new file mode 100644
@@ -0,0 +1,2196 @@
+From 697650caa97eaf7623924c75f9fcfec6dd423cd1 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 23 Apr 2025 17:57:11 +0200
+Subject: [PATCH] CVE-2025-4878 Initialize pointers where possible
+
+This is mostly mechanical change initializing all the pointers I was able to
+find with some grep and manual review of sources and examples.
+
+Used the following greps (which yield some false positives though):
+
+ git grep " \w* *\* *\w*;$"
+ git grep " ssh_session \w*;"
+ git grep " ssh_channel \w*;"
+ git grep " struct ssh_iterator \*\w*;"
+ git grep " ssh_bind \w*;"
+ git grep " ssh_key \w*;"
+ git grep " ssh_string \w*;"
+ git grep " ssh_buffer \w*;"
+ git grep " HMACCTX \w*;"
+ git grep " SHACTX \w*;"
+ grep -rinP '^(?!.*=)\s*(?:\w+\s+)*\w+\s*\*\s*\w+\s*;'
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+
+CVE: CVE-2025-4878
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1]
+
+Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com>
+---
+ doc/authentication.dox | 10 +++----
+ doc/command.dox | 2 +-
+ doc/forwarding.dox | 4 +--
+ doc/guided_tour.dox | 14 +++++-----
+ doc/shell.dox | 2 +-
+ examples/authentication.c | 12 ++++----
+ examples/connect_ssh.c | 2 +-
+ examples/exec.c | 4 +--
+ examples/knownhosts.c | 2 +-
+ examples/libssh_scp.c | 11 ++++----
+ examples/proxy.c | 18 ++++++------
+ examples/samplesshd-cb.c | 10 +++----
+ examples/samplesshd-kbdint.c | 16 +++++------
+ examples/scp_download.c | 4 +--
+ examples/senddata.c | 4 +--
+ examples/ssh_client.c | 8 +++---
+ examples/sshnetcat.c | 6 ++--
+ src/agent.c | 13 +++++----
+ src/auth.c | 7 +++--
+ src/bind.c | 9 +++---
+ src/buffer.c | 9 +++---
+ src/callbacks.c | 2 +-
+ src/chachapoly.c | 2 +-
+ src/channels.c | 53 ++++++++++++++++++------------------
+ src/client.c | 2 +-
+ src/config.c | 4 +--
+ src/connect.c | 4 +--
+ src/connector.c | 5 ++--
+ src/ecdh_crypto.c | 2 +-
+ src/ecdh_gcrypt.c | 10 +++----
+ src/gcrypt_missing.c | 2 +-
+ src/getpass.c | 4 +--
+ src/gssapi.c | 28 ++++++++++---------
+ src/kex.c | 2 +-
+ src/known_hosts.c | 38 +++++++++++++-------------
+ src/knownhosts.c | 14 +++++-----
+ src/legacy.c | 43 +++++++++++++++--------------
+ src/log.c | 2 +-
+ src/messages.c | 18 ++++++------
+ src/misc.c | 22 +++++++--------
+ src/options.c | 12 ++++----
+ src/packet.c | 4 +--
+ src/packet_crypt.c | 2 +-
+ src/pki.c | 48 ++++++++++++++++----------------
+ src/pki_container_openssh.c | 14 +++++-----
+ src/pki_ed25519.c | 6 ++--
+ src/pki_gcrypt.c | 2 +-
+ src/pki_mbedcrypto.c | 12 ++++----
+ src/poll.c | 8 +++---
+ src/server.c | 18 ++++++------
+ src/session.c | 4 +--
+ src/sftpserver.c | 12 ++++----
+ src/string.c | 6 ++--
+ src/threads/winlocks.c | 2 +-
+ src/wrapper.c | 2 +-
+ 55 files changed, 295 insertions(+), 281 deletions(-)
+
+diff --git a/doc/authentication.dox b/doc/authentication.dox
+index ec6f1936..a8fbd400 100644
+--- a/doc/authentication.dox
++++ b/doc/authentication.dox
+@@ -102,7 +102,7 @@ Here is a small example of password authentication:
+ @code
+ int authenticate_password(ssh_session session)
+ {
+- char *password;
++ char *password = NULL;
+ int rc;
+
+ password = getpass("Enter your password: ");
+@@ -215,7 +215,7 @@ int authenticate_kbdint(ssh_session session)
+ rc = ssh_userauth_kbdint(session, NULL, NULL);
+ while (rc == SSH_AUTH_INFO)
+ {
+- const char *name, *instruction;
++ const char *name = NULL, *instruction = NULL;
+ int nprompts, iprompt;
+
+ name = ssh_userauth_kbdint_getname(session);
+@@ -228,7 +228,7 @@ int authenticate_kbdint(ssh_session session)
+ printf("%s\n", instruction);
+ for (iprompt = 0; iprompt < nprompts; iprompt++)
+ {
+- const char *prompt;
++ const char *prompt = NULL;
+ char echo;
+
+ prompt = ssh_userauth_kbdint_getprompt(session, iprompt, &echo);
+@@ -248,7 +248,7 @@ int authenticate_kbdint(ssh_session session)
+ }
+ else
+ {
+- char *ptr;
++ char *ptr = NULL;
+
+ ptr = getpass(prompt);
+ if (ssh_userauth_kbdint_setanswer(session, iprompt, ptr) < 0)
+@@ -351,7 +351,7 @@ The following example shows how to retrieve and dispose the issue banner:
+ int display_banner(ssh_session session)
+ {
+ int rc;
+- char *banner;
++ char *banner = NULL;
+
+ /*
+ *** Does not work without calling ssh_userauth_none() first ***
+diff --git a/doc/command.dox b/doc/command.dox
+index 588151c6..e82748ce 100644
+--- a/doc/command.dox
++++ b/doc/command.dox
+@@ -22,7 +22,7 @@ a SSH session that uses this channel:
+ @code
+ int show_remote_files(ssh_session session)
+ {
+- ssh_channel channel;
++ ssh_channel channel = NULL;
+ int rc;
+
+ channel = ssh_channel_new(session);
+diff --git a/doc/forwarding.dox b/doc/forwarding.dox
+index bb93c7b1..1949660c 100644
+--- a/doc/forwarding.dox
++++ b/doc/forwarding.dox
+@@ -100,7 +100,7 @@ used to retrieve google's home page from the remote SSH server.
+ @code
+ int direct_forwarding(ssh_session session)
+ {
+- ssh_channel forwarding_channel;
++ ssh_channel forwarding_channel = NULL;
+ int rc;
+ char *http_get = "GET / HTTP/1.1\nHost: www.google.com\n\n";
+ int nbytes, nwritten;
+@@ -161,7 +161,7 @@ local libssh application, which handles them:
+ int web_server(ssh_session session)
+ {
+ int rc;
+- ssh_channel channel;
++ ssh_channel channel = NULL;
+ char buffer[256];
+ int nbytes, nwritten;
+ int port = 0;
+diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox
+index 2f1a9b8e..008ccb4e 100644
+--- a/doc/guided_tour.dox
++++ b/doc/guided_tour.dox
+@@ -79,7 +79,7 @@ Here is a small example of how to use it:
+
+ int main()
+ {
+- ssh_session my_ssh_session;
++ ssh_session my_ssh_session = NULL;
+ int verbosity = SSH_LOG_PROTOCOL;
+ int port = 22;
+
+@@ -126,7 +126,7 @@ Here's an example:
+
+ int main()
+ {
+- ssh_session my_ssh_session;
++ ssh_session my_ssh_session = NULL;
+ int rc;
+
+ my_ssh_session = ssh_new();
+@@ -190,8 +190,8 @@ int verify_knownhost(ssh_session session)
+ ssh_key srv_pubkey = NULL;
+ size_t hlen;
+ char buf[10];
+- char *hexa;
+- char *p;
++ char *hexa = NULL;
++ char *p = NULL;
+ int cmp;
+ int rc;
+
+@@ -317,9 +317,9 @@ The example below shows an authentication with password:
+
+ int main()
+ {
+- ssh_session my_ssh_session;
++ ssh_session my_ssh_session = NULL;
+ int rc;
+- char *password;
++ char *password = NULL;
+
+ // Open session and set options
+ my_ssh_session = ssh_new();
+@@ -380,7 +380,7 @@ The example below shows how to execute a remote command:
+ @code
+ int show_remote_processes(ssh_session session)
+ {
+- ssh_channel channel;
++ ssh_channel channel = NULL;
+ int rc;
+ char buffer[256];
+ int nbytes;
+diff --git a/doc/shell.dox b/doc/shell.dox
+index 0693bbcc..03b5a575 100644
+--- a/doc/shell.dox
++++ b/doc/shell.dox
+@@ -26,7 +26,7 @@ The code sample below achieves these tasks:
+ @code
+ int shell_session(ssh_session session)
+ {
+- ssh_channel channel;
++ ssh_channel channel = NULL;
+ int rc;
+
+ channel = ssh_channel_new(session);
+diff --git a/examples/authentication.c b/examples/authentication.c
+index 9e5b94c9..758666fc 100644
+--- a/examples/authentication.c
++++ b/examples/authentication.c
+@@ -30,8 +30,8 @@ int authenticate_kbdint(ssh_session session, const char *password)
+
+ err = ssh_userauth_kbdint(session, NULL, NULL);
+ while (err == SSH_AUTH_INFO) {
+- const char *instruction;
+- const char *name;
++ const char *instruction = NULL;
++ const char *name = NULL;
+ char buffer[128];
+ int i, n;
+
+@@ -48,8 +48,8 @@ int authenticate_kbdint(ssh_session session, const char *password)
+ }
+
+ for (i = 0; i < n; i++) {
+- const char *answer;
+- const char *prompt;
++ const char *answer = NULL;
++ const char *prompt = NULL;
+ char echo;
+
+ prompt = ssh_userauth_kbdint_getprompt(session, i, &echo);
+@@ -58,7 +58,7 @@ int authenticate_kbdint(ssh_session session, const char *password)
+ }
+
+ if (echo) {
+- char *p;
++ char *p = NULL;
+
+ printf("%s", prompt);
+
+@@ -110,7 +110,7 @@ int authenticate_console(ssh_session session)
+ int rc;
+ int method;
+ char password[128] = {0};
+- char *banner;
++ char *banner = NULL;
+
+ // Try to authenticate
+ rc = ssh_userauth_none(session, NULL);
+diff --git a/examples/connect_ssh.c b/examples/connect_ssh.c
+index c9e4ef6e..06094272 100644
+--- a/examples/connect_ssh.c
++++ b/examples/connect_ssh.c
+@@ -22,7 +22,7 @@ clients must be made or how a client should react.
