From patchwork Tue Nov 11 06:55:46 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Rajeshkumar Ramasamy X-Patchwork-Id: 74138 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 454EECCF9E3 for ; Tue, 11 Nov 2025 06:56:16 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.12173.1762844167588707095 for ; Mon, 10 Nov 2025 22:56:09 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=XUwoPz8i; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=3410ad4b76=rajeshkumar.ramasamy@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5AB5b2vn038181 for ; Tue, 11 Nov 2025 06:56:06 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:message-id :mime-version:subject:to; s=PPS06212021; bh=gVQ7qucULfNPsBf//KL0 k8/K5GCe3BCZ+kj1migN0OY=; b=XUwoPz8iTMjMvaqlfGIRt+93hbBcILP9wTT8 6bTPzhugVYvoRPp93dwKH+GJ75uxdBB96x/re60bZSlZFwXFQOM/nKweIcy/OLXz 39edDPIkEnfcZCHIInkU5EeqwOf63Muievl6wfORly/AmWnfbnaBpKd4jU0ymRZE 5prvs56j/rU4GkFqvsWf/WiqoB9Rz6PxLicq4Zutl8Juw1gyDvh0w9US3tdvW3fZ x5HfkAAhpPUdejxrrn+4o7zdEPZkacGuMAlGFdeoHt0FXw3uVzLn6SMQ/h006S4C fUQPoElM+uihr4g/TISRrrIGJ/w8feDrI4EnImz3flSmdMNdnw== Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 4a9vu92wgw-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Tue, 11 Nov 2025 06:56:06 +0000 (GMT) Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.61; Mon, 10 Nov 2025 22:56:03 -0800 From: Rajeshkumar Ramasamy To: Subject: [oe][meta-oe][kirkstone][PATCH 1/2] libssh: fix CVE-2025-4878 Date: Tue, 11 Nov 2025 12:25:46 +0530 Message-ID: <20251111065547.2723539-1-rajeshkumar.ramasamy@windriver.com> X-Mailer: git-send-email 2.48.1 MIME-Version: 1.0 X-Originating-IP: [10.11.232.110] X-ClientProxiedBy: ala-exchng01.corp.ad.wrs.com (10.11.224.121) To ala-exchng01.corp.ad.wrs.com (10.11.224.121) X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMTExMDA1MSBTYWx0ZWRfX2XCRz3qsUspJ Dt7V8aIwbkIMlKxBjS/2Omz8lTwuSAlRiiiB5VX/158ptBpwgsT99bSysmF+gESclm/f2y8bCIw bk63hjhu5JVUpZedELN9isAeOB+/lRyFVQVFsDy+oquHDS7BR10z+2VZNYnznYVDDaSTULissP2 a/2xB8pyKiy0NbUnA4CGBmDdKz1skKSe23iytHmN43ZaW7tCEkGL+369rw3/OH+M4/5Z/bTd4fk cO8CDn4euGPVADJHkpsuJDoQDanE7U9UbRwR5V8QhK5Im13apEeW1Po9Hl9PnuNuLKZYzfWXVaO SdhDhv7CYvwqwDZQI6ROSTdluMXzpjmkJE3/ZZjlHXzOv6NTbU+2j7nC57h+9B0yR9p5L4I4Dc1 2gcP8OLbr+PjnAr5caNnEQDqd8FBSw== X-Proofpoint-GUID: uVoHXGEzMBvVYytGUF4Uq2rLN1QJXcJL X-Proofpoint-ORIG-GUID: uVoHXGEzMBvVYytGUF4Uq2rLN1QJXcJL X-Authority-Analysis: v=2.4 cv=CMknnBrD c=1 sm=1 tr=0 ts=6912de06 cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=gmxlzscTznEA:10 a=6UeiqGixMTsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=PYnjg3YJAAAA:8 a=nar8ntqeAAAA:8 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=_9gtbkrcAAAA:8 a=1XWaLZrsAAAA:8 a=l9wgHKbdPv7wUBevqzsA:9 a=RptMqvEBejqe73AKBt4K:22 a=FdTzh2GWekK77mhwV6Dw:22 a=mzAfeOUevkGYtpgvwSZb:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-11-11_01,2025-11-11_02,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 lowpriorityscore=0 bulkscore=0 spamscore=0 clxscore=1015 malwarescore=0 priorityscore=1501 phishscore=0 impostorscore=0 suspectscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2510240001 definitions=main-2511110051 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 11 Nov 2025 06:56:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/121479 A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-4878 Upstream-patch: https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1 https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb Signed-off-by: Rajeshkumar Ramasamy --- .../libssh/libssh/CVE-2025-4878-1.patch | 2196 +++++++++++++++++ .../libssh/libssh/CVE-2025-4878-2.patch | 33 + .../recipes-support/libssh/libssh_0.8.9.bb | 2 + 3 files changed, 2231 insertions(+) create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-1.patch create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-2.patch diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-1.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-1.patch new file mode 100644 index 0000000000..0131be0e01 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-1.patch @@ -0,0 +1,2196 @@ +From 697650caa97eaf7623924c75f9fcfec6dd423cd1 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 23 Apr 2025 17:57:11 +0200 +Subject: [PATCH] CVE-2025-4878 Initialize pointers where possible + +This is mostly mechanical change initializing all the pointers I was able to +find with some grep and manual review of sources and examples. + +Used the following greps (which yield some false positives though): + + git grep " \w* *\* *\w*;$" + git grep " ssh_session \w*;" + git grep " ssh_channel \w*;" + git grep " struct ssh_iterator \*\w*;" + git grep " ssh_bind \w*;" + git grep " ssh_key \w*;" + git grep " ssh_string \w*;" + git grep " ssh_buffer \w*;" + git grep " HMACCTX \w*;" + git grep " SHACTX \w*;" + grep -rinP '^(?!.*=)\s*(?:\w+\s+)*\w+\s*\*\s*\w+\s*;' + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +CVE: CVE-2025-4878 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1] + +Signed-off-by: Rajeshkumar Ramasamy +--- + doc/authentication.dox | 10 +++---- + doc/command.dox | 2 +- + doc/forwarding.dox | 4 +-- + doc/guided_tour.dox | 14 +++++----- + doc/shell.dox | 2 +- + examples/authentication.c | 12 ++++---- + examples/connect_ssh.c | 2 +- + examples/exec.c | 4 +-- + examples/knownhosts.c | 2 +- + examples/libssh_scp.c | 11 ++++---- + examples/proxy.c | 18 ++++++------ + examples/samplesshd-cb.c | 10 +++---- + examples/samplesshd-kbdint.c | 16 +++++------ + examples/scp_download.c | 4 +-- + examples/senddata.c | 4 +-- + examples/ssh_client.c | 8 +++--- + examples/sshnetcat.c | 6 ++-- + src/agent.c | 13 +++++---- + src/auth.c | 7 +++-- + src/bind.c | 9 +++--- + src/buffer.c | 9 +++--- + src/callbacks.c | 2 +- + src/chachapoly.c | 2 +- + src/channels.c | 53 ++++++++++++++++++------------------ + src/client.c | 2 +- + src/config.c | 4 +-- + src/connect.c | 4 +-- + src/connector.c | 5 ++-- + src/ecdh_crypto.c | 2 +- + src/ecdh_gcrypt.c | 10 +++---- + src/gcrypt_missing.c | 2 +- + src/getpass.c | 4 +-- + src/gssapi.c | 28 ++++++++++--------- + src/kex.c | 2 +- + src/known_hosts.c | 38 +++++++++++++------------- + src/knownhosts.c | 14 +++++----- + src/legacy.c | 43 +++++++++++++++-------------- + src/log.c | 2 +- + src/messages.c | 18 ++++++------ + src/misc.c | 22 +++++++-------- + src/options.c | 12 ++++---- + src/packet.c | 4 +-- + src/packet_crypt.c | 2 +- + src/pki.c | 48 ++++++++++++++++---------------- + src/pki_container_openssh.c | 14 +++++----- + src/pki_ed25519.c | 6 ++-- + src/pki_gcrypt.c | 2 +- + src/pki_mbedcrypto.c | 12 ++++---- + src/poll.c | 8 +++--- + src/server.c | 18 ++++++------ + src/session.c | 4 +-- + src/sftpserver.c | 12 ++++---- + src/string.c | 6 ++-- + src/threads/winlocks.c | 2 +- + src/wrapper.c | 2 +- + 55 files changed, 295 insertions(+), 281 deletions(-) + +diff --git a/doc/authentication.dox b/doc/authentication.dox +index ec6f1936..a8fbd400 100644 +--- a/doc/authentication.dox ++++ b/doc/authentication.dox +@@ -102,7 +102,7 @@ Here is a small example of password authentication: + @code + int authenticate_password(ssh_session session) + { +- char *password; ++ char *password = NULL; + int rc; + + password = getpass("Enter your password: "); +@@ -215,7 +215,7 @@ int authenticate_kbdint(ssh_session session) + rc = ssh_userauth_kbdint(session, NULL, NULL); + while (rc == SSH_AUTH_INFO) + { +- const char *name, *instruction; ++ const char *name = NULL, *instruction = NULL; + int nprompts, iprompt; + + name = ssh_userauth_kbdint_getname(session); +@@ -228,7 +228,7 @@ int authenticate_kbdint(ssh_session session) + printf("%s\n", instruction); + for (iprompt = 0; iprompt < nprompts; iprompt++) + { +- const char *prompt; ++ const char *prompt = NULL; + char echo; + + prompt = ssh_userauth_kbdint_getprompt(session, iprompt, &echo); +@@ -248,7 +248,7 @@ int authenticate_kbdint(ssh_session session) + } + else + { +- char *ptr; ++ char *ptr = NULL; + + ptr = getpass(prompt); + if (ssh_userauth_kbdint_setanswer(session, iprompt, ptr) < 0) +@@ -351,7 +351,7 @@ The following example shows how to retrieve and dispose the issue banner: + int display_banner(ssh_session session) + { + int rc; +- char *banner; ++ char *banner = NULL; + + /* + *** Does not work without calling ssh_userauth_none() first *** +diff --git a/doc/command.dox b/doc/command.dox +index 588151c6..e82748ce 100644 +--- a/doc/command.dox ++++ b/doc/command.dox +@@ -22,7 +22,7 @@ a SSH session that uses this channel: + @code + int show_remote_files(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + + channel = ssh_channel_new(session); +diff --git a/doc/forwarding.dox b/doc/forwarding.dox +index bb93c7b1..1949660c 100644 +--- a/doc/forwarding.dox ++++ b/doc/forwarding.dox +@@ -100,7 +100,7 @@ used to retrieve google's home page from the remote SSH server. + @code + int direct_forwarding(ssh_session session) + { +- ssh_channel forwarding_channel; ++ ssh_channel forwarding_channel = NULL; + int rc; + char *http_get = "GET / HTTP/1.1\nHost: www.google.com\n\n"; + int nbytes, nwritten; +@@ -161,7 +161,7 @@ local libssh application, which handles them: + int web_server(ssh_session session) + { + int rc; +- ssh_channel channel; ++ ssh_channel channel = NULL; + char buffer[256]; + int nbytes, nwritten; + int port = 0; +diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox +index 2f1a9b8e..008ccb4e 100644 +--- a/doc/guided_tour.dox ++++ b/doc/guided_tour.dox +@@ -79,7 +79,7 @@ Here is a small example of how to use it: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int verbosity = SSH_LOG_PROTOCOL; + int port = 22; + +@@ -126,7 +126,7 @@ Here's an example: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int rc; + + my_ssh_session = ssh_new(); +@@ -190,8 +190,8 @@ int verify_knownhost(ssh_session session) + ssh_key srv_pubkey = NULL; + size_t hlen; + char buf[10]; +- char *hexa; +- char *p; ++ char *hexa = NULL; ++ char *p = NULL; + int cmp; + int rc; + +@@ -317,9 +317,9 @@ The example below shows an authentication with password: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int rc; +- char *password; ++ char *password = NULL; + + // Open session and set options + my_ssh_session = ssh_new(); +@@ -380,7 +380,7 @@ The example below shows how to execute a remote command: + @code + int show_remote_processes(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + char buffer[256]; + int nbytes; +diff --git a/doc/shell.dox b/doc/shell.dox +index 0693bbcc..03b5a575 100644 +--- a/doc/shell.dox ++++ b/doc/shell.dox +@@ -26,7 +26,7 @@ The code sample below achieves these tasks: + @code + int shell_session(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + + channel = ssh_channel_new(session); +diff --git a/examples/authentication.c b/examples/authentication.c +index 9e5b94c9..758666fc 100644 +--- a/examples/authentication.c ++++ b/examples/authentication.c +@@ -30,8 +30,8 @@ int authenticate_kbdint(ssh_session session, const char *password) + + err = ssh_userauth_kbdint(session, NULL, NULL); + while (err == SSH_AUTH_INFO) { +- const char *instruction; +- const char *name; ++ const char *instruction = NULL; ++ const char *name = NULL; + char buffer[128]; + int i, n; + +@@ -48,8 +48,8 @@ int authenticate_kbdint(ssh_session session, const char *password) + } + + for (i = 0; i < n; i++) { +- const char *answer; +- const char *prompt; ++ const char *answer = NULL; ++ const char *prompt = NULL; + char echo; + + prompt = ssh_userauth_kbdint_getprompt(session, i, &echo); +@@ -58,7 +58,7 @@ int authenticate_kbdint(ssh_session session, const char *password) + } + + if (echo) { +- char *p; ++ char *p = NULL; + + printf("%s", prompt); + +@@ -110,7 +110,7 @@ int authenticate_console(ssh_session session) + int rc; + int method; + char password[128] = {0}; +- char *banner; ++ char *banner = NULL; + + // Try to authenticate + rc = ssh_userauth_none(session, NULL); +diff --git a/examples/connect_ssh.c b/examples/connect_ssh.c +index c9e4ef6e..06094272 100644 +--- a/examples/connect_ssh.c ++++ b/examples/connect_ssh.c +@@ -22,7 +22,7 @@ clients must be made or how a client should react. + #include + + ssh_session connect_ssh(const char *host, const char *user,int verbosity){ +- ssh_session session; ++ ssh_session session = NULL; + int auth=0; + + session=ssh_new(); +diff --git a/examples/exec.c b/examples/exec.c +index 4d5e0c1a..0db84688 100644 +--- a/examples/exec.c ++++ b/examples/exec.c +@@ -5,8 +5,8 @@ + #include "examples_common.h" + + int main(void) { +- ssh_session session; +- ssh_channel channel; ++ ssh_session session = NULL; ++ ssh_channel channel = NULL; + char buffer[256]; + int nbytes; + int rc; +diff --git a/examples/knownhosts.c b/examples/knownhosts.c +index 2c538dac..44fbbd01 100644 +--- a/examples/knownhosts.c ++++ b/examples/knownhosts.c +@@ -37,7 +37,7 @@ int verify_knownhost(ssh_session session){ + char buf[10]; + unsigned char *hash = NULL; + size_t hlen; +- ssh_key srv_pubkey; ++ ssh_key srv_pubkey = NULL; + int rc; + + rc = ssh_get_server_publickey(session, &srv_pubkey); +diff --git a/examples/libssh_scp.c b/examples/libssh_scp.c +index ff38b830..b0638525 100644 +--- a/examples/libssh_scp.c ++++ b/examples/libssh_scp.c +@@ -22,9 +22,9 @@ program. + #include + #include "examples_common.h" + +-static char **sources; ++static char **sources = NULL; + static int nsources; +-static char *destination; ++static char *destination = NULL; + static int verbosity = 0; + + struct location { +@@ -114,9 +114,10 @@ static void location_free(struct location *loc) + } + } + +-static struct location *parse_location(char *loc) { +- struct location *location; +- char *ptr; ++static struct location *parse_location(char *loc) ++{ ++ struct location *location = NULL; ++ char *ptr = NULL; + + location = malloc(sizeof(struct location)); + if (location == NULL) { +diff --git a/examples/proxy.c b/examples/proxy.c +index dcf4d0d7..baebc12f 100644 +--- a/examples/proxy.c ++++ b/examples/proxy.c +@@ -31,8 +31,8 @@ clients must be made or how a client should react. + static int authenticated=0; + static int tries = 0; + static int error = 0; +-static ssh_channel chan=NULL; +-static char *username; ++static ssh_channel chan = NULL; ++static char *username = NULL; + static ssh_gssapi_creds client_creds = NULL; + + static int auth_password(ssh_session session, const char *user, +@@ -212,11 +212,12 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_event mainloop; +- ssh_session client_session; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_event mainloop = NULL; ++ ssh_session client_session = NULL; + + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, +@@ -227,7 +228,7 @@ int main(int argc, char **argv){ + + char buf[2048]; + char host[128]=""; +- char *ptr; ++ char *ptr = NULL; + int i,r, rc; + + sshbind=ssh_bind_new(); +@@ -344,4 +345,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/samplesshd-cb.c b/examples/samplesshd-cb.c +index f93ab4b4..39efaf9a 100644 +--- a/examples/samplesshd-cb.c ++++ b/examples/samplesshd-cb.c +@@ -215,10 +215,11 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_event mainloop; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_event mainloop = NULL; + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, + .auth_password_function = auth_password, +@@ -303,4 +304,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/samplesshd-kbdint.c b/examples/samplesshd-kbdint.c +index 522aebd6..88f0458a 100644 +--- a/examples/samplesshd-kbdint.c ++++ b/examples/samplesshd-kbdint.c +@@ -183,8 +183,8 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-static const char *name; +-static const char *instruction; ++static const char *name = NULL; ++static const char *instruction = NULL; + static const char *prompts[2]; + static char echo[] = { 1, 0 }; + +@@ -288,11 +288,12 @@ static int authenticate(ssh_session session) { + return 0; + } + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_message message; +- ssh_channel chan=0; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_message message = NULL; ++ ssh_channel chan = NULL; + char buf[2048]; + int auth=0; + int shell=0; +@@ -422,4 +423,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/scp_download.c b/examples/scp_download.c +index 85ccf92b..eda67764 100644 +--- a/examples/scp_download.c ++++ b/examples/scp_download.c +@@ -104,7 +104,7 @@ static int fetch_files(ssh_session session){ + int size; + char buffer[16384]; + int mode; +- char *filename; ++ char *filename = NULL; + int r; + ssh_scp scp=ssh_scp_new(session, SSH_SCP_READ | SSH_SCP_RECURSIVE, "/tmp/libssh_tests/*"); + if(ssh_scp_init(scp) != SSH_OK){ +@@ -163,7 +163,7 @@ static int fetch_files(ssh_session session){ + } + + int main(int argc, char **argv){ +- ssh_session session; ++ ssh_session session = NULL; + if(opts(argc,argv)<0) + return EXIT_FAILURE; + session=connect_ssh(host,NULL,verbosity); +diff --git a/examples/senddata.c b/examples/senddata.c +index 042b462b..1104acdc 100644 +--- a/examples/senddata.c ++++ b/examples/senddata.c +@@ -6,7 +6,7 @@ + #define LIMIT 0x100000000UL + + int main(void) { +- ssh_session session; ++ ssh_session session = NULL; + ssh_channel channel; + char buffer[1024*1024]; + int rc; +@@ -47,7 +47,7 @@ int main(void) { + if(total > LIMIT) + break; + } +- ++ + if (rc < 0) { + printf("error : %s\n",ssh_get_error(session)); + ssh_channel_close(channel); +diff --git a/examples/ssh_client.c b/examples/ssh_client.c +index b0c5a7ff..db226d53 100644 +--- a/examples/ssh_client.c ++++ b/examples/ssh_client.c +@@ -50,7 +50,7 @@ static struct termios terminal; + + static char *pcap_file = NULL; + +-static char *proxycommand; ++static char *proxycommand = NULL; + + static int auth_callback(const char *prompt, + char *buf, +@@ -238,7 +238,7 @@ static void select_loop(ssh_session session,ssh_channel channel) + + static void shell(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + struct termios terminal_local; + int interactive=isatty(0); + channel = ssh_channel_new(session); +@@ -300,7 +300,7 @@ static void batch_shell(ssh_session session) + static int client(ssh_session session) + { + int auth = 0; +- char *banner; ++ char *banner = NULL; + int state; + + if (user) { +@@ -378,7 +378,7 @@ static void cleanup_pcap(void) + + int main(int argc, char **argv) + { +- ssh_session session; ++ ssh_session session = NULL; + + session = ssh_new(); + +diff --git a/examples/sshnetcat.c b/examples/sshnetcat.c +index 28fb2765..0665d004 100644 +--- a/examples/sshnetcat.c ++++ b/examples/sshnetcat.c +@@ -34,7 +34,7 @@ clients must be made or how a client should react. + #include + + #include "examples_common.h" +-char *host; ++char *host = NULL; + const char *desthost="localhost"; + const char *port="22"; + +@@ -187,7 +187,7 @@ static void forwarding(ssh_session session){ + + static int client(ssh_session session){ + int auth=0; +- char *banner; ++ char *banner = NULL; + int state; + + if (ssh_options_set(session, SSH_OPTIONS_HOST ,host) < 0) +@@ -239,7 +239,7 @@ void cleanup_pcap(){ + #endif + + int main(int argc, char **argv){ +- ssh_session session; ++ ssh_session session = NULL; + + session = ssh_new(); + +diff --git a/src/agent.c b/src/agent.c +index 7704e8f1..cabe9b6b 100644 +--- a/src/agent.c ++++ b/src/agent.c +@@ -418,8 +418,9 @@ ssh_key ssh_agent_get_first_ident(struct ssh_session_struct *session, + + /* caller has to free commment */ + ssh_key ssh_agent_get_next_ident(struct ssh_session_struct *session, +- char **comment) { +- struct ssh_key_struct *key; ++ char **comment) ++{ ++ struct ssh_key_struct *key = NULL; + struct ssh_string_struct *blob = NULL; + struct ssh_string_struct *tmp = NULL; + int rc; +@@ -488,10 +489,10 @@ ssh_string ssh_agent_sign_data(ssh_session session, + const ssh_key pubkey, + struct ssh_buffer_struct *data) + { +- ssh_buffer request; +- ssh_buffer reply; +- ssh_string key_blob; +- ssh_string sig_blob; ++ ssh_buffer request = NULL; ++ ssh_buffer reply = NULL; ++ ssh_string key_blob = NULL; ++ ssh_string sig_blob = NULL; + unsigned int type = 0; + unsigned int flags = 0; + uint32_t dlen; +diff --git a/src/auth.c b/src/auth.c +index 993e6dfe..531ab8bd 100644 +--- a/src/auth.c ++++ b/src/auth.c +@@ -191,8 +191,9 @@ static int ssh_userauth_get_response(ssh_session session) { + * + * This banner should be shown to user prior to authentication + */ +-SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) { +- ssh_string banner; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) ++{ ++ ssh_string banner = NULL; + (void)type; + (void)user; + +@@ -1299,7 +1300,7 @@ int ssh_userauth_agent_pubkey(ssh_session session, + const char *username, + ssh_public_key publickey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + key = ssh_key_new(); +diff --git a/src/bind.c b/src/bind.c +index 63ef3a94..0cf8bea9 100644 +--- a/src/bind.c ++++ b/src/bind.c +@@ -73,7 +73,7 @@ + static socket_t bind_socket(ssh_bind sshbind, const char *hostname, + int port) { + char port_c[6]; +- struct addrinfo *ai; ++ struct addrinfo *ai = NULL; + struct addrinfo hints; + int opt = 1; + socket_t s; +@@ -129,8 +129,9 @@ static socket_t bind_socket(ssh_bind sshbind, const char *hostname, + return s; + } + +-ssh_bind ssh_bind_new(void) { +- ssh_bind ptr; ++ssh_bind ssh_bind_new(void) ++{ ++ ssh_bind ptr = NULL; + + ptr = malloc(sizeof(struct ssh_bind_struct)); + if (ptr == NULL) { +@@ -249,7 +250,7 @@ static int ssh_bind_import_keys(ssh_bind