(ssh_session session, + int ssh_options_set(ssh_session session, enum ssh_options_e type, + const void *value) + { +- const char *v; +- char *p, *q; ++ const char *v = NULL; ++ char *p = NULL, *q = NULL; + long int i; + unsigned int u; + int rc; +@@ -1227,7 +1227,7 @@ int ssh_options_get_port(ssh_session session, unsigned int* port_target) { + */ + int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value) + { +- char* src = NULL; ++ char *src = NULL; + + if (session == NULL) { + return SSH_ERROR; +@@ -1249,7 +1249,7 @@ int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value) + break; + } + case SSH_OPTIONS_IDENTITY: { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + it = ssh_list_get_iterator(session->opts.identity); + if (it == NULL) { + it = ssh_list_get_iterator(session->opts.identity_non_exp); +@@ -1502,7 +1502,7 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv) + */ + int ssh_options_parse_config(ssh_session session, const char *filename) + { +- char *expanded_filename; ++ char *expanded_filename = NULL; + int r; + + if (session == NULL) { +@@ -1548,7 +1548,7 @@ out: + + int ssh_options_apply(ssh_session session) + { +- char *tmp; ++ char *tmp = NULL; + int rc; + + if (session->opts.sshdir == NULL) { +@@ -1843,8 +1843,8 @@ int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type, + const void *value) + { + bool allowed; +- char *p, *q; +- const char *v; ++ char *p = NULL, *q = NULL; ++ const char *v = NULL; + int i, rc; + char **wanted_methods = sshbind->wanted_methods; + +@@ -2266,7 +2266,7 @@ static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s) + char *buf = NULL; + char *r = NULL; + char *x = NULL; +- const char *p; ++ const char *p = NULL; + size_t i, l; + + r = ssh_path_expand_tilde(s); +@@ -2372,7 +2372,7 @@ static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s) + int ssh_bind_options_parse_config(ssh_bind sshbind, const char *filename) + { + int rc = 0; +- char *expanded_filename; ++ char *expanded_filename = NULL; + + if (sshbind == NULL) { + return -1; +diff --git a/src/packet.c b/src/packet.c +index 1bb7b02d..891d120c 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -1423,8 +1423,8 @@ error: + static void ssh_packet_socket_controlflow_callback(int code, void *userdata) + { + ssh_session session = userdata; +- struct ssh_iterator *it; +- ssh_channel channel; ++ struct ssh_iterator *it = NULL; ++ ssh_channel channel = NULL; + + if (code == SSH_SOCKET_FLOW_WRITEWONTBLOCK) { + SSH_LOG(SSH_LOG_TRACE, "sending channel_write_wontblock callback"); +@@ -1885,7 +1885,7 @@ int ssh_packet_send(ssh_session session) + + /* We finished the key exchange so we can try to send our queue now */ + if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) { + /* reset packet sequence number when running in strict kex mode */ +diff --git a/src/packet_crypt.c b/src/packet_crypt.c +index fe3f489e..96e9586c 100644 +--- a/src/packet_crypt.c ++++ b/src/packet_crypt.c +@@ -262,7 +262,7 @@ int ssh_packet_hmac_verify(ssh_session session, + { + struct ssh_crypto_struct *crypto = NULL; + unsigned char hmacbuf[DIGEST_MAX_LEN] = {0}; +- HMACCTX ctx; ++ HMACCTX ctx = NULL; + size_t hmaclen = DIGEST_MAX_LEN; + uint32_t seq; + int cmp; +diff --git a/src/pki.c b/src/pki.c +index 512201d9..08a84c2f 100644 +--- a/src/pki.c ++++ b/src/pki.c +@@ -360,7 +360,7 @@ enum ssh_digest_e ssh_key_hash_from_name(const char *name) + */ + int ssh_key_algorithm_allowed(ssh_session session, const char *type) + { +- const char *allowed_list; ++ const char *allowed_list = NULL; + + if (session->client) { + allowed_list = session->opts.pubkey_accepted_types; +@@ -720,7 +720,7 @@ int ssh_key_cmp(const ssh_key k1, + + ssh_signature ssh_signature_new(void) + { +- struct ssh_signature_struct *sig; ++ struct ssh_signature_struct *sig = NULL; + + sig = malloc(sizeof(struct ssh_signature_struct)); + if (sig == NULL) { +@@ -812,7 +812,7 @@ int ssh_pki_import_privkey_base64(const char *b64_key, + void *auth_data, + ssh_key *pkey) + { +- ssh_key key; ++ ssh_key key = NULL; + char *openssh_header = NULL; + + if (b64_key == NULL || pkey == NULL) { +@@ -935,8 +935,8 @@ int ssh_pki_import_privkey_file(const char *filename, + void *auth_data, + ssh_key *pkey) { + struct stat sb; +- char *key_buf; +- FILE *file; ++ char *key_buf = NULL; ++ FILE *file = NULL; + off_t size; + int rc; + char err_msg[SSH_ERRNO_MSG_MAX] = {0}; +@@ -1084,8 +1084,8 @@ int ssh_pki_export_privkey_file(const ssh_key privkey, + /* temporary function to migrate seemlessly to ssh_key */ + ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) + { +- ssh_public_key pub; +- ssh_key tmp; ++ ssh_public_key pub = NULL; ++ ssh_key tmp = NULL; + + if (key == NULL) { + return NULL; +@@ -1122,7 +1122,7 @@ ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) + + ssh_private_key ssh_pki_convert_key_to_privatekey(const ssh_key key) + { +- ssh_private_key privkey; ++ ssh_private_key privkey = NULL; + + privkey = calloc(1, sizeof(struct ssh_private_key_struct)); + if (privkey == NULL) { +@@ -1512,9 +1512,9 @@ static int pki_import_cert_buffer(ssh_buffer buffer, + enum ssh_keytypes_e type, + ssh_key *pkey) + { +- ssh_buffer cert; +- ssh_string tmp_s; +- const char *type_c; ++ ssh_buffer cert = NULL; ++ ssh_string tmp_s = NULL; ++ const char *type_c = NULL; + ssh_key key = NULL; + int rc; + +@@ -2056,7 +2056,7 @@ error: + int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey, + ssh_key *pkey) + { +- ssh_key pubkey; ++ ssh_key pubkey = NULL; + + if (privkey == NULL || !ssh_key_is_private(privkey)) { + return SSH_ERROR; +@@ -2094,7 +2094,7 @@ int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey, + int ssh_pki_export_pubkey_blob(const ssh_key key, + ssh_string *pblob) + { +- ssh_string blob; ++ ssh_string blob = NULL; + + if (key == NULL) { + return SSH_OK; +@@ -2124,8 +2124,8 @@ int ssh_pki_export_pubkey_blob(const ssh_key key, + int ssh_pki_export_pubkey_base64(const ssh_key key, + char **b64_key) + { +- ssh_string key_blob; +- unsigned char *b64; ++ ssh_string key_blob = NULL; ++ unsigned char *b64 = NULL; + + if (key == NULL || b64_key == NULL) { + return SSH_ERROR; +@@ -2152,9 +2152,9 @@ int ssh_pki_export_pubkey_file(const ssh_key key, + { + char key_buf[MAX_LINE_SIZE]; + char host[256]; +- char *b64_key; +- char *user; +- FILE *fp; ++ char *b64_key = NULL; ++ char *user = NULL; ++ FILE *fp = NULL; + int rc; + + if (key == NULL || filename == NULL || *filename == '\0') { +@@ -2215,7 +2215,7 @@ int ssh_pki_export_pubkey_file(const ssh_key key, + * @returns SSH_OK on success, SSH_ERROR otherwise. + **/ + int ssh_pki_copy_cert_to_privkey(const ssh_key certkey, ssh_key privkey) { +- ssh_buffer cert_buffer; ++ ssh_buffer cert_buffer = NULL; + int rc; + + if (certkey == NULL || privkey == NULL) { +@@ -2250,7 +2250,7 @@ int ssh_pki_export_signature_blob(const ssh_signature sig, + ssh_string *sig_blob) + { + ssh_buffer buf = NULL; +- ssh_string str; ++ ssh_string str = NULL; + int rc; + + if (sig == NULL || sig_blob == NULL) { +@@ -2314,7 +2314,7 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob, + enum ssh_keytypes_e type; + enum ssh_digest_e hash_type; + ssh_string algorithm = NULL, blob = NULL; +- ssh_buffer buf; ++ ssh_buffer buf = NULL; + const char *alg = NULL; + uint8_t flags = 0; + uint32_t counter = 0; +@@ -2674,9 +2674,9 @@ ssh_string ssh_pki_do_sign_agent(ssh_session session, + const ssh_key pubkey) + { + struct ssh_crypto_struct *crypto = NULL; +- ssh_string session_id; +- ssh_string sig_blob; +- ssh_buffer sig_buf; ++ ssh_string session_id = NULL; ++ ssh_string sig_blob = NULL; ++ ssh_buffer sig_buf = NULL; + int rc; + + crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_BOTH); +diff --git a/src/pki_container_openssh.c b/src/pki_container_openssh.c +index eed977f8..58d03fc4 100644 +--- a/src/pki_container_openssh.c ++++ b/src/pki_container_openssh.c +@@ -234,12 +234,12 @@ ssh_pki_openssh_import(const char *text_key, + bool private) + { + const char *ptr = text_key; +- const char *end; +- char *base64; ++ const char *end = NULL; ++ char *base64 = NULL; + int cmp; + int rc; + int i; +- ssh_buffer buffer = NULL, privkey_buffer=NULL; ++ ssh_buffer buffer = NULL, privkey_buffer = NULL; + char *magic = NULL, *ciphername = NULL, *kdfname = NULL; + uint32_t nkeys = 0, checkint1 = 0, checkint2 = 0xFFFF; + ssh_string kdfoptions = NULL; +@@ -536,16 +536,16 @@ ssh_string ssh_pki_openssh_privkey_export(const ssh_key privkey, + ssh_auth_callback auth_fn, + void *auth_data) + { +- ssh_buffer buffer; ++ ssh_buffer buffer = NULL; + ssh_string str = NULL; + ssh_string pubkey_s=NULL; + ssh_buffer privkey_buffer = NULL; + uint32_t rnd; + uint32_t rounds = 16; +- ssh_string salt=NULL; +- ssh_string kdf_options=NULL; ++ ssh_string salt = NULL; ++ ssh_string kdf_options = NULL; + int to_encrypt=0; +- unsigned char *b64; ++ unsigned char *b64 = NULL; + uint32_t str_len, len; + uint8_t padding = 1; + int ok; +diff --git a/src/pki_crypto.c b/src/pki_crypto.c +index fa233e70..b99a6e8c 100644 +--- a/src/pki_crypto.c ++++ b/src/pki_crypto.c +@@ -2048,9 +2048,9 @@ ssh_string pki_publickey_to_blob(const ssh_key key) + * #if OPENSSL_VERSION_NUMBER >= 0x30000000L + */ + #if 0 +- const void *pubkey; ++ const void *pubkey = NULL; + size_t pubkey_len; +- OSSL_PARAM *params, *locate_param; ++ OSSL_PARAM *params = NULL, *locate_param = NULL; + #endif /* OPENSSL_VERSION_NUMBER */ + + type_s = ssh_string_from_char(pki_key_ecdsa_nid_to_char(key->ecdsa_nid)); +@@ -2308,7 +2308,7 @@ static ssh_string pki_ecdsa_signature_to_blob(const ssh_signature sig) + const unsigned char *raw_sig_data = NULL; + size_t raw_sig_len; + +- ECDSA_SIG *ecdsa_sig; ++ ECDSA_SIG *ecdsa_sig = NULL; + + int rc; + +@@ -2625,8 +2625,8 @@ static int pki_signature_from_ecdsa_blob(UNUSED_PARAM(const ssh_key pubkey), + ECDSA_SIG *ecdsa_sig = NULL; + BIGNUM *pr = NULL, *ps = NULL; + +- ssh_string r; +- ssh_string s; ++ ssh_string r = NULL; ++ ssh_string s = NULL; + + ssh_buffer buf = NULL; + uint32_t rlen; +diff --git a/src/pki_ed25519.c b/src/pki_ed25519.c +index 6a5a4a8a..0674fb63 100644 +--- a/src/pki_ed25519.c ++++ b/src/pki_ed25519.c +@@ -62,7 +62,7 @@ int pki_ed25519_sign(const ssh_key privkey, + size_t hlen) + { + int rc; +- uint8_t *buffer; ++ uint8_t *buffer = NULL; + uint64_t dlen = 0; + + buffer = malloc(hlen + ED25519_SIG_LEN); +@@ -104,8 +104,8 @@ int pki_ed25519_verify(const ssh_key pubkey, + size_t hlen) + { + uint64_t mlen = 0; +- uint8_t *buffer; +- uint8_t *buffer2; ++ uint8_t *buffer = NULL; ++ uint8_t *buffer2 = NULL; + int rc; + + if (pubkey == NULL || sig == NULL || +diff --git a/src/pki_ed25519_common.c b/src/pki_ed25519_common.c +index 15c9abef..2818a000 100644 +--- a/src/pki_ed25519_common.c ++++ b/src/pki_ed25519_common.c +@@ -213,7 +213,7 @@ int pki_ed25519_public_key_to_blob(ssh_buffer buffer, ssh_key key) + */ + ssh_string pki_ed25519_signature_to_blob(ssh_signature sig) + { +- ssh_string sig_blob; ++ ssh_string sig_blob = NULL; + int rc; + + #ifdef HAVE_OPENSSL_ED25519 +diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c +index 702b9b2b..be527c1c 100644 +--- a/src/pki_gcrypt.c ++++ b/src/pki_gcrypt.c +@@ -152,7 +152,7 @@ static ssh_string asn1_get_int(ssh_buffer buffer) { + + static ssh_string asn1_get_bit_string(ssh_buffer buffer) + { +- ssh_string str; ++ ssh_string str = NULL; + unsigned char type; + uint32_t size; + unsigned char unused, last, *p; +@@ -1882,9 +1882,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) + case SSH_KEYTYPE_ECDSA_P521: + #ifdef HAVE_GCRYPT_ECC + { +- ssh_string R; +- ssh_string S; +- ssh_buffer b; ++ ssh_string R = NULL; ++ ssh_string S = NULL; ++ ssh_buffer b = NULL; + + b = ssh_buffer_new(); + if (b == NULL) { +@@ -2054,8 +2054,8 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, + case SSH_KEYTYPE_SK_ECDSA: + #ifdef HAVE_GCRYPT_ECC + { /* build ecdsa siganature */ +- ssh_buffer b; +- ssh_string r, s; ++ ssh_buffer b = NULL; ++ ssh_string r = NULL, s = NULL; + uint32_t rlen; + + b = ssh_buffer_new(); +diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c +index 045bad50..1a57ab71 100644 +--- a/src/pki_mbedcrypto.c ++++ b/src/pki_mbedcrypto.c +@@ -1078,9 +1078,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: { +- ssh_string r; +- ssh_string s; +- ssh_buffer b; ++ ssh_string r = NULL; ++ ssh_string s = NULL; ++ ssh_buffer b = NULL; + int rc; + + b = ssh_buffer_new(); +@@ -1234,9 +1234,9 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: + case SSH_KEYTYPE_SK_ECDSA: { +- ssh_buffer b; +- ssh_string r; +- ssh_string s; ++ ssh_buffer b = NULL; ++ ssh_string r = NULL; ++ ssh_string s = NULL; + size_t rlen; + + b = ssh_buffer_new(); +diff --git a/src/poll.c b/src/poll.c +index 1246f456..ea336003 100644 +--- a/src/poll.c ++++ b/src/poll.c +@@ -553,8 +553,8 @@ void ssh_poll_ctx_free(ssh_poll_ctx ctx) + + static int ssh_poll_ctx_resize(ssh_poll_ctx ctx, size_t new_size) + { +- ssh_poll_handle *pollptrs; +- ssh_pollfd_t *pollfds; ++ ssh_poll_handle *pollptrs = NULL; ++ ssh_pollfd_t *pollfds = NULL; + + pollptrs = realloc(ctx->pollptrs, sizeof(ssh_poll_handle) * new_size); + if (pollptrs == NULL) { +@@ -839,7 +839,7 @@ ssh_event_add_fd(ssh_event event, socket_t fd, short events, + ssh_event_callback cb, void *userdata) + { + ssh_poll_handle p; +- struct ssh_event_fd_wrapper *pw; ++ struct ssh_event_fd_wrapper *pw = NULL; + + if(event == NULL || event->ctx == NULL || cb == NULL + || fd == SSH_INVALID_SOCKET) { +@@ -909,7 +909,7 @@ int ssh_event_add_session(ssh_event event, ssh_session session) + { + ssh_poll_handle p; + #ifdef WITH_SERVER +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + #endif + + if(event == NULL || event->ctx == NULL || session == NULL) { +@@ -1056,7 +1056,7 @@ int ssh_event_remove_session(ssh_event event, ssh_session session) + register size_t i, used; + int rc = SSH_ERROR; + #ifdef WITH_SERVER +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + #endif + + if (event == NULL || event->ctx == NULL || session == NULL) { +diff --git a/src/server.c b/src/server.c +index fb6b1190..f974fdfa 100644 +--- a/src/server.c ++++ b/src/server.c +@@ -85,8 +85,8 @@ int server_set_kex(ssh_session session) + { + struct ssh_kex_struct *server = &session->next_crypto->server_kex; + int i, j, rc; +- const char *wanted, *allowed; +- char *kept; ++ const char *wanted = NULL, *allowed = NULL; ++ char *kept = NULL; + char hostkeys[128] = {0}; + enum ssh_keytypes_e keytype; + size_t len; +@@ -220,9 +220,10 @@ int ssh_server_init_kex(ssh_session session) { + return server_set_kex(session); + } + +-static int ssh_server_send_extensions(ssh_session session) { ++static int ssh_server_send_extensions(ssh_session session) ++{ + int rc; +- const char *hostkey_algorithms; ++ const char *hostkey_algorithms = NULL; + + SSH_LOG(SSH_LOG_PACKET, "Sending SSH_MSG_EXT_INFO"); + +@@ -287,8 +288,8 @@ ssh_get_key_params(ssh_session session, + ssh_key *privkey, + enum ssh_digest_e *digest) + { +- ssh_key pubkey; +- ssh_string pubkey_blob; ++ ssh_key pubkey = NULL; ++ ssh_string pubkey_blob = NULL; + int