+ #include <stdio.h>
+
+ ssh_session connect_ssh(const char *host, const char *user,int verbosity){
+- ssh_session session;
++ ssh_session session = NULL;
+ int auth=0;
+
+ session=ssh_new();
+diff --git a/examples/exec.c b/examples/exec.c
+index 4d5e0c1a..0db84688 100644
+--- a/examples/exec.c
++++ b/examples/exec.c
+@@ -5,8 +5,8 @@
+ #include "examples_common.h"
+
+ int main(void) {
+- ssh_session session;
+- ssh_channel channel;
++ ssh_session session = NULL;
++ ssh_channel channel = NULL;
+ char buffer[256];
+ int nbytes;
+ int rc;
+diff --git a/examples/knownhosts.c b/examples/knownhosts.c
+index 2c538dac..44fbbd01 100644
+--- a/examples/knownhosts.c
++++ b/examples/knownhosts.c
+@@ -37,7 +37,7 @@ int verify_knownhost(ssh_session session){
+ char buf[10];
+ unsigned char *hash = NULL;
+ size_t hlen;
+- ssh_key srv_pubkey;
++ ssh_key srv_pubkey = NULL;
+ int rc;
+
+ rc = ssh_get_server_publickey(session, &srv_pubkey);
+diff --git a/examples/libssh_scp.c b/examples/libssh_scp.c
+index ff38b830..b0638525 100644
+--- a/examples/libssh_scp.c
++++ b/examples/libssh_scp.c
+@@ -22,9 +22,9 @@ program.
+ #include <libssh/libssh.h>
+ #include "examples_common.h"
+
+-static char **sources;
++static char **sources = NULL;
+ static int nsources;
+-static char *destination;
++static char *destination = NULL;
+ static int verbosity = 0;
+
+ struct location {
+@@ -114,9 +114,10 @@ static void location_free(struct location *loc)
+ }
+ }
+
+-static struct location *parse_location(char *loc) {
+- struct location *location;
+- char *ptr;
++static struct location *parse_location(char *loc)
++{
++ struct location *location = NULL;
++ char *ptr = NULL;
+
+ location = malloc(sizeof(struct location));
+ if (location == NULL) {
+diff --git a/examples/proxy.c b/examples/proxy.c
+index dcf4d0d7..baebc12f 100644
+--- a/examples/proxy.c
++++ b/examples/proxy.c
+@@ -31,8 +31,8 @@ clients must be made or how a client should react.
+ static int authenticated=0;
+ static int tries = 0;
+ static int error = 0;
+-static ssh_channel chan=NULL;
+-static char *username;
++static ssh_channel chan = NULL;
++static char *username = NULL;
+ static ssh_gssapi_creds client_creds = NULL;
+
+ static int auth_password(ssh_session session, const char *user,
+@@ -212,11 +212,12 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
+ static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL};
+ #endif /* HAVE_ARGP_H */
+
+-int main(int argc, char **argv){
+- ssh_session session;
+- ssh_bind sshbind;
+- ssh_event mainloop;
+- ssh_session client_session;
++int main(int argc, char **argv)
++{
++ ssh_session session = NULL;
++ ssh_bind sshbind = NULL;
++ ssh_event mainloop = NULL;
++ ssh_session client_session = NULL;
+
+ struct ssh_server_callbacks_struct cb = {
+ .userdata = NULL,
+@@ -227,7 +228,7 @@ int main(int argc, char **argv){
+
+ char buf[2048];
+ char host[128]="";
+- char *ptr;
++ char *ptr = NULL;
+ int i,r, rc;
+
+ sshbind=ssh_bind_new();
+@@ -344,4 +345,3 @@ int main(int argc, char **argv){
+ ssh_finalize();
+ return 0;
+ }
+-
+diff --git a/examples/samplesshd-cb.c b/examples/samplesshd-cb.c
+index f93ab4b4..39efaf9a 100644
+--- a/examples/samplesshd-cb.c
++++ b/examples/samplesshd-cb.c
+@@ -215,10 +215,11 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
+ static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL};
+ #endif /* HAVE_ARGP_H */
+
+-int main(int argc, char **argv){
+- ssh_session session;
+- ssh_bind sshbind;
+- ssh_event mainloop;
++int main(int argc, char **argv)
++{
++ ssh_session session = NULL;
++ ssh_bind sshbind = NULL;
++ ssh_event mainloop = NULL;
+ struct ssh_server_callbacks_struct cb = {
+ .userdata = NULL,
+ .auth_password_function = auth_password,
+@@ -303,4 +304,3 @@ int main(int argc, char **argv){
+ ssh_finalize();
+ return 0;
+ }
+-
+diff --git a/examples/samplesshd-kbdint.c b/examples/samplesshd-kbdint.c
+index 522aebd6..88f0458a 100644
+--- a/examples/samplesshd-kbdint.c
++++ b/examples/samplesshd-kbdint.c
+@@ -183,8 +183,8 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) {
+ static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL};
+ #endif /* HAVE_ARGP_H */
+
+-static const char *name;
+-static const char *instruction;
++static const char *name = NULL;
++static const char *instruction = NULL;
+ static const char *prompts[2];
+ static char echo[] = { 1, 0 };
+
+@@ -288,11 +288,12 @@ static int authenticate(ssh_session session) {
+ return 0;
+ }
+
+-int main(int argc, char **argv){
+- ssh_session session;
+- ssh_bind sshbind;
+- ssh_message message;
+- ssh_channel chan=0;
++int main(int argc, char **argv)
++{
++ ssh_session session = NULL;
++ ssh_bind sshbind = NULL;
++ ssh_message message = NULL;
++ ssh_channel chan = NULL;
+ char buf[2048];
+ int auth=0;
+ int shell=0;
+@@ -422,4 +423,3 @@ int main(int argc, char **argv){
+ ssh_finalize();
+ return 0;
+ }
+-
+diff --git a/examples/scp_download.c b/examples/scp_download.c
+index 85ccf92b..eda67764 100644
+--- a/examples/scp_download.c
++++ b/examples/scp_download.c
+@@ -104,7 +104,7 @@ static int fetch_files(ssh_session session){
+ int size;
+ char buffer[16384];
+ int mode;
+- char *filename;
++ char *filename = NULL;
+ int r;
+ ssh_scp scp=ssh_scp_new(session, SSH_SCP_READ | SSH_SCP_RECURSIVE, "/tmp/libssh_tests/*");
+ if(ssh_scp_init(scp) != SSH_OK){
+@@ -163,7 +163,7 @@ static int fetch_files(ssh_session session){
+ }
+
+ int main(int argc, char **argv){
+- ssh_session session;
++ ssh_session session = NULL;
+ if(opts(argc,argv)<0)
+ return EXIT_FAILURE;
+ session=connect_ssh(host,NULL,verbosity);
+diff --git a/examples/senddata.c b/examples/senddata.c
+index 042b462b..1104acdc 100644
+--- a/examples/senddata.c
++++ b/examples/senddata.c
+@@ -6,7 +6,7 @@
+ #define LIMIT 0x100000000UL
+
+ int main(void) {
+- ssh_session session;
++ ssh_session session = NULL;
+ ssh_channel channel;
+ char buffer[1024*1024];
+ int rc;
+@@ -47,7 +47,7 @@ int main(void) {
+ if(total > LIMIT)
+ break;
+ }
+-
++
+ if (rc < 0) {
+ printf("error : %s\n",ssh_get_error(session));
+ ssh_channel_close(channel);
+diff --git a/examples/ssh_client.c b/examples/ssh_client.c
+index b0c5a7ff..db226d53 100644
+--- a/examples/ssh_client.c
++++ b/examples/ssh_client.c
+@@ -50,7 +50,7 @@ static struct termios terminal;
+
+ static char *pcap_file = NULL;
+
+-static char *proxycommand;
++static char *proxycommand = NULL;
+
+ static int auth_callback(const char *prompt,
+ char *buf,
+@@ -238,7 +238,7 @@ static void select_loop(ssh_session session,ssh_channel channel)
+
+ static void shell(ssh_session session)
+ {
+- ssh_channel channel;
++ ssh_channel channel = NULL;
+ struct termios terminal_local;
+ int interactive=isatty(0);
+ channel = ssh_channel_new(session);
+@@ -300,7 +300,7 @@ static void batch_shell(ssh_session session)
+ static int client(ssh_session session)
+ {
+ int auth = 0;
+- char *banner;
++ char *banner = NULL;
+ int state;
+
+ if (user) {
+@@ -378,7 +378,7 @@ static void cleanup_pcap(void)
+
+ int main(int argc, char **argv)
+ {
+- ssh_session session;
++ ssh_session session = NULL;
+
+ session = ssh_new();
+
+diff --git a/examples/sshnetcat.c b/examples/sshnetcat.c
+index 28fb2765..0665d004 100644
+--- a/examples/sshnetcat.c
++++ b/examples/sshnetcat.c
+@@ -34,7 +34,7 @@ clients must be made or how a client should react.