sshbind) { + } + + int ssh_bind_listen(ssh_bind sshbind) { +- const char *host; ++ const char *host = NULL; + socket_t fd; + int rc; + +diff --git a/src/buffer.c b/src/buffer.c +index da6e587f..50469e62 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -365,7 +365,8 @@ int ssh_buffer_allocate_size(struct ssh_buffer_struct *buffer, + */ + void *ssh_buffer_allocate(struct ssh_buffer_struct *buffer, uint32_t len) + { +- void *ptr; ++ void *ptr = NULL; ++ + buffer_verify(buffer); + + if (buffer->used + len < len) { +@@ -922,7 +923,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, + va_list ap) + { + int rc = SSH_ERROR; +- const char *p; ++ const char *p = NULL; + union { + uint8_t byte; + uint16_t word; +@@ -931,7 +932,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, + ssh_string string; + void *data; + } o; +- char *cstring; ++ char *cstring = NULL; + bignum b; + size_t len; + int count; +@@ -1086,7 +1087,7 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, + va_list ap) + { + int rc = SSH_ERROR; +- const char *p, *last; ++ const char *p = NULL, *last = NULL; + union { + uint8_t *byte; + uint16_t *word; +diff --git a/src/callbacks.c b/src/callbacks.c +index 3ed2f11c..6bfed62a 100644 +--- a/src/callbacks.c ++++ b/src/callbacks.c +@@ -113,7 +113,7 @@ int ssh_add_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb) + + int ssh_remove_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + if (channel == NULL || channel->callbacks == NULL){ + return SSH_ERROR; +diff --git a/src/chachapoly.c b/src/chachapoly.c +index 904303ef..6a3aba18 100644 +--- a/src/chachapoly.c ++++ b/src/chachapoly.c +@@ -50,7 +50,7 @@ static int chacha20_set_encrypt_key(struct ssh_cipher_struct *cipher, + void *key, + void *IV) + { +- struct chacha20_poly1305_keysched *sched; ++ struct chacha20_poly1305_keysched *sched = NULL; + uint8_t *u8key = key; + (void)IV; + +diff --git a/src/channels.c b/src/channels.c +index b94016f1..ae2f55a5 100644 +--- a/src/channels.c ++++ b/src/channels.c +@@ -141,7 +141,7 @@ uint32_t ssh_channel_new_id(ssh_session session) { + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf){ + uint32_t channelid=0; +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + (void)type; + (void)user; +@@ -202,7 +202,7 @@ error: + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){ + +- ssh_channel channel; ++ ssh_channel channel = NULL; + char *error = NULL; + uint32_t code; + int rc; +@@ -343,7 +343,7 @@ end: + /* return channel with corresponding local id, or NULL if not found */ + ssh_channel ssh_channel_from_local(ssh_session session, uint32_t id) { + struct ssh_iterator *it; +- ssh_channel channel; ++ ssh_channel channel = NULL; + + for (it = ssh_list_get_iterator(session->channels); it != NULL ; it=it->next) { + channel = ssh_iterator_value(ssh_channel, it); +@@ -423,7 +423,7 @@ error: + * unknown or the packet is invalid. + */ + static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + uint32_t chan; + int rc; + +@@ -445,7 +445,7 @@ static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) { + } + + SSH_PACKET_CALLBACK(channel_rcv_change_window) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + uint32_t bytes; + int rc; + (void)user; +@@ -584,7 +584,7 @@ SSH_PACKET_CALLBACK(channel_rcv_data){ + } + + SSH_PACKET_CALLBACK(channel_rcv_eof) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)user; + (void)type; + +@@ -611,8 +611,9 @@ SSH_PACKET_CALLBACK(channel_rcv_eof) { + return SSH_PACKET_USED; + } + +-SSH_PACKET_CALLBACK(channel_rcv_close) { +- ssh_channel channel; ++SSH_PACKET_CALLBACK(channel_rcv_close) ++{ ++ ssh_channel channel = NULL; + (void)user; + (void)type; + +@@ -812,7 +813,7 @@ SSH_PACKET_CALLBACK(channel_rcv_request) { + */ + int channel_default_bufferize(ssh_channel channel, void *data, int len, + int is_stderr) { +- ssh_session session; ++ ssh_session session = NULL; + + if(channel == NULL) { + return -1; +@@ -946,7 +947,7 @@ int ssh_channel_open_auth_agent(ssh_channel channel){ + */ + int ssh_channel_open_forward(ssh_channel channel, const char *remotehost, + int remoteport, const char *sourcehost, int localport) { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + ssh_string str = NULL; + int rc = SSH_ERROR; +@@ -1002,7 +1003,7 @@ error: + */ + void ssh_channel_free(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + + if (channel == NULL) { + return; +@@ -1100,7 +1101,7 @@ void ssh_channel_do_free(ssh_channel channel) + * @see ssh_channel_is_eof() + */ + int ssh_channel_send_eof(ssh_channel channel){ +- ssh_session session; ++ ssh_session session = NULL; + int rc = SSH_ERROR; + int err; + +@@ -1153,7 +1154,7 @@ error: + */ + int ssh_channel_close(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + int rc = 0; + + if(channel == NULL) { +@@ -1249,7 +1250,7 @@ static int channel_write_common(ssh_channel channel, + const void *data, + uint32_t len, int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + uint32_t origlen = len; + size_t effectivelen; + size_t maxpacketlen; +@@ -1503,7 +1504,7 @@ void ssh_channel_set_blocking(ssh_channel channel, int blocking) { + * @brief handle a SSH_CHANNEL_SUCCESS packet and set the channel state. + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_success){ +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)type; + (void)user; + +@@ -1533,7 +1534,7 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_success){ + * @brief Handle a SSH_CHANNEL_FAILURE packet and set the channel state. + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_failure){ +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)type; + (void)user; + +@@ -1960,7 +1961,7 @@ static ssh_channel ssh_channel_accept(ssh_session session, int channeltype, + #endif + ssh_message msg = NULL; + ssh_channel channel = NULL; +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + int t; + + /* +@@ -2590,7 +2591,7 @@ error: + */ + int channel_read_buffer(ssh_channel channel, ssh_buffer buffer, uint32_t count, + int is_stderr) { +- ssh_session session; ++ ssh_session session = NULL; + char buffer_tmp[8192]; + int r; + uint32_t total=0; +@@ -2726,7 +2727,7 @@ int ssh_channel_read_timeout(ssh_channel channel, + int is_stderr, + int timeout_ms) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer stdbuf; + uint32_t len; + struct ssh_channel_read_termination_struct ctx; +@@ -2837,7 +2838,7 @@ int ssh_channel_read_timeout(ssh_channel channel, + */ + int ssh_channel_read_nonblocking(ssh_channel channel, void *dest, uint32_t count, + int is_stderr) { +- ssh_session session; ++ ssh_session session = NULL; + int to_read; + int rc; + int blocking; +@@ -2940,8 +2941,8 @@ int ssh_channel_poll(ssh_channel channel, int is_stderr){ + * @see ssh_channel_is_eof() + */ + int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr){ +- ssh_session session; +- ssh_buffer stdbuf; ++ ssh_session session = NULL; ++ ssh_buffer stdbuf = NULL; + struct ssh_channel_read_termination_struct ctx; + int rc; + +@@ -3042,7 +3043,7 @@ int ssh_channel_get_exit_status(ssh_channel channel) { + */ + static int channel_protocol_select(ssh_channel *rchans, ssh_channel *wchans, + ssh_channel *echans, ssh_channel *rout, ssh_channel *wout, ssh_channel *eout) { +- ssh_channel chan; ++ ssh_channel chan = NULL; + int i; + int j = 0; + +@@ -3121,7 +3122,7 @@ static int count_ptrs(ssh_channel *ptrs) { + */ + int ssh_channel_select(ssh_channel *readchans, ssh_channel *writechans, + ssh_channel *exceptchans, struct timeval * timeout) { +- ssh_channel *rchans, *wchans, *echans; ++ ssh_channel *rchans = NULL, *wchans = NULL, *echans = NULL; + ssh_channel dummy = NULL; + ssh_event event = NULL; + int rc; +@@ -3305,7 +3306,7 @@ int ssh_channel_write_stderr(ssh_channel channel, const void *data, uint32_t len + */ + int ssh_channel_open_reverse_forward(ssh_channel channel, const char *remotehost, + int remoteport, const char *sourcehost, int localport) { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + int rc = SSH_ERROR; + +@@ -3368,7 +3369,7 @@ error: + */ + int ssh_channel_open_x11(ssh_channel channel, + const char *orig_addr, int orig_port) { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + int rc = SSH_ERROR; + +diff --git a/src/client.c b/src/client.c +index 1132c0a0..5ece34b8 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -656,7 +656,7 @@ int ssh_get_openssh_version(ssh_session session) { + * @param[in] session The SSH session to use. + */ + void ssh_disconnect(ssh_session session) { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + int rc; + + if (session == NULL) { +diff --git a/src/config.c b/src/config.c +index 7dd3ae8c..8bf2c1a8 100644 +--- a/src/config.c ++++ b/src/config.c +@@ -229,7 +229,7 @@ static enum ssh_config_opcode_e ssh_config_get_opcode(char *keyword) { + } + + static void local_parse_file(ssh_session session, const char *filename, int *parsing, int seen[]) { +- FILE *f; ++ FILE *f = NULL; + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; + +@@ -730,7 +730,7 @@ static int ssh_config_parse_line(ssh_session session, const char *line, + int ssh_config_parse_file(ssh_session session, const char *filename) { + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; +- FILE *f; ++ FILE *f = NULL; + int parsing; + int seen[SOC_END - SOC_UNSUPPORTED] = {0}; + +diff --git a/src/connect.c b/src/connect.c +index d45be04b..a58bd4b0 100644 +--- a/src/connect.c ++++ b/src/connect.c +@@ -355,8 +355,8 @@ socket_t ssh_connect_host_nonblocking(ssh_session session, const char *host, + } + + if (bind_addr) { +- struct addrinfo *bind_ai; +- struct addrinfo *bind_itr; ++ struct addrinfo *bind_ai = NULL; ++ struct addrinfo *bind_itr = NULL; + + SSH_LOG(SSH_LOG_PACKET, "Resolving %s", bind_addr); + +diff --git a/src/connector.c b/src/connector.c +index 0062785c..868ba1ec 100644 +--- a/src/connector.c ++++ b/src/connector.c +@@ -622,8 +622,9 @@ error: + return rc; + } + +-int ssh_connector_remove_event(ssh_connector connector) { +- ssh_session session; ++int ssh_connector_remove_event(ssh_connector connector) ++{ ++ ssh_session session = NULL; + + if (connector->in_poll != NULL) { + ssh_event_remove_poll(connector->event, connector->in_poll); +diff --git a/src/ecdh_crypto.c b/src/ecdh_crypto.c +index 7e5f0cc7..43d7fec2 100644 +--- a/src/ecdh_crypto.c ++++ b/src/ecdh_crypto.c +@@ -204,7 +204,7 @@ int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet){ + const EC_POINT *ecdh_pubkey; + bignum_CTX ctx; + /* SSH host keys (rsa,dsa,ecdsa) */ +- ssh_key privkey; ++ ssh_key privkey = NULL; + ssh_string sig_blob = NULL; + ssh_string pubkey_blob = NULL; + int curve; +diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c +index c1db7f5d..789b06b9 100644 +--- a/src/ecdh_gcrypt.c ++++ b/src/ecdh_gcrypt.c +@@ -128,9 +128,9 @@ int ecdh_build_k(ssh_session session) + #else + size_t k_len = 0; + enum ssh_key_exchange_e kex_type = session->next_crypto->kex_type; +- ssh_string s; ++ ssh_string s = NULL; + #endif +- ssh_string pubkey_raw; ++ ssh_string pubkey_raw = NULL; + gcry_sexp_t pubkey = NULL; + ssh_string privkey = NULL; + int rc = SSH_ERROR; +@@ -261,12 +261,12 @@ int ecdh_build_k(ssh_session session) + int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet) { + gpg_error_t err; + /* ECDH keys */ +- ssh_string q_c_string; +- ssh_string q_s_string; ++ ssh_string q_c_string = NULL; ++ ssh_string q_s_string = NULL; + gcry_sexp_t param = NULL; + gcry_sexp_t key = NULL; + /* SSH host keys (rsa,dsa,ecdsa) */ +- ssh_key privkey; ++ ssh_key privkey = NULL; + ssh_string sig_blob = NULL; + ssh_string pubkey_blob = NULL; + int rc = SSH_ERROR; +diff --git a/src/gcrypt_missing.c b/src/gcrypt_missing.c +index 80562317..60d6181c 100644 +--- a/src/gcrypt_missing.c ++++ b/src/gcrypt_missing.c +@@ -47,7 +47,7 @@ int ssh_gcry_dec2bn(bignum *bn, const char *data) { + + char *ssh_gcry_bn2dec(bignum bn) { + bignum bndup, num, ten; +- char *ret; ++ char *ret = NULL; + int count, count2; + int size, rsize; + char decnum; +diff --git a/src/getpass.c b/src/getpass.c +index 99627665..dceaf4dd 100644 +--- a/src/getpass.c ++++ b/src/getpass.c +@@ -45,7 +45,7 @@ + * @return 1 on success, 0 on error. + */ + static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) { +- char *tmp; ++ char *tmp = NULL; + char *ptr = NULL; + int ok = 0; + +@@ -77,7 +77,7 @@ static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) { + } + + if (verify) { +- char *key_string; ++ char *key_string = NULL; + + key_string = calloc(1, len); + if (key_string == NULL) { +diff --git a/src/gssapi.c b/src/gssapi.c +index e1b37c76..8bbfc0c8 100644 +--- a/src/gssapi.c ++++ b/src/gssapi.c +@@ -190,7 +190,7 @@ int ssh_gssapi_handle_userauth(ssh_session session, const char *user, uint32_t n + gss_name_t server_name; /* local server fqdn */ + OM_uint32 maj_stat, min_stat; + size_t i; +- char *ptr; ++ char *ptr = NULL; + gss_OID_set supported; /* oids supported by server */ + gss_OID_set both_supported; /* oids supported by both client and server */ + gss_OID_set selected; /* oid selected for authentication */ +@@ -313,7 +313,7 @@ int ssh_gssapi_handle_userauth(ssh_session session, const char *user, uint32_t n + static char *ssh_gssapi_name_to_char(gss_name_t name){ + gss_buffer_desc buffer; + OM_uint32 maj_stat, min_stat; +- char *ptr; ++ char *ptr = NULL; + maj_stat = gss_display_name(&min_stat, name, &buffer, NULL); + ssh_gssapi_log_error(SSH_LOG_WARNING, + "converting name", +@@ -327,9 +327,10 @@ static char *ssh_gssapi_name_to_char(gss_name_t name){ + + } + +-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){ +- ssh_string token; +- char *hexa; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server) ++{ ++ ssh_string token = NULL; ++ char *hexa = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + gss_name_t client_name = GSS_C_NO_NAME; +@@ -353,7 +354,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){ + } + + if (ssh_callbacks_exists(session->server_callbacks, gssapi_accept_sec_ctx_function)){ +- ssh_string out_token=NULL; ++ ssh_string out_token = NULL; + rc = session->server_callbacks->gssapi_accept_sec_ctx_function(session, + token, &out_token, session->server_callbacks->userdata); + if (rc == SSH_ERROR){ +@@ -457,7 +458,7 @@ static ssh_buffer ssh_gssapi_build_mic(ssh_session session){ + + SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_mic) + { +- ssh_string mic_token; ++ ssh_string mic_token = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc mic_buf = GSS_C_EMPTY_BUFFER; + gss_buffer_desc mic_token_buf = GSS_C_EMPTY_BUFFER; +@@ -616,7 +617,7 @@ static int ssh_gssapi_match(ssh_session session, gss_OID_set *valid_oids) + gss_name_t client_id = GSS_C_NO_NAME; + gss_OID oid; + unsigned int i; +- char *ptr; ++ char *ptr = NULL; + int ret; + + if (session->gssapi->client.client_deleg_creds == NULL) { +@@ -789,11 +790,11 @@ static gss_OID ssh_gssapi_oid_from_string(ssh_string oid_s){ + } + + SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){ +- ssh_string oid_s; ++ ssh_string oid_s = NULL; + gss_uint32 maj_stat, min_stat; + gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; +- char *hexa; ++ char *hexa = NULL; + (void)type; + (void)user; + +@@ -899,9 +900,10 @@ static int ssh_gssapi_send_mic(ssh_session session){ + return ssh_packet_send(session); + } + +-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){ +- ssh_string token; +- char *hexa; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client) ++{ ++ ssh_string token = NULL; ++ char *hexa = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + (void)user; +diff --git a/src/kex.c b/src/kex.c +index c100d908..35272b14 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -765,7 +765,7 @@ char *ssh_client_select_hostkeys(ssh_session session) + int ssh_set_client_kex(ssh_session session) + { + struct ssh_kex_struct *client= &session->next_crypto->client_kex; +- const char *wanted; ++ const char *wanted = NULL; + int ok; + int i; + +diff --git a/src/known_hosts.c b/src/known_hosts.c +index 407e1de5..dddfd8a5 100644 +--- a/src/known_hosts.c ++++ b/src/known_hosts.c +@@ -98,8 +98,8 @@ static void tokens_free(char **tokens) { + static char **ssh_get_knownhost_line(FILE **file, const char *filename, + const char **found_type) { + char buffer[4096] = {0}; +- char *ptr; +- char **tokens; ++ char *ptr = NULL; ++ char **tokens = NULL; + + if(*file == NULL){ + *file = fopen(filename,"r"); +@@ -165,7 +165,7 @@ static char **ssh_get_knownhost_line(FILE **file, const char *filename, + static int check_public_key(ssh_session session, char **tokens) { + ssh_string pubkey_blob = NULL; + ssh_buffer pubkey_buffer; +- char *pubkey_64; ++ char *pubkey_64 = NULL; + int rc; + + /* ssh-dss or ssh-rsa */ +@@ -221,11 +221,11 @@ static int match_hashed_host(const char *host, const char *sourcehash) + * hash := HMAC_SHA1(key=salt,data=host) + */ + unsigned char buffer[256] = {0}; +- ssh_buffer salt; +- ssh_buffer hash; +- HMACCTX mac; +- char *source; +- char *b64hash; ++ ssh_buffer salt = NULL; ++ ssh_buffer hash = NULL; ++ HMACCTX mac = NULL; ++ char *source = NULL; ++ char *b64hash = NULL; + int match; + unsigned int size; + +@@ -308,12 +308,12 @@ static int match_hashed_host(const char *host, const char *sourcehash) + int ssh_is_server_known(ssh_session session) { + FILE *file = NULL; + char **tokens; +- char *host; +- char *hostport; +- const char *type; ++ char *host = NULL; ++ char *hostport = NULL; ++ const char *type = NULL; + int match; + int i=0; +- char * files[3]; ++ char * files[3] = {0}; + int ret = SSH_SERVER_NOT_KNOWN; + + if (session->opts.knownhosts == NULL) { +@@ -445,11 +445,11 @@ int ssh_is_server_known(ssh_session session) { + */ + char * ssh_dump_knownhost(ssh_session session) { + ssh_key server_pubkey = NULL; +- char *host; +- char *hostport; ++ char *host = NULL; ++ char *hostport = NULL; + size_t len = 4096; +- char *buffer; +- char *b64_key; ++ char *buffer = NULL; ++ char *b64_key = NULL; + int rc; + + if (session->opts.host == NULL) { +@@ -513,9 +513,9 @@ char * ssh_dump_knownhost(ssh_session session) { + * @brief This function is deprecated + */ + int ssh_write_knownhost(ssh_session session) { +- FILE *file; +- char *buffer; +- char *dir; ++ FILE *file = NULL; ++ char *buffer = NULL; ++ char *dir = NULL; + + if (session->opts.knownhosts == NULL) { + if (ssh_options_apply(session) < 0) { +diff --git a/src/knownhosts.c b/src/knownhosts.c +index 3ea22970..2abdb4b6 100644 +--- a/src/knownhosts.c ++++ b/src/knownhosts.c +@@ -55,7 +55,7 @@ static int hash_hostname(const char *name, + unsigned char **hash, + unsigned int *hash_size) + { +- HMACCTX mac_ctx; ++ HMACCTX mac_ctx = NULL; + + mac_ctx = hmac_init(salt, salt_size, SSH_HMAC_SHA1); + if (mac_ctx == NULL) { +@@ -70,8 +70,8 @@ static int hash_hostname(const char *name, + + static int match_hashed_hostname(const char *host, const char *hashed_host) + { +- char *hashed; +- char *b64_hash; ++ char *hashed = NULL; ++ char *b64_hash = NULL; + ssh_buffer salt = NULL; + ssh_buffer hash = NULL; + unsigned char hashed_buf[256] = {0}; +@@ -195,7 +195,7 @@ static int ssh_known_hosts_read_entries(const char *match, + char line[8192]; + size_t lineno = 0; + size_t len = 0; +- FILE *fp; ++ FILE *fp = NULL; + int rc; + + fp = fopen(filename, "r"); +@@ -253,8 +253,8 @@ error: + + static char *ssh_session_get_host_port(ssh_session session) + { +- char *host_port; +- char *host; ++ char *host_port = NULL; ++ char *host = NULL; + + if (session->opts.host == NULL) { + ssh_set_error(session, +@@ -410,7 +410,7 @@ int ssh_known_hosts_parse_line(const char *hostname, + { + struct ssh_knownhosts_entry *e = NULL; + char *known_host = NULL; +- char *p; ++ char *p = NULL; + enum ssh_keytypes_e key_type; + int match = 0; + int rc = SSH_OK; +diff --git a/src/legacy.c b/src/legacy.c +index c35ec337..b1c8e150 100644 +--- a/src/legacy.c ++++ b/src/legacy.c +@@ -48,7 +48,7 @@ int ssh_auth_list(ssh_session session) { + int ssh_userauth_offer_pubkey(ssh_session session, const char *username, + int type, ssh_string publickey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + (void) type; /* unused */ +@@ -70,7 +70,7 @@ int ssh_userauth_pubkey(ssh_session session, + ssh_string publickey, + ssh_private_key privatekey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + (void) publickey; /* unused */ +@@ -373,10 +373,11 @@ void publickey_free(ssh_public_key key) { + SAFE_FREE(key); + } + +-ssh_public_key publickey_from_privatekey(ssh_private_key prv) { +- struct ssh_public_key_struct *p; +- ssh_key privkey; +- ssh_key pubkey; ++ssh_public_key publickey_from_privatekey(ssh_private_key prv) ++{ ++ struct ssh_public_key_struct *p = NULL; ++ ssh_key privkey = NULL; ++ ssh_key pubkey = NULL; + int rc; + + privkey = ssh_key_new(); +@@ -410,8 +411,8 @@ ssh_private_key privatekey_from_file(ssh_session session, + const char *passphrase) { + ssh_auth_callback auth_fn = NULL; + void *auth_data = NULL; +- ssh_private_key privkey; +- ssh_key key; ++ ssh_private_key privkey = NULL; ++ ssh_key key = NULL; + int rc; + + (void) type; /* unused */ +@@ -476,7 +477,7 @@ void privatekey_free(ssh_private_key prv) { + + ssh_string publickey_from_file(ssh_session session, const char *filename, + int *type) { +- ssh_key key; ++ ssh_key key = NULL; + ssh_string key_str = NULL; + int rc; + +@@ -509,9 +510,10 @@ int ssh_type_from_name(const char *name) { + return ssh_key_type_from_name(name); + } + +-ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) { +- struct