rc; + + switch(session->srv.hostkey) { +@@ -717,7 +718,7 @@ static int ssh_message_service_request_reply_default(ssh_message msg) { + } + + int ssh_message_service_reply_success(ssh_message msg) { +- ssh_session session; ++ ssh_session session = NULL; + int rc; + + if (msg == NULL) { +@@ -1064,7 +1065,7 @@ int ssh_message_auth_reply_pk_ok(ssh_message msg, ssh_string algo, ssh_string pu + } + + int ssh_message_auth_reply_pk_ok_simple(ssh_message msg) { +- ssh_string algo; ++ ssh_string algo = NULL; + ssh_string pubkey_blob = NULL; + int ret; + +diff --git a/src/session.c b/src/session.c +index eb63cdb1..46b00cd5 100644 +--- a/src/session.c ++++ b/src/session.c +@@ -58,7 +58,7 @@ + */ + ssh_session ssh_new(void) + { +- ssh_session session; ++ ssh_session session = NULL; + char *id = NULL; + int rc; + +@@ -280,7 +280,7 @@ void ssh_free(ssh_session session) + + /* options */ + if (session->opts.identity) { +- char *id; ++ char *id = NULL; + + for (id = ssh_list_pop_head(char *, session->opts.identity); + id != NULL; +@@ -291,7 +291,7 @@ void ssh_free(ssh_session session) + } + + if (session->opts.identity_non_exp) { +- char *id; ++ char *id = NULL; + + for (id = ssh_list_pop_head(char *, session->opts.identity_non_exp); + id != NULL; +@@ -1150,7 +1150,7 @@ int ssh_get_publickey_hash(const ssh_key key, + unsigned char **hash, + size_t *hlen) + { +- ssh_string blob; ++ ssh_string blob = NULL; + unsigned char *h = NULL; + int rc; + +@@ -1162,7 +1162,7 @@ int ssh_get_publickey_hash(const ssh_key key, + switch (type) { + case SSH_PUBLICKEY_HASH_SHA1: + { +- SHACTX ctx; ++ SHACTX ctx = NULL; + + h = calloc(1, SHA_DIGEST_LEN); + if (h == NULL) { +@@ -1194,7 +1194,7 @@ int ssh_get_publickey_hash(const ssh_key key, + break; + case SSH_PUBLICKEY_HASH_SHA256: + { +- SHA256CTX ctx; ++ SHA256CTX ctx = NULL; + + h = calloc(1, SHA256_DIGEST_LEN); + if (h == NULL) { +@@ -1226,7 +1226,7 @@ int ssh_get_publickey_hash(const ssh_key key, + break; + case SSH_PUBLICKEY_HASH_MD5: + { +- MD5CTX ctx; ++ MD5CTX ctx = NULL; + + /* In FIPS mode, we cannot use MD5 */ + if (ssh_fips_mode()) { +diff --git a/src/sftpserver.c b/src/sftpserver.c +index b3349e16..528ef6f9 100644 +--- a/src/sftpserver.c ++++ b/src/sftpserver.c +@@ -299,8 +299,8 @@ void sftp_client_message_free(sftp_client_message msg) { + + int sftp_reply_name(sftp_client_message msg, const char *name, + sftp_attributes attr) { +- ssh_buffer out; +- ssh_string file; ++ ssh_buffer out = NULL; ++ ssh_string file = NULL; + + out = ssh_buffer_new(); + if (out == NULL) { +@@ -369,7 +369,7 @@ int sftp_reply_attr(sftp_client_message msg, sftp_attributes attr) { + + int sftp_reply_names_add(sftp_client_message msg, const char *file, + const char *longname, sftp_attributes attr) { +- ssh_string name; ++ ssh_string name = NULL; + + name = ssh_string_from_char(file); + if (name == NULL) { +@@ -435,8 +435,8 @@ int sftp_reply_names(sftp_client_message msg) { + + int sftp_reply_status(sftp_client_message msg, uint32_t status, + const char *message) { +- ssh_buffer out; +- ssh_string s; ++ ssh_buffer out = NULL; ++ ssh_string s = NULL; + + out = ssh_buffer_new(); + if (out == NULL) { +@@ -492,7 +492,7 @@ int sftp_reply_data(sftp_client_message msg, const void *data, int len) { + * valid info (or worse). + */ + ssh_string sftp_handle_alloc(sftp_session sftp, void *info) { +- ssh_string ret; ++ ssh_string ret = NULL; + uint32_t val; + uint32_t i; + +diff --git a/src/string.c b/src/string.c +index 44403487..0ab9310c 100644 +--- a/src/string.c ++++ b/src/string.c +@@ -106,7 +106,7 @@ int ssh_string_fill(struct ssh_string_struct *s, const void *data, size_t len) { + * @note The null byte is not copied nor counted in the output string. + */ + struct ssh_string_struct *ssh_string_from_char(const char *what) { +- struct ssh_string_struct *ptr; ++ struct ssh_string_struct *ptr = NULL; + size_t len; + + if(what == NULL) { +@@ -180,7 +180,7 @@ const char *ssh_string_get_char(struct ssh_string_struct *s) + */ + char *ssh_string_to_char(struct ssh_string_struct *s) { + size_t len; +- char *new; ++ char *new = NULL; + + if (s == NULL) { + return NULL; +@@ -219,7 +219,7 @@ void ssh_string_free_char(char *s) { + * @return Newly allocated copy of the string, NULL on error. + */ + struct ssh_string_struct *ssh_string_copy(struct ssh_string_struct *s) { +- struct ssh_string_struct *new; ++ struct ssh_string_struct *new = NULL; + size_t len; + + if (s == NULL) { +diff --git a/src/threads/winlocks.c b/src/threads/winlocks.c +index da600418..e63635e7 100644 +--- a/src/threads/winlocks.c ++++ b/src/threads/winlocks.c +@@ -82,7 +82,7 @@ static struct ssh_threads_callbacks_struct ssh_threads_winlock = + + void ssh_mutex_lock(SSH_MUTEX *mutex) + { +- void *rc; ++ void *rc = NULL; + + CRITICAL_SECTION *mutex_tmp = NULL; + +diff --git a/src/wrapper.c b/src/wrapper.c +index f9727bcf..ecf6fbfe 100644 +--- a/src/wrapper.c ++++ b/src/wrapper.c +@@ -152,7 +152,7 @@ static void cipher_free(struct ssh_cipher_struct *cipher) { + + struct ssh_crypto_struct *crypto_new(void) + { +- struct ssh_crypto_struct *crypto; ++ struct ssh_crypto_struct *crypto = NULL; + + crypto = malloc(sizeof(struct ssh_crypto_struct)); + if (crypto == NULL) { +-- +2.53.0 + + +From 5fa0eeef8c6e2cd28214b10ecbb40ae68a3903d8 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 28 Apr 2025 11:04:55 +0200 +Subject: [PATCH 2/2] CVE-2025-4878 legacy: Properly check return value to + avoid NULL pointer dereference + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider +--- + src/legacy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/legacy.c b/src/legacy.c +index 7359040c..f73ef6cc 100644 +--- a/src/legacy.c ++++ b/src/legacy.c +@@ -452,7 +452,7 @@ ssh_private_key privatekey_from_file(ssh_session session, + auth_fn, + auth_data, + &key); +- if (rc == SSH_ERROR) { ++ if (rc != SSH_OK) { + return NULL; + } + +-- +2.53.0 + diff --git a/CVE-2025-5351.patch b/CVE-2025-5351.patch new file mode 100644 index 0000000..6c06391 --- /dev/null +++ b/CVE-2025-5351.patch @@ -0,0 +1,27 @@ +From f9cbbd9359dc17a0388d7b7731546dedb0c34de5 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 6 May 2025 22:43:31 +0200 +Subject: [PATCH] CVE-2025-5351 pki_crypto: Avoid double-free on low-memory + conditions + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider +--- + src/pki_crypto.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/pki_crypto.c b/src/pki_crypto.c +index b99a6e8c..bde19238 100644 +--- a/src/pki_crypto.c ++++ b/src/pki_crypto.c +@@ -2023,6 +2023,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key) + bignum_safe_free(bn); + bignum_safe_free(be); + OSSL_PARAM_free(params); ++ params = NULL; + #endif /* OPENSSL_VERSION_NUMBER */ + break; + } +-- +2.53.0 + diff --git a/CVE-2025-8114.patch b/CVE-2025-8114.patch new file mode 100644 index 0000000..79f886c --- /dev/null +++ b/CVE-2025-8114.patch @@ -0,0 +1,45 @@ +From 7a76f6e268e4293e64358f65d1c253de5c40f875 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 6 Aug 2025 15:17:59 +0200 +Subject: [PATCH] CVE-2025-8114: Fix NULL pointer dereference after allocation + failure + +Signed-off-by: Andreas Schneider +Reviewed-by: Jakub Jelen +(cherry picked from commit 53ac23ded4cb2c5463f6c4cd1525331bd578812d) +--- + src/kex.