+ #include <fcntl.h>
+
+ #include "examples_common.h"
+-char *host;
++char *host = NULL;
+ const char *desthost="localhost";
+ const char *port="22";
+
+@@ -187,7 +187,7 @@ static void forwarding(ssh_session session){
+
+ static int client(ssh_session session){
+ int auth=0;
+- char *banner;
++ char *banner = NULL;
+ int state;
+
+ if (ssh_options_set(session, SSH_OPTIONS_HOST ,host) < 0)
+@@ -239,7 +239,7 @@ void cleanup_pcap(){
+ #endif
+
+ int main(int argc, char **argv){
+- ssh_session session;
++ ssh_session session = NULL;
+
+ session = ssh_new();
+
+diff --git a/src/agent.c b/src/agent.c
+index 7704e8f1..cabe9b6b 100644
+--- a/src/agent.c
++++ b/src/agent.c
+@@ -418,8 +418,9 @@ ssh_key ssh_agent_get_first_ident(struct ssh_session_struct *session,
+
+ /* caller has to free commment */
+ ssh_key ssh_agent_get_next_ident(struct ssh_session_struct *session,
+- char **comment) {
+- struct ssh_key_struct *key;
++ char **comment)
++{
++ struct ssh_key_struct *key = NULL;
+ struct ssh_string_struct *blob = NULL;
+ struct ssh_string_struct *tmp = NULL;
+ int rc;
+@@ -488,10 +489,10 @@ ssh_string ssh_agent_sign_data(ssh_session session,
+ const ssh_key pubkey,
+ struct ssh_buffer_struct *data)
+ {
+- ssh_buffer request;
+- ssh_buffer reply;
+- ssh_string key_blob;
+- ssh_string sig_blob;
++ ssh_buffer request = NULL;
++ ssh_buffer reply = NULL;
++ ssh_string key_blob = NULL;
++ ssh_string sig_blob = NULL;
+ unsigned int type = 0;
+ unsigned int flags = 0;
+ uint32_t dlen;
+diff --git a/src/auth.c b/src/auth.c
+index 993e6dfe..531ab8bd 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -191,8 +191,9 @@ static int ssh_userauth_get_response(ssh_session session) {
+ *
+ * This banner should be shown to user prior to authentication
+ */
+-SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) {
+- ssh_string banner;
++SSH_PACKET_CALLBACK(ssh_packet_userauth_banner)
++{
++ ssh_string banner = NULL;
+ (void)type;
+ (void)user;
+
+@@ -1299,7 +1300,7 @@ int ssh_userauth_agent_pubkey(ssh_session session,
+ const char *username,
+ ssh_public_key publickey)
+ {
+- ssh_key key;
++ ssh_key key = NULL;
+ int rc;
+
+ key = ssh_key_new();
+diff --git a/src/bind.c b/src/bind.c
+index 63ef3a94..0cf8bea9 100644
+--- a/src/bind.c
++++ b/src/bind.c
+@@ -73,7 +73,7 @@
+ static socket_t bind_socket(ssh_bind sshbind, const char *hostname,
+ int port) {
+ char port_c[6];
+- struct addrinfo *ai;
++ struct addrinfo *ai = NULL;
+ struct addrinfo hints;
+ int opt = 1;
+ socket_t s;
+@@ -129,8 +129,9 @@ static socket_t bind_socket(ssh_bind sshbind, const char *hostname,
+ return s;
+ }
+
+-ssh_bind ssh_bind_new(void) {
+- ssh_bind ptr;
++ssh_bind ssh_bind_new(void)
++{
++ ssh_bind ptr = NULL;
+
+ ptr = malloc(sizeof(struct ssh_bind_struct));
+ if (ptr == NULL) {
+@@ -249,7 +250,7 @@ static int ssh_bind_import_keys(ssh_bind sshbind) {
+ }
+
+ int ssh_bind_listen(ssh_bind sshbind) {
+- const char *host;
++ const char *host = NULL;
+ socket_t fd;
+ int rc;
+
+diff --git a/src/buffer.c b/src/buffer.c
+index da6e587f..50469e62 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -365,7 +365,8 @@ int ssh_buffer_allocate_size(struct ssh_buffer_struct *buffer,
+ */
+ void *ssh_buffer_allocate(struct ssh_buffer_struct *buffer, uint32_t len)
+ {
+- void *ptr;
++ void *ptr = NULL;
++
+ buffer_verify(buffer);
+
+ if (buffer->used + len < len) {
+@@ -922,7 +923,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer,
+ va_list ap)
+ {
+ int rc = SSH_ERROR;
+- const char *p;
++ const char *p = NULL;
+ union {
+ uint8_t byte;
+ uint16_t word;
+@@ -931,7 +932,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer,
+ ssh_string string;
+ void *data;
+ } o;
+- char *cstring;
++ char *cstring = NULL;
+ bignum b;
+ size_t len;
+ int count;
+@@ -1086,7 +1087,7 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
+ va_list ap)
+ {
+ int rc = SSH_ERROR;
+- const char *p, *last;
++ const char *p = NULL, *last = NULL;
+ union {
+ uint8_t *byte;
+ uint16_t *word;
+diff --git a/src/callbacks.c b/src/callbacks.c
+index 3ed2f11c..6bfed62a 100644
+--- a/src/callbacks.c
++++ b/src/callbacks.c
+@@ -113,7 +113,7 @@ int ssh_add_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb)
+
+ int ssh_remove_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb)
+ {
+- struct ssh_iterator *it;
++ struct ssh_iterator *it = NULL;
+
+ if (channel == NULL || channel->callbacks == NULL){
+ return SSH_ERROR;
+diff --git a/src/chachapoly.c b/src/chachapoly.c
+index 904303ef..6a3aba18 100644
+--- a/src/chachapoly.c
++++ b/src/chachapoly.c
+@@ -50,7 +50,7 @@ static int chacha20_set_encrypt_key(struct ssh_cipher_struct *cipher,
+ void *key,
+ void *IV)
+ {
+- struct chacha20_poly1305_keysched *sched;
++ struct chacha20_poly1305_keysched *sched = NULL;
+ uint8_t *u8key = key;
+ (void)IV;
+
+diff --git a/src/channels.c b/src/channels.c
+index b94016f1..ae2f55a5 100644
+--- a/src/channels.c
++++ b/src/channels.c
+@@ -141,7 +141,7 @@ uint32_t ssh_channel_new_id(ssh_session session) {
+ */
+ SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf){
+ uint32_t channelid=0;
+- ssh_channel channel;
++ ssh_channel channel = NULL;
+ int rc;
+ (void)type;
+ (void)user;
+@@ -202,7 +202,7 @@ error:
+ */
+ SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){
+
+- ssh_channel channel;
++ ssh_channel channel = NULL;
+ char *error = NULL;
+ uint32_t code;
+ int rc;
+@@ -343,7 +343,7 @@ end:
+ /* return channel with corresponding local id, or NULL if not found */
+ ssh_channel ssh_channel_from_local(ssh_session session, uint32_t id) {
+ struct ssh_iterator *it;
+- ssh_channel channel;
++ ssh_channel channel = NULL;
+
+ for (it = ssh_list_get_iterator(session->channels); it != NULL ; it=it->next) {
+ channel = ssh_iterator_value(ssh_channel, it);
+@@ -423,7 +423,7 @@ error:
+ * unknown or the packet is invalid.
+ */
+ static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) {
+- ssh_channel channel;
++ ssh_channel channel = NULL;
+ uint32_t chan;
+ int rc;
+
+@@ -445,7 +445,7 @@ static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) {
+ }
+
+ SSH_PACKET_CALLBACK(channel_rcv_change_window) {
+- ssh_channel channel;
++ ssh_channel channel = NULL;
+ uint32_t bytes;
+ int rc;
+ (void)user;
+@@ -584,7 +584,7 @@ SSH_PACKET_CALLBACK(channel_rcv_data){
+ }
+
+ SSH_PACKET_CALLBACK(channel_rcv_eof) {
+- ssh_channel channel;
++ ssh_channel channel = NULL;
+ (void)user;
+ (void)type;
+
+@@ -611,8 +611,9 @@ SSH_PACKET_CALLBACK(channel_rcv_eof) {
+ return SSH_PACKET_USED;
+ }
+
+-SSH_PACKET_CALLBACK(channel_rcv_close) {
+- ssh_channel channel;
++SSH_PACKET_CALLBACK(channel_rcv_close)
++{
++ ssh_channel channel = NULL;
+ (void)user;
+ (void)type;
+
+@@ -812,7 +813,7 @@ SSH_PACKET_CALLBACK(channel_rcv_request) {
+ */
+ int channel_default_bufferize(ssh_channel channel, void *data, int len,
+ int is_stderr) {
+- ssh_session session;
++ ssh_session session = NULL;
+
+ if(channel == NULL) {
+ return -1;
+@@ -946,7 +947,7 @@ int ssh_channel_open_auth_agent(ssh_channel channel){
+ */
+ int ssh_channel_open_forward(ssh_channel channel, const char *remotehost,
+ int remoteport, const char *sourcehost, int localport) {
+- ssh_session session;
++ ssh_session session = NULL;
+ ssh_buffer payload = NULL;
+ ssh_string str = NULL;
+ int rc = SSH_ERROR;
+@@ -1002,7 +1003,7 @@ error:
+ */
+ void ssh_channel_free(ssh_channel channel)
+ {
+- ssh_session session;
++ ssh_session session = NULL;
+
+ if (channel == NULL) {
+ return;
+@@ -1100,7 +1101,7 @@ void ssh_channel_do_free(ssh_channel channel)
+ * @see ssh_channel_is_eof()
+ */
+ int ssh_channel_send_eof(ssh_channel channel){
+- ssh_session session;
++ ssh_session session = NULL;
+ int rc = SSH_ERROR;
+ int err;
+
+@@ -1153,7 +1154,7 @@ error:
+ */
+ int ssh_channel_close(ssh_channel channel)
+ {
+- ssh_session session;
++ ssh_session session = NULL;
+ int rc = 0;
+
+ if(channel == NULL) {
+@@ -1249,7 +1250,7 @@ static int channel_write_common(ssh_channel channel,
+ const void *data,
+ uint32_t len, int is_stderr)
+ {
+- ssh_session session;
++ ssh_session session = NULL;
+ uint32_t origlen = len;
+ size_t effectivelen;
+ size_t maxpacketlen;
+@@ -1503,7 +1504,7 @@ void ssh_channel_set_blocking(ssh_channel channel, int blocking) {
+ * @brief handle a SSH_CHANNEL_SUCCESS packet and set the channel state.
+ */
+ SSH_PACKET_CALLBACK(ssh_packet_channel_success){
+- ssh_channel channel;
++ ssh_channel channel = NULL;
+ (void)type;
+ (void)user;
+
+@@ -1533,7 +1534,7 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_success){
+ * @brief Handle a SSH_CHANNEL_FAILURE packet and set the channel state.
+ */
+ SSH_PACKET_CALLBACK(ssh_packet_channel_failure){
+- ssh_channel channel;
++ ssh_channel channel = NULL;
+ (void)type;
+ (void)user;
+
+@@ -1960,7 +1961,7 @@ static ssh_channel ssh_channel_accept(ssh_session session, int channeltype,
+ #endif
+ ssh_message msg = NULL;
+ ssh_channel channel = NULL;
+- struct ssh_iterator *iterator;
++ struct ssh_iterator *iterator = NULL;
+ int t;
+
+ /*
+@@ -2590,7 +2591,7 @@ error:
+ */
+ int channel_read_buffer(ssh_channel channel, ssh_buffer buffer, uint32_t count,
+ int is_stderr) {
+- ssh_session session;
++ ssh_session session = NULL;
+ char buffer_tmp[8192];
+ int r;
+ uint32_t total=0;
+@@ -2726,7 +2727,7 @@ int ssh_channel_read_timeout(ssh_channel channel,
+ int is_stderr,
+ int timeout_ms)
+ {
+- ssh_session session;
++ ssh_session session = NULL;
+ ssh_buffer stdbuf;
+ uint32_t len;
+ struct ssh_channel_read_termination_struct ctx;
+@@ -2837,7 +2838,7 @@ int ssh_channel_read_timeout(ssh_channel channel,
+ */
+ int ssh_channel_read_nonblocking(ssh_channel channel, void *dest, uint32_t count,
+ int is_stderr) {
+- ssh_session session;
++ ssh_session session = NULL;
+ int to_read;
+ int rc;
+ int blocking;
+@@ -2940,8 +2941,8 @@ int ssh_channel_poll(ssh_channel channel, int is_stderr){
+ * @see ssh_channel_is_eof()
+ */
+ int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr){
+- ssh_session session;
+- ssh_buffer stdbuf;
++ ssh_session session = NULL;
++ ssh_buffer stdbuf = NULL;
+ struct ssh_channel_read_termination_struct ctx;
+ int rc;
+
+@@ -3042,7 +3043,7 @@ int ssh_channel_get_exit_status(ssh_channel channel) {
+ */
+ static int channel_protocol_select(ssh_channel *rchans, ssh_channel *wchans,
+ ssh_channel *echans, ssh_channel *rout, ssh_channel *wout, ssh_channel *eout) {
+- ssh_channel chan;
++ ssh_channel chan = NULL;
+ int i;
+ int j = 0;
+
+@@ -3121,7 +3122,7 @@ static int count_ptrs(ssh_channel *ptrs) {
+ */
+ int ssh_channel_select(ssh_channel *readchans, ssh_channel *writechans,
+ ssh_channel *exceptchans, struct timeval * timeout) {
+- ssh_channel *rchans, *wchans, *echans;
++ ssh_channel *rchans = NULL, *wchans = NULL, *echans = NULL;
+ ssh_channel dummy = NULL;
+ ssh_event event = NULL;
+ int rc;
+@@ -3305,7 +3306,7 @@ int ssh_channel_write_stderr(ssh_channel channel, const void *data, uint32_t len
+ */
+ int ssh_channel_open_reverse_forward(ssh_channel channel, const char *remotehost,
+ int remoteport, const char *sourcehost, int localport) {
+- ssh_session session;
++ ssh_session session = NULL;
+ ssh_buffer payload = NULL;
+ int rc = SSH_ERROR;
+
+@@ -3368,7 +3369,7 @@ error:
+ */
+ int ssh_channel_open_x11(ssh_channel channel,
+ const char *orig_addr, int orig_port) {
+- ssh_session session;
++ ssh_session session = NULL;
+ ssh_buffer payload = NULL;
+ int rc = SSH_ERROR;
+
+diff --git a/src/client.c b/src/client.c
+index 1132c0a0..5ece34b8 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -656,7 +656,7 @@ int ssh_get_openssh_version(ssh_session session) {
+ * @param[in] session The SSH session to use.
+ */
+ void ssh_disconnect(ssh_session session) {
+- struct ssh_iterator *it;
++ struct ssh_iterator *it = NULL;
+ int rc;
+
+ if (session == NULL) {
+diff --git a/src/config.c b/src/config.c
+index 7dd3ae8c..8bf2c1a8 100644
+--- a/src/config.c
++++ b/src/config.c
+@@ -229,7 +229,7 @@ static enum ssh_config_opcode_e ssh_config_get_opcode(char *keyword) {
+ }
+
+ static void local_parse_file(ssh_session session, const char *filename, int *parsing, int seen[]) {
+- FILE *f;
++ FILE *f = NULL;
+ char line[MAX_LINE_SIZE] = {0};
+ unsigned int count = 0;
+
+@@ -730,7 +730,7 @@ static int ssh_config_parse_line(ssh_session session, const char *line,
+ int ssh_config_parse_file(ssh_session session, const char *filename) {
+ char line[MAX_LINE_SIZE] = {0};
+ unsigned int count = 0;
+- FILE *f;
++ FILE *f = NULL;
+ int parsing;
+ int seen[SOC_END - SOC_UNSUPPORTED] = {0};
+
+diff --git a/src/connect.c b/src/connect.c
+index d45be04b..a58bd4b0 100644
+--- a/src/connect.c
++++ b/src/connect.c
+@@ -355,8 +355,8 @@ socket_t ssh_connect_host_nonblocking(ssh_session session, const char *host,
+ }
+
+ if (bind_addr) {
+- struct addrinfo *bind_ai;
+- struct addrinfo *bind_itr;
++ struct addrinfo *bind_ai = NULL;
++ struct addrinfo *bind_itr = NULL;
+
+ SSH_LOG(SSH_LOG_PACKET, "Resolving %s", bind_addr);
+
+diff --git a/src/connector.c b/src/connector.c
+index 0062785c..868ba1ec 100644
+--- a/src/connector.c
++++ b/src/connector.c
+@@ -622,8 +622,9 @@ error:
+ return rc;
+ }
+
+-int ssh_connector_remove_event(ssh_connector connector) {
+- ssh_session session;
++int ssh_connector_remove_event(ssh_connector connector)
++{
++ ssh_session session = NULL;
+
+ if (connector->in_poll != NULL) {
+ ssh_event_remove_poll(connector->event, connector->in_poll);
+diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c
+index 7e5f0cc7..43d7fec2 100644
+--- a/src/ecdh_crypto.c
++++ b/src/ecdh_crypto.c
+@@ -204,7 +204,7 @@ int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet){
+ const EC_POINT *ecdh_pubkey;
+ bignum_CTX ctx;
+ /* SSH host keys (rsa,dsa,ecdsa) */
+- ssh_key privkey;
++ ssh_key privkey = NULL;
+ ssh_string sig_blob = NULL;
+ ssh_string pubkey_blob = NULL;
+ int curve;
+diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c
+index c1db7f5d..789b06b9 100644
+--- a/src/ecdh_gcrypt.c
++++ b/src/ecdh_gcrypt.c
+@@ -128,9 +128,9 @@ int ecdh_build_k(ssh_session session)
+ #else
+ size_t k_len = 0;
+ enum ssh_key_exchange_e kex_type = session->next_crypto->kex_type;
+- ssh_string s;
++ ssh_string s = NULL;
+ #endif
+- ssh_string pubkey_raw;
++ ssh_string pubkey_raw = NULL;
+ gcry_sexp_t pubkey = NULL;
+ ssh_string privkey = NULL;
+ int rc = SSH_ERROR;
+@@ -261,12 +261,12 @@ int ecdh_build_k(ssh_session session)
+ int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet) {
+ gpg_error_t err;
+ /* ECDH keys */
+- ssh_string q_c_string;
+- ssh_string q_s_string;
++ ssh_string q_c_string = NULL;
++ ssh_string q_s_string = NULL;
+ gcry_sexp_t param = NULL;
+ gcry_sexp_t key = NULL;
+ /* SSH host keys (rsa,dsa,ecdsa) */
+- ssh_key privkey;
++ ssh_key privkey = NULL;
+ ssh_string sig_blob = NULL;
+ ssh_string pubkey_blob = NULL;
+ int rc = SSH_ERROR;
+diff --git a/src/gcrypt_missing.c b/src/gcrypt_missing.c
+index 80562317..60d6181c 100644
+--- a/src/gcrypt_missing.c
++++ b/src/gcrypt_missing.c
+@@ -47,7 +47,7 @@ int ssh_gcry_dec2bn(bignum *bn, const char *data) {
+
+ char *ssh_gcry_bn2dec(bignum bn) {
+ bignum bndup, num, ten;
+- char *ret;
++ char *ret = NULL;
+ int count, count2;
+ int size, rsize;
+ char decnum;
+diff --git a/src/getpass.c b/src/getpass.c
+index 99627665..dceaf4dd 100644
+--- a/src/getpass.c
++++ b/src/getpass.c
+@@ -45,7 +45,7 @@
+ * @return 1 on success, 0 on error.