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/kex.c b/src/kex.c +index f71482fd..64aacb9e 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -1494,6 +1494,8 @@ int ssh_make_sessionid(ssh_session session) + ssh_log_hexdump("hash buffer", ssh_buffer_get(buf), ssh_buffer_get_len(buf)); + #endif + ++ /* Set rc for the following switch statement in case we goto error. */ ++ rc = SSH_ERROR; + switch (session->next_crypto->kex_type) { + case SSH_KEX_DH_GROUP1_SHA1: + case SSH_KEX_DH_GROUP14_SHA1: +@@ -1553,6 +1555,7 @@ int ssh_make_sessionid(ssh_session session) + session->next_crypto->secret_hash); + break; + } ++ + /* During the first kex, secret hash and session ID are equal. However, after + * a key re-exchange, a new secret hash is calculated. This hash will not replace + * but complement existing session id. +@@ -1561,6 +1564,7 @@ int ssh_make_sessionid(ssh_session session) + session->next_crypto->session_id = malloc(session->next_crypto->digest_len); + if (session->next_crypto->session_id == NULL) { + ssh_set_error_oom(session); ++ rc = SSH_ERROR; + goto error; + } + memcpy(session->next_crypto->session_id, session->next_crypto->secret_hash, +-- +2.53.0 + diff --git a/CVE-2025-8277.patch b/CVE-2025-8277.patch new file mode 100644 index 0000000..c23fed6 --- /dev/null +++ b/CVE-2025-8277.patch @@ -0,0 +1,184 @@ +From a55ed6b67033dace401dc42c312d7b3c0ec740a3 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 5 Aug 2025 18:42:31 +0200 +Subject: [PATCH 1/3] CVE-2025-8277: packet: Adjust packet filter to work when + DH-GEX is guessed wrongly + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider +(cherry picked from commit 4310a696f2d632c6742678077d703d9b9ff3bc0e) +--- + src/packet.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/packet.c b/src/packet.c +index 891d120c..af9a55da 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -294,6 +294,7 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se + * or session_state == SSH_SESSION_STATE_INITIAL_KEX + * - dh_handshake_state == DH_STATE_INIT + * or dh_handshake_state == DH_STATE_INIT_SENT (re-exchange) ++ * or dh_handshake_state == DH_STATE_REQUEST_SENT (dh-gex) + * or dh_handshake_state == DH_STATE_FINISHED (re-exchange) + * + * Transitions: +@@ -313,6 +314,7 @@ static enum ssh_packet_filter_result_e ssh_packet_incoming_filter(ssh_session se + + if ((session->dh_handshake_state != DH_STATE_INIT) && + (session->dh_handshake_state != DH_STATE_INIT_SENT) && ++ (session->dh_handshake_state != DH_STATE_REQUEST_SENT) && + (session->dh_handshake_state != DH_STATE_FINISHED)) + { + rc = SSH_PACKET_DENIED; +-- +2.53.0 + + +From 00bdcdc96ca6e367a2a2dd05ff56ca9e6e516f45 Mon Sep 17 00:00:00 2001 +From: Francesco Rollo +Date: Thu, 24 Jul 2025 16:30:07 +0300 +Subject: [PATCH 2/3] CVE-2025-8277: Fix memory leak of unused ephemeral key + pair after client's wrong KEX guess + +Signed-off-by: Francesco Rollo +Reviewed-by: Andreas Schneider +(cherry picked from commit ccff22d3787c1355b3f0dcd09fe54d90acc55bf1) +--- + src/dh_crypto.c | 5 +++++ + src/dh_key.c | 5 +++++ + src/ecdh_crypto.c | 5 +++++ + src/ecdh_gcrypt.c | 6 ++++++ + src/ecdh_mbedcrypto.c | 6 ++++++ + 5 files changed, 27 insertions(+) + +diff --git a/src/dh_crypto.c b/src/dh_crypto.c +index 85249bfc..60f35912 100644 +--- a/src/dh_crypto.c ++++ b/src/dh_crypto.c +@@ -407,6 +407,11 @@ int ssh_dh_init_common(struct ssh_crypto_struct *crypto) + struct dh_ctx *ctx = NULL; + int rc; + ++ /* Cleanup any previously allocated dh_ctx */ ++ if (crypto->dh_ctx != NULL) { ++ ssh_dh_cleanup(crypto); ++ } ++ + ctx = calloc(1, sizeof(*ctx)); + if (ctx == NULL) { + return SSH_ERROR; +diff --git a/src/dh_key.c b/src/dh_key.c +index bda54b17..637b1b44 100644 +--- a/src/dh_key.c ++++ b/src/dh_key.c +@@ -237,6 +237,11 @@ int ssh_dh_init_common(struct ssh_crypto_struct *crypto) + struct dh_ctx *ctx = NULL; + int rc; + ++ /* Cleanup any previously allocated dh_ctx */ ++ if (crypto->dh_ctx != NULL) { ++ ssh_dh_cleanup(crypto); ++ } ++ + ctx = calloc(1, sizeof(*ctx)); + if (ctx == NULL) { + return SSH_ERROR; +diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c +index 178d9060..c61b6ce4 100644 +--- a/src/ecdh_crypto.c ++++ b/src/ecdh_crypto.c +@@ -219,6 +219,11 @@ int ssh_client_ecdh_init(ssh_session session){ + return SSH_ERROR; + } + ++ if (session->next_crypto->ecdh_privkey != NULL) { ++ EC_KEY_free(session->next_crypto->ecdh_privkey); ++ session->next_crypto->ecdh_privkey = NULL; ++ } ++ + session->next_crypto->ecdh_privkey = key; + session->next_crypto->ecdh_client_pubkey = client_pubkey; + +diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c +index 722428c2..f49e8eb2 100644 +--- a/src/ecdh_gcrypt.c ++++ b/src/ecdh_gcrypt.c +@@ -101,6 +101,12 @@ int ssh_client_ecdh_init(ssh_session session) + goto out; + } + ++ /* Free any previously allocated privkey */ ++ if (session->next_crypto->ecdh_privkey != NULL) { ++ gcry_sexp_release(session->next_crypto->ecdh_privkey); ++ session->next_crypto->ecdh_privkey = NULL; ++ } ++ + session->next_crypto->ecdh_privkey = key; + key = NULL; + session->next_crypto->ecdh_client_pubkey = client_pubkey; +diff --git a/src/ecdh_mbedcrypto.c b/src/ecdh_mbedcrypto.c +index 1d9c8f36..d31bfcc7 100644 +--- a/src/ecdh_mbedcrypto.c ++++ b/src/ecdh_mbedcrypto.c +@@ -70,6 +70,12 @@ int ssh_client_ecdh_init(ssh_session session) + return SSH_ERROR; + } + ++ /* Free any previously allocated privkey */ ++ if (session->next_crypto->ecdh_privkey != NULL) { ++ mbedtls_ecp_keypair_free(session->next_crypto->ecdh_privkey); ++ SAFE_FREE(session->next_crypto->ecdh_privkey); ++ } ++ + session->next_crypto->ecdh_privkey = malloc(sizeof(mbedtls_ecp_keypair)); + if (session->next_crypto->ecdh_privkey == NULL) { + return SSH_ERROR; +-- +2.53.0 + + +From 2bdddb2bd34cdd563de9227d74c5a21784c03d3d Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 6 Aug 2025 11:10:38 +0200 +Subject: [PATCH 3/3] CVE-2025-8277: ecdh: Free previously allocated pubkeys + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider +(cherry picked from commit c9d95ab0c7a52b231bcec09afbea71944ed0d852) +--- + src/ecdh_crypto.c | 1 + + src/ecdh_gcrypt.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c +index c61b6ce4..5694b083 100644 +--- a/src/ecdh_crypto.c ++++ b/src/ecdh_crypto.c +@@ -223,6 +223,7 @@ int ssh_client_ecdh_init(ssh_session session){ + EC_KEY_free(session->next_crypto->ecdh_privkey); + session->next_crypto->ecdh_privkey = NULL; + } ++ SSH_STRING_FREE(session->next_crypto->ecdh_client_pubkey); + + session->next_crypto->ecdh_privkey = key; + session->next_crypto->ecdh_client_pubkey = client_pubkey; +diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c +index f49e8eb2..ee5350cd 100644 +--- a/src/ecdh_gcrypt.c ++++ b/src/ecdh_gcrypt.c +@@ -106,9 +106,10 @@ int ssh_client_ecdh_init(ssh_session session) + gcry_sexp_release(session->next_crypto->ecdh_privkey); + session->next_crypto->ecdh_privkey = NULL; + } +- + session->next_crypto->ecdh_privkey = key; + key = NULL; ++ ++ SSH_STRING_FREE(session->next_crypto->ecdh_client_pubkey); + session->next_crypto->ecdh_client_pubkey = client_pubkey; + client_pubkey = NULL; + +-- +2.53.0 + diff --git a/CVE-2026-0964.patch b/CVE-2026-0964.patch new file mode 100644 index 0000000..b32916c --- /dev/null +++ b/CVE-2026-0964.patch @@ -0,0 +1,42 @@ +From 5be2d4950b4030da2f95299e12905ea9e51dbedf Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 22 Dec 2025 19:16:44 +0100 +Subject: [PATCH] CVE-2026-0964 scp: Reject invalid paths received through scp + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider +(cherry picked from commit daa80818f89347b4d80b0c5b80659f9a9e55e8cc) +--- + src/scp.