+ */
+ static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) {
+- char *tmp;
++ char *tmp = NULL;
+ char *ptr = NULL;
+ int ok = 0;
+
+@@ -77,7 +77,7 @@ static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) {
+ }
+
+ if (verify) {
+- char *key_string;
++ char *key_string = NULL;
+
+ key_string = calloc(1, len);
+ if (key_string == NULL) {
+diff --git a/src/gssapi.c b/src/gssapi.c
+index e1b37c76..8bbfc0c8 100644
+--- a/src/gssapi.c
++++ b/src/gssapi.c
+@@ -190,7 +190,7 @@ int ssh_gssapi_handle_userauth(ssh_session session, const char *user, uint32_t n
+ gss_name_t server_name; /* local server fqdn */
+ OM_uint32 maj_stat, min_stat;
+ size_t i;
+- char *ptr;
++ char *ptr = NULL;
+ gss_OID_set supported; /* oids supported by server */
+ gss_OID_set both_supported; /* oids supported by both client and server */
+ gss_OID_set selected; /* oid selected for authentication */
+@@ -313,7 +313,7 @@ int ssh_gssapi_handle_userauth(ssh_session session, const char *user, uint32_t n
+ static char *ssh_gssapi_name_to_char(gss_name_t name){
+ gss_buffer_desc buffer;
+ OM_uint32 maj_stat, min_stat;
+- char *ptr;
++ char *ptr = NULL;
+ maj_stat = gss_display_name(&min_stat, name, &buffer, NULL);
+ ssh_gssapi_log_error(SSH_LOG_WARNING,
+ "converting name",
+@@ -327,9 +327,10 @@ static char *ssh_gssapi_name_to_char(gss_name_t name){
+
+ }
+
+-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){
+- ssh_string token;
+- char *hexa;
++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server)
++{
++ ssh_string token = NULL;
++ char *hexa = NULL;
+ OM_uint32 maj_stat, min_stat;
+ gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER;
+ gss_name_t client_name = GSS_C_NO_NAME;
+@@ -353,7 +354,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){
+ }
+
+ if (ssh_callbacks_exists(session->server_callbacks, gssapi_accept_sec_ctx_function)){
+- ssh_string out_token=NULL;
++ ssh_string out_token = NULL;
+ rc = session->server_callbacks->gssapi_accept_sec_ctx_function(session,
+ token, &out_token, session->server_callbacks->userdata);
+ if (rc == SSH_ERROR){
+@@ -457,7 +458,7 @@ static ssh_buffer ssh_gssapi_build_mic(ssh_session session){
+
+ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_mic)
+ {
+- ssh_string mic_token;
++ ssh_string mic_token = NULL;
+ OM_uint32 maj_stat, min_stat;
+ gss_buffer_desc mic_buf = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc mic_token_buf = GSS_C_EMPTY_BUFFER;
+@@ -616,7 +617,7 @@ static int ssh_gssapi_match(ssh_session session, gss_OID_set *valid_oids)
+ gss_name_t client_id = GSS_C_NO_NAME;
+ gss_OID oid;
+ unsigned int i;
+- char *ptr;
++ char *ptr = NULL;
+ int ret;
+
+ if (session->gssapi->client.client_deleg_creds == NULL) {
+@@ -789,11 +790,11 @@ static gss_OID ssh_gssapi_oid_from_string(ssh_string oid_s){
+ }
+
+ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){
+- ssh_string oid_s;
++ ssh_string oid_s = NULL;
+ gss_uint32 maj_stat, min_stat;
+ gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
+- char *hexa;
++ char *hexa = NULL;
+ (void)type;
+ (void)user;
+
+@@ -899,9 +900,10 @@ static int ssh_gssapi_send_mic(ssh_session session){
+ return ssh_packet_send(session);
+ }
+
+-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){
+- ssh_string token;
+- char *hexa;
++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client)
++{
++ ssh_string token = NULL;
++ char *hexa = NULL;
+ OM_uint32 maj_stat, min_stat;
+ gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER;
+ (void)user;
+diff --git a/src/kex.c b/src/kex.c
+index c100d908..35272b14 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -765,7 +765,7 @@ char *ssh_client_select_hostkeys(ssh_session session)
+ int ssh_set_client_kex(ssh_session session)
+ {
+ struct ssh_kex_struct *client= &session->next_crypto->client_kex;
+- const char *wanted;
++ const char *wanted = NULL;
+ int ok;
+ int i;
+
+diff --git a/src/known_hosts.c b/src/known_hosts.c
+index 407e1de5..dddfd8a5 100644
+--- a/src/known_hosts.c
++++ b/src/known_hosts.c
+@@ -98,8 +98,8 @@ static void tokens_free(char **tokens) {
+ static char **ssh_get_knownhost_line(FILE **file, const char *filename,
+ const char **found_type) {
+ char buffer[4096] = {0};
+- char *ptr;
+- char **tokens;
++ char *ptr = NULL;
++ char **tokens = NULL;
+
+ if(*file == NULL){
+ *file = fopen(filename,"r");
+@@ -165,7 +165,7 @@ static char **ssh_get_knownhost_line(FILE **file, const char *filename,
+ static int check_public_key(ssh_session session, char **tokens) {
+ ssh_string pubkey_blob = NULL;
+ ssh_buffer pubkey_buffer;
+- char *pubkey_64;
++ char *pubkey_64 = NULL;
+ int rc;
+
+ /* ssh-dss or ssh-rsa */
+@@ -221,11 +221,11 @@ static int match_hashed_host(const char *host, const char *sourcehash)
+ * hash := HMAC_SHA1(key=salt,data=host)
+ */
+ unsigned char buffer[256] = {0};
+- ssh_buffer salt;
+- ssh_buffer hash;
+- HMACCTX mac;
+- char *source;
+- char *b64hash;
++ ssh_buffer salt = NULL;
++ ssh_buffer hash = NULL;
++ HMACCTX mac = NULL;
++ char *source = NULL;
++ char *b64hash = NULL;
+ int match;
+ unsigned int size;
+
+@@ -308,12 +308,12 @@ static int match_hashed_host(const char *host, const char *sourcehash)
+ int ssh_is_server_known(ssh_session session) {
+ FILE *file = NULL;
+ char **tokens;
+- char *host;
+- char *hostport;
+- const char *type;
++ char *host = NULL;
++ char *hostport = NULL;
++ const char *type = NULL;
+ int match;
+ int i=0;
+- char * files[3];
++ char * files[3] = {0};
+ int ret = SSH_SERVER_NOT_KNOWN;
+
+ if (session->opts.knownhosts == NULL) {
+@@ -445,11 +445,11 @@ int ssh_is_server_known(ssh_session session) {
+ */
+ char * ssh_dump_knownhost(ssh_session session) {
+ ssh_key server_pubkey = NULL;
+- char *host;
+- char *hostport;
++ char *host = NULL;
++ char *hostport = NULL;
+ size_t len = 4096;
+- char *buffer;
+- char *b64_key;
++ char *buffer = NULL;
++ char *b64_key = NULL;
+ int rc;
+
+ if (session->opts.host == NULL) {
+@@ -513,9 +513,9 @@ char * ssh_dump_knownhost(ssh_session session) {
+ * @brief This function is deprecated
+ */
+ int ssh_write_knownhost(ssh_session session) {
+- FILE *file;
+- char *buffer;
+- char *dir;
++ FILE *file = NULL;
++ char *buffer = NULL;
++ char *dir = NULL;
+
+ if (session->opts.knownhosts == NULL) {
+ if (ssh_options_apply(session) < 0) {
+diff --git a/src/knownhosts.c b/src/knownhosts.c
+index 3ea22970..2abdb4b6 100644
+--- a/src/knownhosts.c
++++ b/src/knownhosts.c
+@@ -55,7 +55,7 @@ static int hash_hostname(const char *name,
+ unsigned char **hash,
+ unsigned int *hash_size)
+ {
+- HMACCTX mac_ctx;
++ HMACCTX mac_ctx = NULL;
+
+ mac_ctx = hmac_init(salt, salt_size, SSH_HMAC_SHA1);
+ if (mac_ctx == NULL) {
+@@ -70,8 +70,8 @@ static int hash_hostname(const char *name,
+
+ static int match_hashed_hostname(const char *host, const char *hashed_host)
+ {
+- char *hashed;
+- char *b64_hash;
++ char *hashed = NULL;
++ char *b64_hash = NULL;
+ ssh_buffer salt = NULL;
+ ssh_buffer hash = NULL;
+ unsigned char hashed_buf[256] = {0};
+@@ -195,7 +195,7 @@ static int ssh_known_hosts_read_entries(const char *match,
+ char line[8192];
+ size_t lineno = 0;
+ size_t len = 0;
+- FILE *fp;
++ FILE *fp = NULL;
+ int rc;
+
+ fp = fopen(filename, "r");
+@@ -253,8 +253,8 @@ error:
+
+ static char *ssh_session_get_host_port(ssh_session session)
+ {
+- char *host_port;
+- char *host;
++ char *host_port = NULL;
++ char *host = NULL;
+
+ if (session->opts.host == NULL) {
+ ssh_set_error(session,
+@@ -410,7 +410,7 @@ int ssh_known_hosts_parse_line(const char *hostname,
+ {
+ struct ssh_knownhosts_entry *e = NULL;
+ char *known_host = NULL;
+- char *p;
++ char *p = NULL;
+ enum ssh_keytypes_e key_type;
+ int match = 0;
+ int rc = SSH_OK;
+diff --git a/src/legacy.c b/src/legacy.c
+index c35ec337..b1c8e150 100644
+--- a/src/legacy.c
++++ b/src/legacy.c
+@@ -48,7 +48,7 @@ int ssh_auth_list(ssh_session session) {
+ int ssh_userauth_offer_pubkey(ssh_session session, const char *username,
+ int type, ssh_string publickey)
+ {
+- ssh_key key;
++ ssh_key key = NULL;
+ int rc;
+
+ (void) type; /* unused */
+@@ -70,7 +70,7 @@ int ssh_userauth_pubkey(ssh_session session,
+ ssh_string publickey,
+ ssh_private_key privatekey)
+ {
+- ssh_key key;
++ ssh_key key = NULL;
+ int rc;
+
+ (void) publickey; /* unused */
+@@ -373,10 +373,11 @@ void publickey_free(ssh_public_key key) {
+ SAFE_FREE(key);
+ }
+
+-ssh_public_key publickey_from_privatekey(ssh_private_key prv) {
+- struct ssh_public_key_struct *p;
+- ssh_key privkey;
+- ssh_key pubkey;
++ssh_public_key publickey_from_privatekey(ssh_private_key prv)
++{
++ struct ssh_public_key_struct *p = NULL;
++ ssh_key privkey = NULL;
++ ssh_key pubkey = NULL;
+ int rc;
+
+ privkey = ssh_key_new();
+@@ -410,8 +411,8 @@ ssh_private_key privatekey_from_file(ssh_session session,
+ const char *passphrase) {
+ ssh_auth_callback auth_fn = NULL;
+ void *auth_data = NULL;
+- ssh_private_key privkey;
+- ssh_key key;
++ ssh_private_key privkey = NULL;
++ ssh_key key = NULL;
+ int rc;
+
+ (void) type; /* unused */
+@@ -476,7 +477,7 @@ void privatekey_free(ssh_private_key prv) {
+
+ ssh_string publickey_from_file(ssh_session session, const char *filename,
+ int *type) {
+- ssh_key key;
++ ssh_key key = NULL;
+ ssh_string key_str = NULL;
+ int rc;
+
+@@ -509,9 +510,10 @@ int ssh_type_from_name(const char *name) {
+ return ssh_key_type_from_name(name);
+ }
+
+-ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) {
+- struct ssh_public_key_struct *pubkey;
+- ssh_key key;
++ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s)
++{
++ struct ssh_public_key_struct *pubkey = NULL;
++ ssh_key key = NULL;
+ int rc;
+
+ (void) session; /* unused */
+@@ -540,9 +542,10 @@ ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) {
+ return pubkey;
+ }
+
+-ssh_string publickey_to_string(ssh_public_key pubkey) {
+- ssh_key key;
+- ssh_string key_blob;
++ssh_string publickey_to_string(ssh_public_key pubkey)
++{
++ ssh_key key = NULL;
++ ssh_string key_blob = NULL;
+ int rc;
+
+ key = ssh_key_new();
+@@ -573,11 +576,11 @@ int ssh_publickey_to_file(ssh_session session,
+ ssh_string pubkey,
+ int type)
+ {
+- FILE *fp;
+- char *user;
++ FILE *fp = NULL;
++ char *user = NULL;
+ char buffer[1024];
+ char host[256];
+- unsigned char *pubkey_64;
++ unsigned char *pubkey_64 = NULL;
+ size_t len;
+ int rc;
+ if(session==NULL)
+@@ -640,9 +643,9 @@ int ssh_try_publickey_from_file(ssh_session session,
+ const char *keyfile,
+ ssh_string *publickey,
+ int *type) {
+- char *pubkey_file;
++ char *pubkey_file = NULL;
+ size_t len;
+- ssh_string pubkey_string;
++ ssh_string pubkey_string = NULL;
+ int pubkey_type;
+
+ if (session == NULL || keyfile == NULL || publickey == NULL || type == NULL) {
+diff --git a/src/log.c b/src/log.c
+index a8664b16..b26ed8be 100644
+--- a/src/log.c
++++ b/src/log.c
+@@ -40,7 +40,7 @@
+
+ static LIBSSH_THREAD int ssh_log_level;
+ static LIBSSH_THREAD ssh_logging_callback ssh_log_cb;
+-static LIBSSH_THREAD void *ssh_log_userdata;
++static LIBSSH_THREAD void *ssh_log_userdata = NULL;
+
+ /**
+ * @defgroup libssh_log The SSH logging functions.