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/src/scp.c b/src/scp.c +index 04eb4f1b..a33af16b 100644 +--- a/src/scp.c ++++ b/src/scp.c +@@ -848,6 +848,22 @@ int ssh_scp_pull_request(ssh_scp scp) + size = strtoull(tmp, NULL, 10); + p++; + name = strdup(p); ++ /* Catch invalid name: ++ * - empty ones ++ * - containing any forward slash -- directory traversal handled ++ * differently ++ * - special names "." and ".." referring to the current and parent ++ * directories -- they are not expected either ++ */ ++ if (name == NULL || name[0] == '\0' || strchr(name, '/') || ++ strcmp(name, ".") == 0 || strcmp(name, "..") == 0) { ++ ssh_set_error(scp->session, ++ SSH_FATAL, ++ "Received invalid filename: %s", ++ name == NULL ? "" : name); ++ SAFE_FREE(name); ++ goto error; ++ } + SAFE_FREE(scp->request_name); + scp->request_name = name; + if (buffer[0] == 'C') { +-- +2.53.0 + diff --git a/CVE-2026-0965.patch b/CVE-2026-0965.patch new file mode 100644 index 0000000..9c177a0 --- /dev/null +++ b/CVE-2026-0965.patch @@ -0,0 +1,273 @@ +From 63079a26261b5ea6736fcdf68077135e7f2c991d Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 11 Dec 2025 17:33:19 +0100 +Subject: [PATCH] CVE-2026-0965 config: Do not attempt to read non-regular and + too large configuration files + +Changes also the reading of known_hosts to use the new helper function + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider +(cherry picked from commit a5eb30dbfd8f3526b2d04bd9f0a3803b665f5798) +--- + include/libssh/misc.h | 4 ++ + include/libssh/priv.h | 3 ++ + src/bind_config.c | 4 +- + src/config.c | 5 ++- + src/dh-gex.c | 4 +- + src/known_hosts.c | 2 +- + src/knownhosts.c | 2 +- + src/misc.c | 74 ++++++++++++++++++++++++++++++++ + tests/unittests/torture_config.c | 19 ++++++++ + 9 files changed, 109 insertions(+), 8 deletions(-) + +diff --git a/include/libssh/misc.h b/include/libssh/misc.h +index 47a423f2..3452251d 100644 +--- a/include/libssh/misc.h ++++ b/include/libssh/misc.h +@@ -21,6 +21,8 @@ + #ifndef MISC_H_ + #define MISC_H_ + ++#include ++ + /* in misc.c */ + /* gets the user home dir. */ + char *ssh_get_user_home_dir(void); +@@ -102,4 +104,6 @@ char *ssh_strreplace(const char *src, const char *pattern, const char *repl); + + int ssh_check_hostname_syntax(const char *hostname); + ++FILE *ssh_strict_fopen(const char *filename, size_t max_file_size); ++ + #endif /* MISC_H_ */ +diff --git a/include/libssh/priv.h b/include/libssh/priv.h +index bab761b0..876ea4ed 100644 +--- a/include/libssh/priv.h ++++ b/include/libssh/priv.h +@@ -434,4 +434,7 @@ bool is_ssh_initialized(void); + #define SSH_ERRNO_MSG_MAX 1024 + char *ssh_strerror(int err_num, char *buf, size_t buflen); + ++/** The default maximum file size for a configuration file */ ++#define SSH_MAX_CONFIG_FILE_SIZE 16 * 1024 * 1024 ++ + #endif /* _LIBSSH_PRIV_H */ +diff --git a/src/bind_config.c b/src/bind_config.c +index 9e4a7fd4..c12f1003 100644 +--- a/src/bind_config.c ++++ b/src/bind_config.c +@@ -212,7 +212,7 @@ local_parse_file(ssh_bind bind, + return; + } + +- f = fopen(filename, "r"); ++ f = ssh_strict_fopen(filename, SSH_MAX_CONFIG_FILE_SIZE); + if (f == NULL) { + SSH_LOG(SSH_LOG_RARE, "Cannot find file %s to load", + filename); +@@ -636,7 +636,7 @@ int ssh_bind_config_parse_file(ssh_bind bind, const char *filename) + * option to be redefined later by another file. */ + uint8_t seen[BIND_CFG_MAX] = {0}; + +- f = fopen(filename, "r"); ++ f = ssh_strict_fopen(filename, SSH_MAX_CONFIG_FILE_SIZE); + if (f == NULL) { + return 0; + } +diff --git a/src/config.c b/src/config.c +index 94b70d58..bf349812 100644 +--- a/src/config.c ++++ b/src/config.c +@@ -215,7 +215,7 @@ local_parse_file(ssh_session session, + return; + } + +- f = fopen(filename, "r"); ++ f = ssh_strict_fopen(filename, SSH_MAX_CONFIG_FILE_SIZE); + if (f == NULL) { + SSH_LOG(SSH_LOG_RARE, "Cannot find file %s to load", + filename); +@@ -1205,8 +1205,9 @@ int ssh_config_parse_file(ssh_session session, const char *filename) + int parsing, rv; + bool global = 0; + +- f = fopen(filename, "r"); ++ f = ssh_strict_fopen(filename, SSH_MAX_CONFIG_FILE_SIZE); + if (f == NULL) { ++ /* The underlying function logs the reasons */ + return 0; + } + +diff --git a/src/dh-gex.c b/src/dh-gex.c +index b022f09e..81219586 100644 +--- a/src/dh-gex.c ++++ b/src/dh-gex.c +@@ -520,9 +520,9 @@ static int ssh_retrieve_dhgroup(char *moduli_file, + } + + if (moduli_file != NULL) +- moduli = fopen(moduli_file, "r"); ++ moduli = ssh_strict_fopen(moduli_file, SSH_MAX_CONFIG_FILE_SIZE); + else +- moduli = fopen(MODULI_FILE, "r"); ++ moduli = ssh_strict_fopen(MODULI_FILE, SSH_MAX_CONFIG_FILE_SIZE); + + if (moduli == NULL) { + char err_msg[SSH_ERRNO_MSG_MAX] = {0}; +diff --git a/src/known_hosts.c b/src/known_hosts.c +index f660a6f3..ba2ae4d5 100644 +--- a/src/known_hosts.c ++++ b/src/known_hosts.c +@@ -83,7 +83,7 @@ static struct ssh_tokens_st *ssh_get_knownhost_line(FILE **file, + struct ssh_tokens_st *tokens = NULL; + + if (*file == NULL) { +- *file = fopen(filename,"r"); ++ *file = ssh_strict_fopen(filename, SSH_MAX_CONFIG_FILE_SIZE); + if (*file == NULL) { + return NULL; + } +diff --git a/src/knownhosts.c b/src/knownhosts.c +index 62777ad2..e4865ac2 100644 +--- a/src/knownhosts.c ++++ b/src/knownhosts.c +@@ -232,7 +232,7 @@ static int ssh_known_hosts_read_entries(const char *match, + FILE *fp = NULL; + int rc; + +- fp = fopen(filename, "r"); ++ fp = ssh_strict_fopen(filename, SSH_MAX_CONFIG_FILE_SIZE); + if (fp == NULL) { + char err_msg[SSH_ERRNO_MSG_MAX] = {0}; + SSH_LOG(SSH_LOG_TRACE, "Failed to open the known_hosts file '%s': %s", +diff --git a/src/misc.c b/src/misc.c +index 7bb431b6..6607775e 100644 +--- a/src/misc.c ++++ b/src/misc.c +@@ -37,6 +37,7 @@ + #endif /* _WIN32 */ + + #include ++#include + #include + #include + #include +@@ -2074,4 +2075,77 @@ int ssh_check_hostname_syntax(const char *hostname) + return SSH_OK; + } + ++/** ++ * @internal ++ * ++ * @brief Safely open a file containing some configuration. ++ * ++ * Runs checks if the file can be used as some configuration file (is regular ++ * file and is not too large). If so, returns the opened file (for reading). ++ * Otherwise logs error and returns `NULL`. ++ * ++ * @param filename The path to the file to open. ++ * @param max_file_size Maximum file size that is accepted. ++ * ++ * @returns the opened file or `NULL` on error. ++ */ ++FILE *ssh_strict_fopen(const char *filename, size_t max_file_size) ++{ ++ FILE *f = NULL; ++ struct stat sb; ++ char err_msg[SSH_ERRNO_MSG_MAX] = {0}; ++ int r, fd; ++ ++ /* open first to avoid TOCTOU */ ++ fd = open(filename, O_RDONLY); ++ if (fd == -1) { ++ SSH_LOG(SSH_LOG_TRACE, ++ "Failed to open a file %s for reading: %s", ++ filename, ++ ssh_strerror(errno, err_msg, SSH_ERRNO_MSG_MAX)); ++ return NULL; ++ } ++ ++ /* Check the file is sensible for a configuration file */ ++ r = fstat(fd, &sb); ++ if (r != 0) { ++ SSH_LOG(SSH_LOG_TRACE, ++ "Failed to stat %s: %s", ++ filename, ++ ssh_strerror(errno, err_msg, SSH_ERRNO_MSG_MAX)); ++ close(fd); ++ return NULL; ++ } ++ if ((sb.st_mode & S_IFMT) != S_IFREG) { ++ SSH_LOG(SSH_LOG_TRACE, ++ "The file %s is not a regular file: skipping", ++ filename); ++ close(fd); ++ return NULL; ++ } ++ ++ if ((size_t)sb.st_size > max_file_size) { ++ SSH_LOG(SSH_LOG_TRACE, ++ "The file %s is too large (%jd MB > %zu MB): skipping", ++ filename, ++ (intmax_t)sb.st_size / 1024 / 1024, ++ max_file_size / 1024 / 1024); ++ close(fd); ++ return NULL; ++ } ++ ++ f = fdopen(fd, "r"); ++ if (f == NULL) { ++ SSH_LOG(SSH_LOG_TRACE, ++ "Failed to open a file %s for reading: %s", ++ filename, ++ ssh_strerror(r, err_msg, SSH_ERRNO_MSG_MAX)); ++ close(fd); ++ return NULL; ++ } ++ ++ /* the flcose() will close also the underlying fd */ ++ return f; ++} ++ + /** @} */ +diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c +index 995a5213..70ecfb95 100644 +--- a/tests/unittests/torture_config.c ++++ b/tests/unittests/torture_config.c +@@ -2237,6 +2237,23 @@ static void torture_config_parse_uri(void **state) + SAFE_FREE(hostname); + } + ++/* Invalid configuration files ++ */ ++static void torture_config_invalid(void **state) ++{ ++ ssh_session session = *state; ++ ++ ssh_options_set(session, SSH_OPTIONS_HOST, "Bar"); ++ ++ /* non-regular file -- ignored (or missing on non-unix) so OK */ ++ _parse_config(session, "/dev/random", NULL, SSH_OK); ++ ++#ifndef _WIN32 ++ /* huge file -- ignored (or missing on non-unix) so OK */ ++ _parse_config(session, "/proc/kcore", NULL, SSH_OK); ++#endif ++} ++ + int torture_run_tests(void) + { + int rc; +@@ -2323,6 +2340,8 @@ int torture_run_tests(void) + setup_no_sshdir, teardown), + cmocka_unit_test_setup_teardown(torture_config_parse_uri, + setup, teardown), ++ cmocka_unit_test_setup_teardown(torture_config_invalid, ++ setup, teardown), + }; + + +-- +2.53.0 + diff --git a/CVE-2026-0966.patch b/CVE-2026-0966.patch new file mode 100644 index 0000000..d99525c --- /dev/null +++ b/CVE-2026-0966.patch @@ -0,0 +1,100 @@ +From e868036a8e496e36cf986e000e050974cc30a0ae Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 8 Jan 2026 12:09:50 +0100 +Subject: [PATCH 1/2] CVE-2026-0966 misc: Avoid heap buffer underflow in + ssh_get_hexa +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Jakub Jelen +Reviewed-by: Pavol Žáčik +(cherry picked from commit 417a095e6749a1f3635e02332061edad3c6a3401) +--- + src/misc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/misc.c b/src/misc.c +index 6607775e..0cca373a 100644 +--- a/src/misc.c ++++ b/src/misc.c +@@ -452,7 +452,7 @@ char *ssh_get_hexa(const unsigned char *what, size_t len) + size_t i; + size_t hlen = len * 3; + +- if (len > (UINT_MAX - 1) / 3) { ++ if (what == NULL || len < 1 || len > (UINT_MAX - 1) / 3) { + return NULL; + } + +-- +2.53.0 + + +From c112289ce14ef29f173d87b6cc507f066d6ca751 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 8 Jan 2026 12:10:16 +0100 +Subject: [PATCH 2/2] CVE-2026-0966 tests: Test coverage for ssh_get_hexa +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Jakub Jelen +Reviewed-by: Pavol Žáčik +(cherry picked from commit 9be83584a56580da5a2f41e47137056dc0249b52) +--- + tests/unittests/torture_misc.c | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/tests/unittests/torture_misc.c b/tests/unittests/torture_misc.c +index 77166759..4470c358 100644 +--- a/tests/unittests/torture_misc.c ++++ b/tests/unittests/torture_misc.c +@@ -877,6 +877,36 @@ static void torture_ssh_is_ipaddr(void **state) { + assert_int_equal(rc, 0); + } + ++static void torture_ssh_get_hexa(void **state) ++{ ++ const unsigned char *bin = NULL; ++ char *hex = NULL; ++ ++ (void)state; ++ ++ /* Null pointer should not crash */ ++ bin = NULL; ++ hex = ssh_get_hexa(bin, 0); ++ assert_null(hex); ++ ++ /* Null pointer should not crash regardless the length */ ++ bin = NULL; ++ hex = ssh_get_hexa(bin, 99); ++ assert_null(hex); ++ ++ /* Zero length input is not much useful. Just expect NULL too */ ++ bin = (const unsigned char *)""; ++ hex = ssh_get_hexa(bin, 0); ++ assert_null(hex); ++ ++ /* Valid inputs */ ++ bin = (const unsigned char *)"\x00\xFF"; ++ hex = ssh_get_hexa(bin, 2); ++ assert_non_null(hex); ++ assert_string_equal(hex, "00:ff"); ++ ssh_string_free_char(hex); ++} ++ + int torture_run_tests(void) { + int rc; + struct CMUnitTest tests[] = { +@@ -903,6 +933,7 @@ int torture_run_tests(void) { + cmocka_unit_test(torture_ssh_strerror), + cmocka_unit_test(torture_ssh_check_hostname_syntax), + cmocka_unit_test(torture_ssh_is_ipaddr), ++ cmocka_unit_test(torture_ssh_get_hexa), + }; + + ssh_init(); +-- +2.53.0 + diff --git a/CVE-2026-0967.patch b/CVE-2026-0967.patch new file mode 100644 index 0000000..3a80530 --- /dev/null +++ b/CVE-2026-0967.patch @@ -0,0 +1,357 @@ +From a56c4837c9e6db6cfb7e136b0e8b8d90dbc329ea Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 17 Dec 2025 18:48:34 +0100 +Subject: [PATCH] CVE-2026-0967 match: Avoid recursive matching (ReDoS) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The specially crafted patterns (from configuration files) could cause +exhaustive search or timeouts. + +Previous attempts to fix this by limiting recursion to depth 16 avoided +stack overflow, but not timeouts. This is due to the backtracking, +which caused the exponential time complexity O(N^16) of existing algorithm. + +This is code comes from the same function from OpenSSH, where this code +originates from, which is not having this issue (due to not limiting the number +of recursion), but will also easily exhaust stack due to unbound recursion: + +https://github.com/openssh/openssh-portable/commit/05bcd0cadf160fd4826a2284afa7cba6ec432633 + +This is an attempt to simplify the algorithm by preventing the backtracking +to previous wildcard, which should keep the same behavior for existing inputs +while reducing the complexity to linear O(N*M). + +This fixes the long-term issue we had with fuzzing as well as recently reported +security issue by Kang Yang. + +Signed-off-by: Jakub Jelen +Reviewed-by: Pavol Žáčik +(cherry picked from commit a411de5ce806e3ea24d088774b2f7584d6590b5f) +--- + src/match.c | 111 +++++++++++++---------------- + tests/unittests/torture_config.c | 116 +++++++++++++++++++++++-------- + 2 files changed, 135 insertions(+), 92 deletions(-) + +diff --git a/src/match.c b/src/match.c +index 3e58f733..896d87cb 100644 +--- a/src/match.c ++++ b/src/match.c +@@ -43,85 +43,70 @@ + + #include "libssh/priv.h" + +-#define MAX_MATCH_RECURSION 16 +- +-/* +- * Returns true if the given string matches the pattern (which may contain ? +- * and * as wildcards), and zero if it does not match. ++/** ++ * @brief Compare a string with a pattern containing wildcards `*` and `?` ++ * ++ * This function is an iterative replacement for the previously recursive ++ * implementation to avoid exponential complexity (DoS) with specific patterns. ++ * ++ * @param[in] s The string to match. ++ * @param[in] pattern The pattern to match against. ++ * ++ * @return 1 if the pattern matches, 0 otherwise. + */ +-static int match_pattern(const char *s, const char *pattern, size_t limit) ++static int match_pattern(const char *s, const char *pattern) + { +- bool had_asterisk = false; ++ const char *s_star = NULL; /* Position in s when last `*` was met */ ++ const char *p_star = NULL; /* Position in pattern after last `*` */ + +- if (s == NULL || pattern == NULL || limit <= 0) { ++ if (s == NULL || pattern == NULL) { + return 0; + } + +- for (;;) { +- /* If at end of pattern, accept if also at end of string. */ +- if (*pattern == '\0') { +- return (*s == '\0'); +- } +- +- /* Skip all the asterisks and adjacent question marks */ +- while (*pattern == '*' || (had_asterisk && *pattern == '?')) { +- if (*pattern == '*') { +- had_asterisk = true; +- } ++ while (*s) { ++ /* Case 1: Exact match or '?' wildcard */ ++ if (*pattern == *s || *pattern == '?') { ++ s++; + pattern++; ++ continue; + } + +- if (had_asterisk) { +- /* If at end of pattern, accept immediately. */ +- if (!*pattern) +- return 1; +- +- /* If next character in pattern is known, optimize. */ +- if (*pattern != '?') { +- /* +- * Look instances of the next character in +- * pattern, and try to match starting from +- * those. +- */ +- for (; *s; s++) +- if (*s == *pattern && match_pattern(s + 1, pattern + 1, limit - 1)) { +- return 1; +- } +- /* Failed. */ +- return 0; +- } +- /* +- * Move ahead one character at a time and try to +- * match at each position. ++ /* Case 2: '*' wildcard */ ++ if (*pattern == '*') { ++ /* Record the position of the star and the current string position. ++ * We optimistically assume * matches 0 characters first. + */ +- for (; *s; s++) { +- if (match_pattern(s, pattern, limit - 1)) { +- return 1; +- } +- } +- /* Failed. */ +- return 0; +- } +- /* +- * There must be at least one more character in the string. +- * If we are at the end, fail. +- */ +- if (!*s) { +- return 0; ++ p_star = ++pattern; ++ s_star = s; ++ continue; + } + +- /* Check if the next character of the string is acceptable. */ +- if (*pattern != '?' && *pattern != *s) { +- return 0; ++ /* Case 3: Mismatch */ ++ if (p_star) { ++ /* If we have seen a star previously, backtrack. ++ * We restore the pattern to just after the star, ++ * but advance the string position (consume one more char for the ++ * star). ++ * No need to backtrack to previous stars as any match of the last ++ * star could be eaten the same way by the previous star. ++ */ ++ pattern = p_star; ++ s = ++s_star; ++ continue; + } + +- /* Move to the next character, both in string and in pattern. */ +- s++; ++ /* Case 4: Mismatch and no star to backtrack to */ ++ return 0; ++ } ++ ++ /* Handle trailing stars in the pattern ++ * (e.g., pattern "abc*" matching "abc") */ ++ while (*pattern == '*') { + pattern++; + } + +- /* NOTREACHED */ +- return 0; ++ /* If we reached the end of the pattern, it's a match */ ++ return (*pattern == '\0'); + } + + /* +@@ -172,7 +157,7 @@ int match_pattern_list(const char *string, const char *pattern, + sub[subi] = '\0'; + + /* Try to match the subpattern against the string. */ +- if (match_pattern(string, sub, MAX_MATCH_RECURSION)) { ++ if (match_pattern(string, sub)) { + if (negated) { + return -1; /* Negative */ + } else { +diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c +index 70ecfb95..6dc59e48 100644 +--- a/tests/unittests/torture_config.c ++++ b/tests/unittests/torture_config.c +@@ -1996,80 +1996,138 @@ static void torture_config_match_pattern(void **state) + (void) state; + + /* Simple test "a" matches "a" */ +- rv = match_pattern("a", "a", MAX_MATCH_RECURSION); ++ rv = match_pattern("a", "a"); + assert_int_equal(rv, 1); + + /* Simple test "a" does not match "b" */ +- rv = match_pattern("a", "b", MAX_MATCH_RECURSION); ++ rv = match_pattern("a", "b"); + assert_int_equal(rv, 0); + + /* NULL arguments are correctly handled */ +- rv = match_pattern("a", NULL, MAX_MATCH_RECURSION); ++ rv = match_pattern("a", NULL); + assert_int_equal(rv, 0); +- rv = match_pattern(NULL, "a", MAX_MATCH_RECURSION); ++ rv = match_pattern(NULL, "a"); + assert_int_equal(rv, 0); + + /* Simple wildcard ? is handled in pattern */ +- rv = match_pattern("a", "?", MAX_MATCH_RECURSION); ++ rv = match_pattern("a", "?"); + assert_int_equal(rv, 1); +- rv = match_pattern("aa", "?", MAX_MATCH_RECURSION); ++ rv = match_pattern("aa", "?"); + assert_int_equal(rv, 0); + /* Wildcard in search string */ +- rv = match_pattern("?", "a", MAX_MATCH_RECURSION); ++ rv = match_pattern("?", "a"); + assert_int_equal(rv, 0); +- rv = match_pattern("?", "?", MAX_MATCH_RECURSION); ++ rv = match_pattern("?", "?"); + assert_int_equal(rv, 1); + + /* Simple wildcard * is handled in pattern */ +- rv = match_pattern("a", "*", MAX_MATCH_RECURSION); ++ rv = match_pattern("a", "*"); + assert_int_equal(rv, 1); +- rv = match_pattern("aa", "*", MAX_MATCH_RECURSION); ++ rv = match_pattern("aa", "*"); + assert_int_equal(rv, 1); + /* Wildcard in search string */ +- rv = match_pattern("*", "a", MAX_MATCH_RECURSION); ++ rv = match_pattern("*", "a"); + assert_int_equal(rv, 0); +- rv = match_pattern("*", "*", MAX_MATCH_RECURSION); ++ rv = match_pattern("*", "*"); + assert_int_equal(rv, 1); + + /* More complicated patterns */ +- rv = match_pattern("a", "*a", MAX_MATCH_RECURSION); ++ rv = match_pattern("a", "*a"); + assert_int_equal(rv, 1); +- rv = match_pattern("a", "a*", MAX_MATCH_RECURSION); ++ rv = match_pattern("a", "a*"); + assert_int_equal(rv, 1); +- rv = match_pattern("abababc", "*abc", MAX_MATCH_RECURSION); ++ rv = match_pattern("abababc", "*abc"); + assert_int_equal(rv, 1); +- rv = match_pattern("ababababca", "*abc", MAX_MATCH_RECURSION); ++ rv = match_pattern("ababababca", "*abc"); + assert_int_equal(rv, 0); +- rv = match_pattern("ababababca", "*abc*", MAX_MATCH_RECURSION); ++ rv = match_pattern("ababababca", "*abc*"); + assert_int_equal(rv, 1); + + /* Multiple wildcards in row */ +- rv = match_pattern("aa", "??", MAX_MATCH_RECURSION); ++ rv = match_pattern("aa", "??"); + assert_int_equal(rv, 1); +- rv = match_pattern("bba", "??a", MAX_MATCH_RECURSION); ++ rv = match_pattern("bba", "??a"); + assert_int_equal(rv, 1); +- rv = match_pattern("aaa", "**a", MAX_MATCH_RECURSION); ++ rv = match_pattern("aaa", "**a"); + assert_int_equal(rv, 1); +- rv = match_pattern("bbb", "**a", MAX_MATCH_RECURSION); ++ rv = match_pattern("bbb", "**a"); + assert_int_equal(rv, 0); + + /* Consecutive asterisks do not make sense and do not need to recurse */ +- rv = match_pattern("hostname", "**********pattern", 5); ++ rv = match_pattern("hostname", "**********pattern"); + assert_int_equal(rv, 0); +- rv = match_pattern("hostname", "pattern**********", 5); ++ rv = match_pattern("hostname", "pattern**********"); + assert_int_equal(rv, 0); +- rv = match_pattern("pattern", "***********pattern", 5); ++ rv = match_pattern("pattern", "***********pattern"); + assert_int_equal(rv, 1); +- rv = match_pattern("pattern", "pattern***********", 5); ++ rv = match_pattern("pattern", "pattern***********"); + assert_int_equal(rv, 1); + +- /* Limit the maximum recursion */ +- rv = match_pattern("hostname", "*p*a*t*t*e*r*n*", 5); ++ rv = match_pattern("hostname", "*p*a*t*t*e*r*n*"); + assert_int_equal(rv, 0); +- /* Too much recursion */ +- rv = match_pattern("pattern", "*p*a*t*t*e*r*n*", 5); ++ rv = match_pattern("pattern", "*p*a*t*t*e*r*n*"); ++ assert_int_equal(rv, 1); ++ ++ /* Regular Expression Denial of Service */ ++ rv = match_pattern("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", ++ "*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a"); ++ assert_int_equal(rv, 1); ++ rv = match_pattern("ababababababababababababababababababababab", ++ "*a*b*a*b*a*b*a*b*a*b*a*b*a*b*a*b"); ++ assert_int_equal(rv, 1); ++ ++ /* A lot of backtracking */ ++ rv = match_pattern("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaax", ++ "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*ax"); ++ assert_int_equal(rv, 1); ++ ++ /* Test backtracking: *a matches first 'a', fails on 'b', must backtrack */ ++ rv = match_pattern("axaxaxb", "*a*b"); ++ assert_int_equal(rv, 1); ++ ++ /* Test greedy consumption with suffix */ ++ rv = match_pattern("foo_bar_baz_bar", "*bar"); ++ assert_int_equal(rv, 1); ++ ++ /* Test exact suffix requirement (ensure no partial match acceptance) */ ++ rv = match_pattern("foobar_extra", "*bar"); ++ assert_int_equal(rv, 0); ++ ++ /* Test multiple distinct wildcards */ ++ rv = match_pattern("a_very_long_string_with_a_pattern", "*long*pattern"); ++ assert_int_equal(rv, 1); ++ ++ /* ? inside a * sequence */ ++ rv = match_pattern("abcdefg", "a*c?e*g"); ++ assert_int_equal(rv, 1); ++ ++ /* Consecutive mixed wildcards */ ++ rv = match_pattern("abc", "*?c"); ++ assert_int_equal(rv, 