+diff --git a/src/messages.c b/src/messages.c
+index 400b8e9b..a0e185bb 100644
+--- a/src/messages.c
++++ b/src/messages.c
+@@ -452,7 +452,7 @@ void ssh_message_queue(ssh_session session, ssh_message message){
+ */
+ ssh_message ssh_message_pop_head(ssh_session session){
+ ssh_message msg=NULL;
+- struct ssh_iterator *i;
++ struct ssh_iterator *i = NULL;
+ if(session->ssh_message_list == NULL)
+ return NULL;
+ i=ssh_list_get_iterator(session->ssh_message_list);
+@@ -466,7 +466,7 @@ ssh_message ssh_message_pop_head(ssh_session session){
+ /* Returns 1 if there is a message available */
+ static int ssh_message_termination(void *s){
+ ssh_session session = s;
+- struct ssh_iterator *it;
++ struct ssh_iterator *it = NULL;
+ if(session->session_state == SSH_SESSION_STATE_ERROR)
+ return 1;
+ it = ssh_list_get_iterator(session->ssh_message_list);
+@@ -658,7 +658,7 @@ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session,
+ struct ssh_crypto_struct *crypto =
+ session->current_crypto ? session->current_crypto :
+ session->next_crypto;
+- ssh_buffer buffer;
++ ssh_buffer buffer = NULL;
+ ssh_string str=NULL;
+ int rc;
+
+@@ -867,9 +867,9 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){
+ #ifdef WITH_GSSAPI
+ if (strcmp(method, "gssapi-with-mic") == 0) {
+ uint32_t n_oid;
+- ssh_string *oids;
+- ssh_string oid;
+- char *hexa;
++ ssh_string *oids = NULL;
++ ssh_string oid = NULL;
++ char *hexa = NULL;
+ int i;
+ ssh_buffer_get_u32(packet, &n_oid);
+ n_oid=ntohl(n_oid);
+@@ -953,7 +953,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){
+ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){
+ uint32_t nanswers;
+ uint32_t i;
+- ssh_string tmp;
++ ssh_string tmp = NULL;
+ int rc;
+
+ ssh_message msg = NULL;
+@@ -1175,7 +1175,7 @@ end:
+ }
+
+ int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_channel chan) {
+- ssh_session session;
++ ssh_session session = NULL;
+ int rc;
+
+ if (msg == NULL) {
+@@ -1216,7 +1216,7 @@ int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_c
+
+
+ ssh_channel ssh_message_channel_request_open_reply_accept(ssh_message msg) {
+- ssh_channel chan;
++ ssh_channel chan = NULL;
+ int rc;
+
+ if (msg == NULL) {
+diff --git a/src/misc.c b/src/misc.c
+index 9842b7f4..3601ffb5 100644
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -334,7 +334,7 @@ int ssh_is_ipaddr(const char *str) {
+ #endif /* _WIN32 */
+
+ char *ssh_lowercase(const char* str) {
+- char *new, *p;
++ char *new = NULL, *p = NULL;
+
+ if (str == NULL) {
+ return NULL;
+@@ -407,7 +407,7 @@ struct ssh_list *ssh_list_new(void) {
+ }
+
+ void ssh_list_free(struct ssh_list *list){
+- struct ssh_iterator *ptr,*next;
++ struct ssh_iterator *ptr = NULL, *next = NULL;
+ if(!list)
+ return;
+ ptr=list->root;
+@@ -426,7 +426,7 @@ struct ssh_iterator *ssh_list_get_iterator(const struct ssh_list *list){
+ }
+
+ struct ssh_iterator *ssh_list_find(const struct ssh_list *list, void *value){
+- struct ssh_iterator *it;
++ struct ssh_iterator *it = NULL;
+ for(it = ssh_list_get_iterator(list); it != NULL ;it=it->next)
+ if(it->data==value)
+ return it;
+@@ -496,7 +496,7 @@ int ssh_list_prepend(struct ssh_list *list, const void *data){
+ }
+
+ void ssh_list_remove(struct ssh_list *list, struct ssh_iterator *iterator){
+- struct ssh_iterator *ptr,*prev;
++ struct ssh_iterator *ptr = NULL, *prev = NULL;
+ prev=NULL;
+ ptr=list->root;
+ while(ptr && ptr != iterator){
+@@ -616,7 +616,7 @@ char *ssh_dirname (const char *path) {
+ */
+ char *ssh_basename (const char *path) {
+ char *new = NULL;
+- const char *s;
++ const char *s = NULL;
+ size_t len;
+
+ if (path == NULL || *path == '\0') {
+@@ -685,8 +685,8 @@ int ssh_mkdir(const char *pathname, mode_t mode) {
+ * @return The expanded directory, NULL on error.
+ */
+ char *ssh_path_expand_tilde(const char *d) {
+- char *h = NULL, *r;
+- const char *p;
++ char *h = NULL, *r = NULL;
++ const char *p = NULL;
+ size_t ld;
+ size_t lh = 0;
+
+@@ -701,7 +701,7 @@ char *ssh_path_expand_tilde(const char *d) {
+ #ifdef _WIN32
+ return strdup(d);
+ #else
+- struct passwd *pw;
++ struct passwd *pw = NULL;
+ size_t s = p - d;
+ char u[128];
+
+@@ -757,7 +757,7 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) {
+ char host[NI_MAXHOST];
+ char buf[MAX_BUF_SIZE];
+ char *r, *x = NULL;
+- const char *p;
++ const char *p = NULL;
+ size_t i, l;
+
+ r = ssh_path_expand_tilde(s);
+@@ -867,8 +867,8 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) {
+ */
+ int ssh_analyze_banner(ssh_session session, int server)
+ {
+- const char *banner;
+- const char *openssh;
++ const char *banner = NULL;
++ const char *openssh = NULL;
+
+ if (server) {
+ banner = session->clientbanner;
+diff --git a/src/options.c b/src/options.c
+index 5f9d3c26..6d0f111a 100644
+--- a/src/options.c
++++ b/src/options.c
+@@ -63,7 +63,7 @@
+ * @see ssh_session_connect()
+ */
+ int ssh_options_copy(ssh_session src, ssh_session *dest) {
+- ssh_session new;
++ ssh_session new = NULL;
+ int i;
+
+ if (src == NULL || dest == NULL) {
+@@ -399,8 +399,8 @@ int ssh_options_set_algo(ssh_session session,
+ */
+ int ssh_options_set(ssh_session session, enum ssh_options_e type,
+ const void *value) {
+- const char *v;
+- char *p, *q;
++ const char *v = NULL;
++ char *p = NULL, *q = NULL;
+ long int i;
+ unsigned int u;
+ int rc;
+@@ -987,7 +987,7 @@ int ssh_options_get_port(ssh_session session, unsigned int* port_target) {
+ */
+ int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value)
+ {
+- char* src = NULL;
++ char *src = NULL;
+
+ if (session == NULL) {
+ return SSH_ERROR;
+@@ -1248,7 +1248,7 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv)
+ * @see ssh_options_set_host()
+ */
+ int ssh_options_parse_config(ssh_session session, const char *filename) {
+- char *expanded_filename;
++ char *expanded_filename = NULL;
+ int r;
+
+ if (session == NULL) {
+@@ -1292,7 +1292,7 @@ out:
+
+ int ssh_options_apply(ssh_session session) {
+ struct ssh_iterator *it;
+- char *tmp;
++ char *tmp = NULL;
+ int rc;
+
+ if (session->opts.sshdir == NULL) {
+diff --git a/src/packet.c b/src/packet.c
+index 8025a7ff..aa0535e9 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -1218,8 +1218,8 @@ error:
+ static void ssh_packet_socket_controlflow_callback(int code, void *userdata)
+ {
+ ssh_session session = userdata;
+- struct ssh_iterator *it;
+- ssh_channel channel;
++ struct ssh_iterator *it = NULL;
++ ssh_channel channel = NULL;
+
+ if (code == SSH_SOCKET_FLOW_WRITEWONTBLOCK) {
+ SSH_LOG(SSH_LOG_TRACE, "sending channel_write_wontblock callback");
+diff --git a/src/packet_crypt.c b/src/packet_crypt.c
+index ba1d4af9..63eb6443 100644
+--- a/src/packet_crypt.c
++++ b/src/packet_crypt.c
+@@ -205,7 +205,7 @@ int ssh_packet_hmac_verify(ssh_session session,
+ enum ssh_hmac_e type)
+ {
+ unsigned char hmacbuf[DIGEST_MAX_LEN] = {0};
+- HMACCTX ctx;
++ HMACCTX ctx = NULL;
+ unsigned int len;
+ uint32_t seq;
+
+diff --git a/src/pki.c b/src/pki.c
+index 620ac1dd..4c4380ee 100644
+--- a/src/pki.c
++++ b/src/pki.c
+@@ -283,7 +283,7 @@ static enum ssh_digest_e ssh_key_hash_from_name(const char *name)
+ */
+ int ssh_key_algorithm_allowed(ssh_session session, const char *type)
+ {
+- const char *allowed_list;
++ const char *allowed_list = NULL;
+
+ allowed_list = session->opts.pubkey_accepted_types;
+ if (allowed_list == NULL) {
+@@ -480,7 +480,7 @@ int ssh_key_cmp(const ssh_key k1,
+
+ ssh_signature ssh_signature_new(void)
+ {
+- struct ssh_signature_struct *sig;
++ struct ssh_signature_struct *sig = NULL;