1); ++ ++ /* ? at the very end after * */ ++ rv = match_pattern("abc", "ab?"); ++ assert_int_equal(rv, 1); ++ rv = match_pattern("abc", "ab*?"); ++ assert_int_equal(rv, 1); ++ ++ /* Consecutive stars should be collapsed or handled gracefully */ ++ rv = match_pattern("abc", "a**c"); ++ assert_int_equal(rv, 1); ++ rv = match_pattern("abc", "***"); ++ assert_int_equal(rv, 1); ++ ++ /* Empty string handling */ ++ rv = match_pattern("", "*"); ++ assert_int_equal(rv, 1); ++ rv = match_pattern("", "?"); + assert_int_equal(rv, 0); ++ rv = match_pattern("", ""); ++ assert_int_equal(rv, 1); + ++ /* Pattern longer than string */ ++ rv = match_pattern("short", "short_but_longer"); ++ assert_int_equal(rv, 0); + } + + /* Identity file can be specified multiple times in the configuration +-- +2.53.0 + diff --git a/CVE-2026-0968.patch b/CVE-2026-0968.patch new file mode 100644 index 0000000..609345f --- /dev/null +++ b/CVE-2026-0968.patch @@ -0,0 +1,184 @@ +From 7d08a51ec529edc5ccf7978d403ec4ef151e82a7 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 22 Dec 2025 20:59:11 +0100 +Subject: [PATCH 1/2] CVE-2026-0968: sftp: Sanitize input handling in + sftp_parse_longname() + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider +(cherry picked from commit 20856f44c146468c830da61dcbbbaa8ce71e390b) +--- + src/sftp.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/src/sftp.c b/src/sftp.c +index 60e591f0..70f9ed15 100644 +--- a/src/sftp.c ++++ b/src/sftp.c +@@ -1289,13 +1289,18 @@ static char *sftp_parse_longname(const char *longname, + const char *p, *q; + size_t len, field = 0; + ++ if (longname == NULL || longname_field < SFTP_LONGNAME_PERM || ++ longname_field > SFTP_LONGNAME_NAME) { ++ return NULL; ++ } ++ + p = longname; + /* Find the beginning of the field which is specified by sftp_longname_field_e. */ +- while(field != longname_field) { ++ while(*p != '\0' && field != longname_field) { + if(isspace(*p)) { + field++; + p++; +- while(*p && isspace(*p)) { ++ while(*p != '\0' && isspace(*p)) { + p++; + } + } else { +@@ -1303,8 +1308,13 @@ static char *sftp_parse_longname(const char *longname, + } + } + ++ /* If we reached NULL before we got our field fail */ ++ if (field != longname_field) { ++ return NULL; ++ } ++ + q = p; +- while (! isspace(*q)) { ++ while (*q != '\0' && !isspace(*q)) { + q++; + } + +-- +2.53.0 + + +From ccedc7907ebe2c1a977b739b85034953de582fb3 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 22 Dec 2025 21:00:03 +0100 +Subject: [PATCH 2/2] CVE-2026-0968 tests: Reproducer for invalid longname data + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider +(cherry picked from commit 90a5d8f47399e8db61b56793cd21476ff6a528e0) +--- + tests/unittests/CMakeLists.txt | 7 +++ + tests/unittests/torture_unit_sftp.c | 86 +++++++++++++++++++++++++++++ + 2 files changed, 93 insertions(+) + create mode 100644 tests/unittests/torture_unit_sftp.c + +diff --git a/tests/unittests/CMakeLists.txt b/tests/unittests/CMakeLists.txt +index 28458d49..658f14bc 100644 +--- a/tests/unittests/CMakeLists.txt ++++ b/tests/unittests/CMakeLists.txt +@@ -95,6 +95,13 @@ if (UNIX AND NOT WIN32) + endif (WITH_SERVER) + endif (UNIX AND NOT WIN32) + ++if (WITH_SFTP) ++ set(LIBSSH_UNIT_TESTS ++ ${LIBSSH_UNIT_TESTS} ++ torture_unit_sftp ++ ) ++endif (WITH_SFTP) ++ + foreach(_UNIT_TEST ${LIBSSH_UNIT_TESTS}) + add_cmocka_test(${_UNIT_TEST} + SOURCES ${_UNIT_TEST}.c +diff --git a/tests/unittests/torture_unit_sftp.c b/tests/unittests/torture_unit_sftp.c +new file mode 100644 +index 00000000..8cdaba8e +--- /dev/null ++++ b/tests/unittests/torture_unit_sftp.c +@@ -0,0 +1,86 @@ ++#include "config.h" ++ ++#include "sftp.c" ++#include "torture.h" ++ ++#define LIBSSH_STATIC ++ ++static void test_sftp_parse_longname(void **state) ++{ ++ const char *lname = NULL; ++ char *value = NULL; ++ ++ /* state not used */ ++ (void)state; ++ ++ /* Valid example from SFTP draft, page 18: ++ * https://datatracker.ietf.org/doc/draft-spaghetti-sshm-filexfer/ ++ */ ++ lname = "-rwxr-xr-x 1 mjos staff 348911 Mar 25 14:29 t-filexfer"; ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_PERM); ++ assert_string_equal(value, "-rwxr-xr-x"); ++ free(value); ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_OWNER); ++ assert_string_equal(value, "mjos"); ++ free(value); ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_GROUP); ++ assert_string_equal(value, "staff"); ++ free(value); ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_SIZE); ++ assert_string_equal(value, "348911"); ++ free(value); ++ /* This function is broken further as the date contains space which breaks ++ * the parsing altogether */ ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_DATE); ++ assert_string_equal(value, "Mar"); ++ free(value); ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_TIME); ++ assert_string_equal(value, "25"); ++ free(value); ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_NAME); ++ assert_string_equal(value, "14:29"); ++ free(value); ++} ++ ++static void test_sftp_parse_longname_invalid(void **state) ++{ ++ const char *lname = NULL; ++ char *value = NULL; ++ ++ /* state not used */ ++ (void)state; ++ ++ /* Invalid inputs should not crash ++ */ ++ lname = NULL; ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_PERM); ++ assert_null(value); ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_NAME); ++ assert_null(value); ++ ++ lname = ""; ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_PERM); ++ assert_string_equal(value, ""); ++ free(value); ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_NAME); ++ assert_null(value); ++ ++ lname = "-rwxr-xr-x 1"; ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_PERM); ++ assert_string_equal(value, "-rwxr-xr-x"); ++ free(value); ++ value = sftp_parse_longname(lname, SFTP_LONGNAME_NAME); ++ assert_null(value); ++} ++ ++int torture_run_tests(void) ++{ ++ int rc; ++ const struct CMUnitTest tests[] = { ++ cmocka_unit_test(test_sftp_parse_longname), ++ cmocka_unit_test(test_sftp_parse_longname_invalid), ++ }; ++ ++ rc = cmocka_run_group_tests(tests, NULL, NULL); ++ return rc; ++} +-- +2.53.0 + diff --git a/libssh.spec b/libssh.spec index 9bacb40..31d8bf8 100644 --- a/libssh.spec +++ b/libssh.spec @@ -1,6 +1,6 @@ Name: libssh Version: 0.10.4 -Release: 17%{?dist} +Release: 18%{?dist} Summary: A library implementing the SSH protocol License: LGPLv2+ URL: http://www.libssh.org @@ -58,6 +58,16 @@ Patch16: escape-brackets-in-proxycommand.patch Patch17: CVE-2025-5318.patch Patch18: CVE-2025-5987.patch Patch19: workaround-sshd-failure-rate-limiting.patch +Patch20: CVE-2025-4877.patch +Patch21: CVE-2025-4878.patch +Patch22: CVE-2025-5351.patch +Patch23: CVE-2025-8114.patch +Patch24: CVE-2025-8277.patch +Patch25: CVE-2026-0964.patch +Patch26: CVE-2026-0965.patch +Patch27: CVE-2026-0966.patch +Patch28: CVE-2026-0967.patch +Patch29: CVE-2026-0968.patch %description The ssh library was designed to be used by programmers needing a working SSH @@ -150,6 +160,19 @@ popd %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/libssh/libssh_server.config %changelog +* Fri Feb 13 2026 Pavol Žáčik - 0.10.4-18 +- Resolves: RHEL-150661 +- Resolves: CVE-2025-4877 +- Resolves: CVE-2025-4878 +- Resolves: CVE-2025-5351 +- Resolves: CVE-2025-8114 +- Resolves: CVE-2025-8277 +- Resolves: CVE-2026-0964 +- Resolves: CVE-2026-0965 +- Resolves: CVE-2026-0966 +- Resolves: CVE-2026-0967 +- Resolves: CVE-2026-0968 + * Fri Dec 12 2025 Pavol Žáčik - 0.10.4-17 - Bump spec to resolve build tagging issues