+
+ sig = malloc(sizeof(struct ssh_signature_struct));
+ if (sig == NULL) {
+@@ -561,7 +561,7 @@ int ssh_pki_import_privkey_base64(const char *b64_key,
+ void *auth_data,
+ ssh_key *pkey)
+ {
+- ssh_key key;
++ ssh_key key = NULL;
+ int cmp;
+
+ if (b64_key == NULL || pkey == NULL) {
+@@ -681,8 +681,8 @@ int ssh_pki_import_privkey_file(const char *filename,
+ void *auth_data,
+ ssh_key *pkey) {
+ struct stat sb;
+- char *key_buf;
+- FILE *file;
++ char *key_buf = NULL;
++ FILE *file = NULL;
+ off_t size;
+ int rc;
+
+@@ -820,8 +820,8 @@ int ssh_pki_export_privkey_file(const ssh_key privkey,
+
+ /* temporary function to migrate seemlessly to ssh_key */
+ ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) {
+- ssh_public_key pub;
+- ssh_key tmp;
++ ssh_public_key pub = NULL;
++ ssh_key tmp = NULL;
+
+ if(key == NULL) {
+ return NULL;
+@@ -853,7 +853,7 @@ ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) {
+ }
+
+ ssh_private_key ssh_pki_convert_key_to_privatekey(const ssh_key key) {
+- ssh_private_key privkey;
++ ssh_private_key privkey = NULL;
+
+ privkey = malloc(sizeof(struct ssh_private_key_struct));
+ if (privkey == NULL) {
+@@ -1190,9 +1190,9 @@ fail:
+ static int pki_import_cert_buffer(ssh_buffer buffer,
+ enum ssh_keytypes_e type,
+ ssh_key *pkey) {
+- ssh_buffer cert;
+- ssh_string type_s;
+- ssh_key key;
++ ssh_buffer cert = NULL;
++ ssh_string type_s = NULL;
++ ssh_key key = NULL;
+ int rc;
+
+ key = ssh_key_new();
+@@ -1615,7 +1615,7 @@ error:
+ int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey,
+ ssh_key *pkey)
+ {
+- ssh_key pubkey;
++ ssh_key pubkey = NULL;
+
+ if (privkey == NULL || !ssh_key_is_private(privkey)) {
+ return SSH_ERROR;
+@@ -1653,7 +1653,7 @@ int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey,
+ int ssh_pki_export_pubkey_blob(const ssh_key key,
+ ssh_string *pblob)
+ {
+- ssh_string blob;
++ ssh_string blob = NULL;
+
+ if (key == NULL) {
+ return SSH_OK;
+@@ -1683,8 +1683,8 @@ int ssh_pki_export_pubkey_blob(const ssh_key key,
+ int ssh_pki_export_pubkey_base64(const ssh_key key,
+ char **b64_key)
+ {
+- ssh_string key_blob;
+- unsigned char *b64;
++ ssh_string key_blob = NULL;
++ unsigned char *b64 = NULL;
+
+ if (key == NULL || b64_key == NULL) {
+ return SSH_ERROR;
+@@ -1711,9 +1711,9 @@ int ssh_pki_export_pubkey_file(const ssh_key key,
+ {
+ char key_buf[4096];
+ char host[256];
+- char *b64_key;
+- char *user;
+- FILE *fp;
++ char *b64_key = NULL;
++ char *user = NULL;
++ FILE *fp = NULL;
+ int rc;
+
+ if (key == NULL || filename == NULL || *filename == '\0') {
+@@ -1774,7 +1774,7 @@ int ssh_pki_export_pubkey_file(const ssh_key key,
+ * @returns SSH_OK on success, SSH_ERROR otherwise.
+ **/
+ int ssh_pki_copy_cert_to_privkey(const ssh_key certkey, ssh_key privkey) {
+- ssh_buffer cert_buffer;
++ ssh_buffer cert_buffer = NULL;
+ int rc;
+
+ if (certkey == NULL || privkey == NULL) {
+@@ -1809,7 +1809,7 @@ int ssh_pki_export_signature_blob(const ssh_signature sig,
+ ssh_string *sig_blob)
+ {
+ ssh_buffer buf = NULL;
+- ssh_string str;
++ ssh_string str = NULL;
+ int rc;
+
+ if (sig == NULL || sig_blob == NULL) {
+@@ -1869,7 +1869,7 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob,
+ enum ssh_keytypes_e type;
+ enum ssh_digest_e hash_type;
+ ssh_string algorithm = NULL, blob = NULL;
+- ssh_buffer buf;
++ ssh_buffer buf = NULL;
+ const char *alg = NULL;
+ int rc;
+
+@@ -2143,9 +2143,9 @@ ssh_string ssh_pki_do_sign_agent(ssh_session session,
+ struct ssh_buffer_struct *buf,
+ const ssh_key pubkey) {
+ struct ssh_crypto_struct *crypto;
+- ssh_string session_id;
+- ssh_string sig_blob;
+- ssh_buffer sig_buf;
++ ssh_string session_id = NULL;
++ ssh_string sig_blob = NULL;
++ ssh_buffer sig_buf = NULL;
+ int rc;
+
+ if (session->current_crypto) {
+diff --git a/src/pki_container_openssh.c b/src/pki_container_openssh.c
+index 3ef54f83..6e473899 100644
+--- a/src/pki_container_openssh.c
++++ b/src/pki_container_openssh.c
+@@ -234,12 +234,12 @@ ssh_pki_openssh_import(const char *text_key,
+ bool private)
+ {
+ const char *ptr=text_key;
+- const char *end;
+- char *base64;
++ const char *end = NULL;
++ char *base64 = NULL;
+ int cmp;
+ int rc;
+ int i;
+- ssh_buffer buffer = NULL, privkey_buffer=NULL;
++ ssh_buffer buffer = NULL, privkey_buffer = NULL;
+ char *magic = NULL, *ciphername = NULL, *kdfname = NULL;
+ uint32_t nkeys = 0, checkint1 = 0, checkint2 = 0xFFFF;
+ ssh_string kdfoptions = NULL;
+@@ -535,14 +535,14 @@ ssh_string ssh_pki_openssh_privkey_export(const ssh_key privkey,
+ {
+ ssh_buffer buffer;
+ ssh_string str = NULL;
+- ssh_string pubkey_s=NULL;
++ ssh_string pubkey_s = NULL;
+ ssh_buffer privkey_buffer = NULL;
+ uint32_t rnd;
+ uint32_t rounds = 16;
+- ssh_string salt=NULL;
+- ssh_string kdf_options=NULL;
++ ssh_string salt = NULL;
++ ssh_string kdf_options = NULL;
+ int to_encrypt=0;
+- unsigned char *b64;
++ unsigned char *b64 = NULL;
+ uint32_t str_len, len;
+ uint8_t padding = 1;
+ int ok;
+diff --git a/src/pki_ed25519.c b/src/pki_ed25519.c
+index 981a74b6..c9f07386 100644
+--- a/src/pki_ed25519.c
++++ b/src/pki_ed25519.c
+@@ -84,7 +84,7 @@ int pki_ed25519_sign(const ssh_key privkey,
+ size_t hlen)
+ {
+ int rc;
+- uint8_t *buffer;
++ uint8_t *buffer = NULL;
+ unsigned long long dlen = 0;
+
+ buffer = malloc(hlen + ED25519_SIG_LEN);
+@@ -126,8 +126,8 @@ int pki_ed25519_verify(const ssh_key pubkey,
+ size_t hlen)
+ {
+ unsigned long long mlen = 0;
+- uint8_t *buffer;
+- uint8_t *buffer2;
++ uint8_t *buffer = NULL;
++ uint8_t *buffer2 = NULL;
+ int rc;
+
+ if (pubkey == NULL || sig == NULL ||
+diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c
+index cf9ac781..6c1cb537 100644
+--- a/src/pki_gcrypt.c
++++ b/src/pki_gcrypt.c
+@@ -152,7 +152,7 @@ static ssh_string asn1_get_int(ssh_buffer buffer) {
+
+ static ssh_string asn1_get_bit_string(ssh_buffer buffer)
+ {
+- ssh_string str;
++ ssh_string str = NULL;
+ unsigned char type;
+ uint32_t size;
+ unsigned char unused, last, *p;
+diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c
+index 57a4ffae..abf36f4e 100644
+--- a/src/pki_mbedcrypto.c
++++ b/src/pki_mbedcrypto.c
+@@ -774,9 +774,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig)
+ sig_blob = ssh_string_copy(sig->rsa_sig);
+ break;
+ case SSH_KEYTYPE_ECDSA: {
+- ssh_string r;
+- ssh_string s;
+- ssh_buffer b;
++ ssh_string r = NULL;
++ ssh_string s = NULL;
++ ssh_buffer b = NULL;
+ int rc;
+
+ b = ssh_buffer_new();
+@@ -923,9 +923,9 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
+ sig->type_c = ssh_key_signature_to_char(type, hash_type);
+ break;
+ case SSH_KEYTYPE_ECDSA: {
+- ssh_buffer b;
+- ssh_string r;
+- ssh_string s;
++ ssh_buffer b = NULL;
++ ssh_string r = NULL;
++ ssh_string s = NULL;
+ size_t rlen;
+
+ b = ssh_buffer_new();
+diff --git a/src/poll.c b/src/poll.c
+index 0ee8db20..cbeff3df 100644
+--- a/src/poll.c
++++ b/src/poll.c
+@@ -468,8 +468,8 @@ void ssh_poll_ctx_free(ssh_poll_ctx ctx) {
+ }
+
+ static int ssh_poll_ctx_resize(ssh_poll_ctx ctx, size_t new_size) {
+- ssh_poll_handle *pollptrs;
+- ssh_pollfd_t *pollfds;
++ ssh_poll_handle *pollptrs = NULL;
++ ssh_pollfd_t *pollfds = NULL;
+
+ pollptrs = realloc(ctx->pollptrs, sizeof(ssh_poll_handle) * new_size);
+ if (pollptrs == NULL) {
+@@ -741,7 +741,7 @@ static int ssh_event_fd_wrapper_callback(ssh_poll_handle p, socket_t fd, int rev
+ int ssh_event_add_fd(ssh_event event, socket_t fd, short events,
+ ssh_event_callback cb, void *userdata) {
+ ssh_poll_handle p;
+- struct ssh_event_fd_wrapper *pw;
++ struct ssh_event_fd_wrapper *pw = NULL;
+
+ if(event == NULL || event->ctx == NULL || cb == NULL
+ || fd == SSH_INVALID_SOCKET) {
+@@ -810,7 +810,7 @@ void ssh_event_remove_poll(ssh_event event, ssh_poll_handle p)
+ int ssh_event_add_session(ssh_event event, ssh_session session) {
+ ssh_poll_handle p;
+ #ifdef WITH_SERVER
+- struct ssh_iterator *iterator;
++ struct ssh_iterator *iterator = NULL;
+ #endif
+
+ if(event == NULL || event->ctx == NULL || session == NULL) {
+diff --git a/src/server.c b/src/server.c
+index f3d24a7b..90677441 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -85,7 +85,7 @@ static int dh_handshake_server(ssh_session session);
+ static int server_set_kex(ssh_session session) {
+ struct ssh_kex_struct *server = &session->next_crypto->server_kex;
+ int i, j, rc;
+- const char *wanted;
++ const char *wanted = NULL;
+ char hostkeys[128] = {0};
+ enum ssh_keytypes_e keytype;
+ size_t len;
+@@ -204,9 +204,10 @@ static int ssh_server_kexdh_init(ssh_session session, ssh_buffer packet){
+ return SSH_OK;
+ }
+
+-static int ssh_server_send_extensions(ssh_session session) {
++static int ssh_server_send_extensions(ssh_session session)
++{
+ int rc;
+- const char *hostkey_algorithms;
++ const char *hostkey_algorithms = NULL;
+
+ SSH_LOG(SSH_LOG_PACKET, "Sending SSH_MSG_EXT_INFO");
+ /*
+@@ -289,8 +290,8 @@ error:
+ }
+
+ int ssh_get_key_params(ssh_session session, ssh_key *privkey){
+- ssh_key pubkey;
+- ssh_string pubkey_blob;
++ ssh_key pubkey = NULL;
++ ssh_string pubkey_blob = NULL;
+ int rc;
+
+ switch(session->srv.hostkey) {
+@@ -780,8 +781,9 @@ static int ssh_message_service_request_reply_default(ssh_message msg) {
+ return ssh_message_service_reply_success(msg);
+ }
+
+-int ssh_message_service_reply_success(ssh_message msg) {
+- ssh_session session;
++int ssh_message_service_reply_success(ssh_message msg)
++{
++ ssh_session session = NULL;
+ int rc;
+
+ if (msg == NULL) {
+@@ -1111,7 +1113,7 @@ int ssh_message_auth_reply_pk_ok(ssh_message msg, ssh_string algo, ssh_string pu
+ }
+
+ int ssh_message_auth_reply_pk_ok_simple(ssh_message msg) {
+- ssh_string algo;
++ ssh_string algo = NULL;
+ ssh_string pubkey_blob = NULL;
+ int ret;
+
+diff --git a/src/session.c b/src/session.c
+index 3953fe76..daa30fe2 100644
+--- a/src/session.c
++++ b/src/session.c
+@@ -56,7 +56,7 @@
+ * @returns A new ssh_session pointer, NULL on error.
+ */
+ ssh_session ssh_new(void) {
+- ssh_session session;
++ ssh_session session = NULL;
+ char *id = NULL;
+ int rc;
+
+@@ -252,7 +252,7 @@ void ssh_free(ssh_session session) {
+
+ /* options */
+ if (session->opts.identity) {
+- char *id;
++ char *id = NULL;
+
+ for (id = ssh_list_pop_head(char *, session->opts.identity);
+ id != NULL;
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index dee51534..4a15d032 100644
+--- a/src/sftpserver.c
++++ b/src/sftpserver.c
+@@ -291,8 +291,8 @@ void sftp_client_message_free(sftp_client_message msg) {
+
+ int sftp_reply_name(sftp_client_message msg, const char *name,
+ sftp_attributes attr) {
+- ssh_buffer out;
+- ssh_string file;
++ ssh_buffer out = NULL;
++ ssh_string file = NULL;
+
+ out = ssh_buffer_new();
+ if (out == NULL) {
+@@ -361,7 +361,7 @@ int sftp_reply_attr(sftp_client_message msg, sftp_attributes attr) {
+
+ int sftp_reply_names_add(sftp_client_message msg, const char *file,
+ const char *longname, sftp_attributes attr) {
+- ssh_string name;
++ ssh_string name = NULL;
+
+ name = ssh_string_from_char(file);
+ if (name == NULL) {
+@@ -427,8 +427,8 @@ int sftp_reply_names(sftp_client_message msg) {
+
+ int sftp_reply_status(sftp_client_message msg, uint32_t status,
+ const char *message) {
+- ssh_buffer out;
+- ssh_string s;
++ ssh_buffer out = NULL;
++ ssh_string s = NULL;
+
+ out = ssh_buffer_new();
+ if (out == NULL) {
+@@ -484,7 +484,7 @@ int sftp_reply_data(sftp_client_message msg, const void *data, int len) {
+ * valid info (or worse).
+ */
+ ssh_string sftp_handle_alloc(sftp_session sftp, void *info) {
+- ssh_string ret;
++ ssh_string ret = NULL;
+ uint32_t val;
+ int i;
+
+diff --git a/src/string.c b/src/string.c
+index acd3cf48..3e044374 100644
+--- a/src/string.c
++++ b/src/string.c
+@@ -106,7 +106,7 @@ int ssh_string_fill(struct ssh_string_struct *s, const void *data, size_t len) {
+ * @note The nul byte is not copied nor counted in the ouput string.
+ */
+ struct ssh_string_struct *ssh_string_from_char(const char *what) {
+- struct ssh_string_struct *ptr;
++ struct ssh_string_struct *ptr = NULL;
+ size_t len;
+
+ if(what == NULL) {
+@@ -180,7 +180,7 @@ const char *ssh_string_get_char(struct ssh_string_struct *s)
+ */
+ char *ssh_string_to_char(struct ssh_string_struct *s) {
+ size_t len;
+- char *new;
++ char *new = NULL;
+
+ if (s == NULL) {
+ return NULL;
+@@ -219,7 +219,7 @@ void ssh_string_free_char(char *s) {
+ * @return Newly allocated copy of the string, NULL on error.
+ */
+ struct ssh_string_struct *ssh_string_copy(struct ssh_string_struct *s) {
+- struct ssh_string_struct *new;
++ struct ssh_string_struct *new = NULL;
+ size_t len;
+
+ if (s == NULL) {
+diff --git a/src/threads/winlocks.c b/src/threads/winlocks.c
+index a1799531..c1bf1011 100644
+--- a/src/threads/winlocks.c
++++ b/src/threads/winlocks.c
+@@ -81,7 +81,7 @@ static struct ssh_threads_callbacks_struct ssh_threads_winlock =
+
+ void ssh_mutex_lock(SSH_MUTEX *mutex)
+ {
+- void *rc;
++ void *rc = NULL;
+
+ CRITICAL_SECTION *mutex_tmp = NULL;
+
+diff --git a/src/wrapper.c b/src/wrapper.c
+index e580e1cc..6e15d54e 100644
+--- a/src/wrapper.c
++++ b/src/wrapper.c
+@@ -133,7 +133,7 @@ static void cipher_free(struct ssh_cipher_struct *cipher) {
+ }
+
+ struct ssh_crypto_struct *crypto_new(void) {
+- struct ssh_crypto_struct *crypto;
++ struct ssh_crypto_struct *crypto = NULL;
+
+ crypto = malloc(sizeof(struct ssh_crypto_struct));
+ if (crypto == NULL) {
+--
+2.35.5
+
new file mode 100644
@@ -0,0 +1,33 @@
+From b35ee876adc92a208d47194772e99f9c71e0bedb Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 28 Apr 2025 11:04:55 +0200
+Subject: [PATCH] CVE-2025-4878 legacy: Properly check return value to avoid
+ NULL pointer dereference
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+
+CVE: CVE-2025-4878
+
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb]
+
+Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com>
+---
+ src/legacy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/legacy.c b/src/legacy.c
+index b1c8e150..ecbaf039 100644
+--- a/src/legacy.c
++++ b/src/legacy.c
+@@ -428,7 +428,7 @@ ssh_private_key privatekey_from_file(ssh_session session,
+ auth_fn,
+ auth_data,
+ &key);
+- if (rc == SSH_ERROR) {
++ if (rc != SSH_OK) {
+ return NULL;
+ }
+
+--
+2.48.1
@@ -22,6 +22,8 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable
file://run-ptest \
file://CVE-2025-5318.patch \
file://CVE-2025-4877.patch \
+ file://CVE-2025-4878-1.patch \
+ file://CVE-2025-4878-2.patch \
"
SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"
A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-4878 Upstream-patch: https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1 https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com> --- .../libssh/libssh/CVE-2025-4878-1.patch | 2196 +++++++++++++++++ .../libssh/libssh/CVE-2025-4878-2.patch | 33 + .../recipes-support/libssh/libssh_0.8.9.bb | 2 + 3 files changed, 2231 insertions(+) create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-1.patch create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-2.patch