ssh_public_key_struct *pubkey; +- ssh_key key; ++ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) ++{ ++ struct ssh_public_key_struct *pubkey = NULL; ++ ssh_key key = NULL; + int rc; + + (void) session; /* unused */ +@@ -540,9 +542,10 @@ ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) { + return pubkey; + } + +-ssh_string publickey_to_string(ssh_public_key pubkey) { +- ssh_key key; +- ssh_string key_blob; ++ssh_string publickey_to_string(ssh_public_key pubkey) ++{ ++ ssh_key key = NULL; ++ ssh_string key_blob = NULL; + int rc; + + key = ssh_key_new(); +@@ -573,11 +576,11 @@ int ssh_publickey_to_file(ssh_session session, + ssh_string pubkey, + int type) + { +- FILE *fp; +- char *user; ++ FILE *fp = NULL; ++ char *user = NULL; + char buffer[1024]; + char host[256]; +- unsigned char *pubkey_64; ++ unsigned char *pubkey_64 = NULL; + size_t len; + int rc; + if(session==NULL) +@@ -640,9 +643,9 @@ int ssh_try_publickey_from_file(ssh_session session, + const char *keyfile, + ssh_string *publickey, + int *type) { +- char *pubkey_file; ++ char *pubkey_file = NULL; + size_t len; +- ssh_string pubkey_string; ++ ssh_string pubkey_string = NULL; + int pubkey_type; + + if (session == NULL || keyfile == NULL || publickey == NULL || type == NULL) { +diff --git a/src/log.c b/src/log.c +index a8664b16..b26ed8be 100644 +--- a/src/log.c ++++ b/src/log.c +@@ -40,7 +40,7 @@ + + static LIBSSH_THREAD int ssh_log_level; + static LIBSSH_THREAD ssh_logging_callback ssh_log_cb; +-static LIBSSH_THREAD void *ssh_log_userdata; ++static LIBSSH_THREAD void *ssh_log_userdata = NULL; + + /** + * @defgroup libssh_log The SSH logging functions. +diff --git a/src/messages.c b/src/messages.c +index 400b8e9b..a0e185bb 100644 +--- a/src/messages.c ++++ b/src/messages.c +@@ -452,7 +452,7 @@ void ssh_message_queue(ssh_session session, ssh_message message){ + */ + ssh_message ssh_message_pop_head(ssh_session session){ + ssh_message msg=NULL; +- struct ssh_iterator *i; ++ struct ssh_iterator *i = NULL; + if(session->ssh_message_list == NULL) + return NULL; + i=ssh_list_get_iterator(session->ssh_message_list); +@@ -466,7 +466,7 @@ ssh_message ssh_message_pop_head(ssh_session session){ + /* Returns 1 if there is a message available */ + static int ssh_message_termination(void *s){ + ssh_session session = s; +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + if(session->session_state == SSH_SESSION_STATE_ERROR) + return 1; + it = ssh_list_get_iterator(session->ssh_message_list); +@@ -658,7 +658,7 @@ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session, + struct ssh_crypto_struct *crypto = + session->current_crypto ? session->current_crypto : + session->next_crypto; +- ssh_buffer buffer; ++ ssh_buffer buffer = NULL; + ssh_string str=NULL; + int rc; + +@@ -867,9 +867,9 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){ + #ifdef WITH_GSSAPI + if (strcmp(method, "gssapi-with-mic") == 0) { + uint32_t n_oid; +- ssh_string *oids; +- ssh_string oid; +- char *hexa; ++ ssh_string *oids = NULL; ++ ssh_string oid = NULL; ++ char *hexa = NULL; + int i; + ssh_buffer_get_u32(packet, &n_oid); + n_oid=ntohl(n_oid); +@@ -953,7 +953,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){ + SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){ + uint32_t nanswers; + uint32_t i; +- ssh_string tmp; ++ ssh_string tmp = NULL; + int rc; + + ssh_message msg = NULL; +@@ -1175,7 +1175,7 @@ end: + } + + int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_channel chan) { +- ssh_session session; ++ ssh_session session = NULL; + int rc; + + if (msg == NULL) { +@@ -1216,7 +1216,7 @@ int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_c + + + ssh_channel ssh_message_channel_request_open_reply_accept(ssh_message msg) { +- ssh_channel chan; ++ ssh_channel chan = NULL; + int rc; + + if (msg == NULL) { +diff --git a/src/misc.c b/src/misc.c +index 9842b7f4..3601ffb5 100644 +--- a/src/misc.c ++++ b/src/misc.c +@@ -334,7 +334,7 @@ int ssh_is_ipaddr(const char *str) { + #endif /* _WIN32 */ + + char *ssh_lowercase(const char* str) { +- char *new, *p; ++ char *new = NULL, *p = NULL; + + if (str == NULL) { + return NULL; +@@ -407,7 +407,7 @@ struct ssh_list *ssh_list_new(void) { + } + + void ssh_list_free(struct ssh_list *list){ +- struct ssh_iterator *ptr,*next; ++ struct ssh_iterator *ptr = NULL, *next = NULL; + if(!list) + return; + ptr=list->root; +@@ -426,7 +426,7 @@ struct ssh_iterator *ssh_list_get_iterator(const struct ssh_list *list){ + } + + struct ssh_iterator *ssh_list_find(const struct ssh_list *list, void *value){ +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + for(it = ssh_list_get_iterator(list); it != NULL ;it=it->next) + if(it->data==value) + return it; +@@ -496,7 +496,7 @@ int ssh_list_prepend(struct ssh_list *list, const void *data){ + } + + void ssh_list_remove(struct ssh_list *list, struct ssh_iterator *iterator){ +- struct ssh_iterator *ptr,*prev; ++ struct ssh_iterator *ptr = NULL, *prev = NULL; + prev=NULL; + ptr=list->root; + while(ptr && ptr != iterator){ +@@ -616,7 +616,7 @@ char *ssh_dirname (const char *path) { + */ + char *ssh_basename (const char *path) { + char *new = NULL; +- const char *s; ++ const char *s = NULL; + size_t len; + + if (path == NULL || *path == '\0') { +@@ -685,8 +685,8 @@ int ssh_mkdir(const char *pathname, mode_t mode) { + * @return The expanded directory, NULL on error. + */ + char *ssh_path_expand_tilde(const char *d) { +- char *h = NULL, *r; +- const char *p; ++ char *h = NULL, *r = NULL; ++ const char *p = NULL; + size_t ld; + size_t lh = 0; + +@@ -701,7 +701,7 @@ char *ssh_path_expand_tilde(const char *d) { + #ifdef _WIN32 + return strdup(d); + #else +- struct passwd *pw; ++ struct passwd *pw = NULL; + size_t s = p - d; + char u[128]; + +@@ -757,7 +757,7 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) { + char host[NI_MAXHOST]; + char buf[MAX_BUF_SIZE]; + char *r, *x = NULL; +- const char *p; ++ const char *p = NULL; + size_t i, l; + + r = ssh_path_expand_tilde(s); +@@ -867,8 +867,8 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) { + */ + int ssh_analyze_banner(ssh_session session, int server) + { +- const char *banner; +- const char *openssh; ++ const char *banner = NULL; ++ const char *openssh = NULL; + + if (server) { + banner = session->clientbanner; +diff --git a/src/options.c b/src/options.c +index 5f9d3c26..6d0f111a 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -63,7 +63,7 @@ + * @see ssh_session_connect() + */ + int ssh_options_copy(ssh_session src, ssh_session *dest) { +- ssh_session new; ++ ssh_session new = NULL; + int i; + + if (src == NULL || dest == NULL) { +@@ -399,8 +399,8 @@ int ssh_options_set_algo(ssh_session session, + */ + int ssh_options_set(ssh_session session, enum ssh_options_e type, + const void *value) { +- const char *v; +- char *p, *q; ++ const char *v = NULL; ++ char *p = NULL, *q = NULL; + long int i; + unsigned int u; + int rc; +@@ -987,7 +987,7 @@ int ssh_options_get_port(ssh_session session, unsigned int* port_target) { + */ + int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value) + { +- char* src = NULL; ++ char *src = NULL; + + if (session == NULL) { + return SSH_ERROR; +@@ -1248,7 +1248,7 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv) + * @see ssh_options_set_host() + */ + int ssh_options_parse_config(ssh_session session, const char *filename) { +- char *expanded_filename; ++ char *expanded_filename = NULL; + int r; + + if (session == NULL) { +@@ -1292,7 +1292,7 @@ out: + + int ssh_options_apply(ssh_session session) { + struct ssh_iterator *it; +- char *tmp; ++ char *tmp = NULL; + int rc; + + if (session->opts.sshdir == NULL) { +diff --git a/src/packet.c b/src/packet.c +index 8025a7ff..aa0535e9 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -1218,8 +1218,8 @@ error: + static void ssh_packet_socket_controlflow_callback(int code, void *userdata) + { + ssh_session session = userdata; +- struct ssh_iterator *it; +- ssh_channel channel; ++ struct ssh_iterator *it = NULL; ++ ssh_channel channel = NULL; + + if (code == SSH_SOCKET_FLOW_WRITEWONTBLOCK) { + SSH_LOG(SSH_LOG_TRACE, "sending channel_write_wontblock callback"); +diff --git a/src/packet_crypt.c b/src/packet_crypt.c +index ba1d4af9..63eb6443 100644 +--- a/src/packet_crypt.c ++++ b/src/packet_crypt.c +@@ -205,7 +205,7 @@ int ssh_packet_hmac_verify(ssh_session session, + enum ssh_hmac_e type) + { + unsigned char hmacbuf[DIGEST_MAX_LEN] = {0}; +- HMACCTX ctx; ++ HMACCTX ctx = NULL; + unsigned int len; + uint32_t seq; + +diff --git a/src/pki.c b/src/pki.c +index 620ac1dd..4c4380ee 100644 +--- a/src/pki.c ++++ b/src/pki.c +@@ -283,7 +283,7 @@ static enum ssh_digest_e ssh_key_hash_from_name(const char *name) + */ + int ssh_key_algorithm_allowed(ssh_session session, const char *type) + { +- const char *allowed_list; ++ const char *allowed_list = NULL; + + allowed_list = session->opts.pubkey_accepted_types; + if (allowed_list == NULL) { +@@ -480,7 +480,7 @@ int ssh_key_cmp(const ssh_key k1, + + ssh_signature ssh_signature_new(void) + { +- struct ssh_signature_struct *sig; ++ struct ssh_signature_struct *sig = NULL; + + sig = malloc(sizeof(struct ssh_signature_struct)); + if (sig == NULL) { +@@ -561,7 +561,7 @@ int ssh_pki_import_privkey_base64(const char *b64_key, + void *auth_data, + ssh_key *pkey) + { +- ssh_key key; ++ ssh_key key = NULL; + int cmp; + + if (b64_key == NULL || pkey == NULL) { +@@ -681,8 +681,8 @@ int ssh_pki_import_privkey_file(const char *filename, + void *auth_data, + ssh_key *pkey) { + struct stat sb; +- char *key_buf; +- FILE *file; ++ char *key_buf = NULL; ++ FILE *file = NULL; + off_t size; + int rc; + +@@ -820,8 +820,8 @@ int ssh_pki_export_privkey_file(const ssh_key privkey, + + /* temporary function to migrate seemlessly to ssh_key */ + ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) { +- ssh_public_key pub; +- ssh_key tmp; ++ ssh_public_key pub = NULL; ++ ssh_key tmp = NULL; + + if(key == NULL) { + return NULL; +@@ -853,7 +853,7 @@ ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) { + } + + ssh_private_key ssh_pki_convert_key_to_privatekey(const ssh_key key) { +- ssh_private_key privkey; ++ ssh_private_key privkey = NULL; + + privkey = malloc(sizeof(struct ssh_private_key_struct)); + if (privkey == NULL) { +@@ -1190,9 +1190,9 @@ fail: + static int pki_import_cert_buffer(ssh_buffer buffer, + enum ssh_keytypes_e type, + ssh_key *pkey) { +- ssh_buffer cert; +- ssh_string type_s; +- ssh_key key; ++ ssh_buffer cert = NULL; ++ ssh_string type_s = NULL; ++ ssh_key key = NULL; + int rc; + + key = ssh_key_new(); +@@ -1615,7 +1615,7 @@ error: + int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey, + ssh_key *pkey) + { +- ssh_key pubkey; ++ ssh_key pubkey = NULL; + + if (privkey == NULL || !ssh_key_is_private(privkey)) { + return SSH_ERROR; +@@ -1653,7 +1653,7 @@ int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey, + int ssh_pki_export_pubkey_blob(const ssh_key key, + ssh_string *pblob) + { +- ssh_string blob; ++ ssh_string blob = NULL; + + if (key == NULL) { + return SSH_OK; +@@ -1683,8 +1683,8 @@ int ssh_pki_export_pubkey_blob(const ssh_key key, + int ssh_pki_export_pubkey_base64(const ssh_key key, + char **b64_key) + { +- ssh_string key_blob; +- unsigned char *b64; ++ ssh_string key_blob = NULL; ++ unsigned char *b64 = NULL; + + if (key == NULL || b64_key == NULL) { + return SSH_ERROR; +@@ -1711,9 +1711,9 @@ int ssh_pki_export_pubkey_file(const ssh_key key, + { + char key_buf[4096]; + char host[256]; +- char *b64_key; +- char *user; +- FILE *fp; ++ char *b64_key = NULL; ++ char *user = NULL; ++ FILE *fp = NULL; + int rc; + + if (key == NULL || filename == NULL || *filename == '\0') { +@@ -1774,7 +1774,7 @@ int ssh_pki_export_pubkey_file(const ssh_key key, + * @returns SSH_OK on success, SSH_ERROR otherwise. + **/ + int ssh_pki_copy_cert_to_privkey(const ssh_key certkey, ssh_key privkey) { +- ssh_buffer cert_buffer; ++ ssh_buffer cert_buffer = NULL; + int rc; + + if (certkey == NULL || privkey == NULL) { +@@ -1809,7 +1809,7 @@ int ssh_pki_export_signature_blob(const ssh_signature sig, + ssh_string *sig_blob) + { + ssh_buffer buf = NULL; +- ssh_string str; ++ ssh_string str = NULL; + int rc; + + if (sig == NULL || sig_blob == NULL) { +@@ -1869,7 +1869,7 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob, + enum ssh_keytypes_e type; + enum ssh_digest_e hash_type; + ssh_string algorithm = NULL, blob = NULL; +- ssh_buffer buf; ++ ssh_buffer buf = NULL; + const char *alg = NULL; + int rc; + +@@ -2143,9 +2143,9 @@ ssh_string ssh_pki_do_sign_agent(ssh_session session, + struct ssh_buffer_struct *buf, + const ssh_key pubkey) { + struct ssh_crypto_struct *crypto; +- ssh_string session_id; +- ssh_string sig_blob; +- ssh_buffer sig_buf; ++ ssh_string session_id = NULL; ++ ssh_string sig_blob = NULL; ++ ssh_buffer sig_buf = NULL; + int rc; + + if (session->current_crypto) { +diff --git a/src/pki_container_openssh.c b/src/pki_container_openssh.c +index 3ef54f83..6e473899 100644 +--- a/src/pki_container_openssh.c ++++ b/src/pki_container_openssh.c +@@ -234,12 +234,12 @@ ssh_pki_openssh_import(const char *text_key, + bool private) + { + const char *ptr=text_key; +- const char *end; +- char *base64; ++ const char *end = NULL; ++ char *base64 = NULL; + int cmp; + int rc; + int i; +- ssh_buffer buffer = NULL, privkey_buffer=NULL; ++ ssh_buffer buffer = NULL, privkey_buffer = NULL; + char *magic = NULL, *ciphername = NULL, *kdfname = NULL; + uint32_t nkeys = 0, checkint1 = 0, checkint2 = 0xFFFF; + ssh_string kdfoptions = NULL; +@@ -535,14 +535,14 @@ ssh_string ssh_pki_openssh_privkey_export(const ssh_key privkey, + { + ssh_buffer buffer; + ssh_string str = NULL; +- ssh_string pubkey_s=NULL; ++ ssh_string pubkey_s = NULL; + ssh_buffer privkey_buffer = NULL; + uint32_t rnd; + uint32_t rounds = 16; +- ssh_string salt=NULL; +- ssh_string kdf_options=NULL; ++ ssh_string salt = NULL; ++ ssh_string kdf_options = NULL; + int to_encrypt=0; +- unsigned char *b64; ++ unsigned char *b64 = NULL; + uint32_t str_len, len; + uint8_t padding = 1; + int ok; +diff --git a/src/pki_ed25519.c b/src/pki_ed25519.c +index 981a74b6..c9f07386 100644 +--- a/src/pki_ed25519.c ++++ b/src/pki_ed25519.c +@@ -84,7 +84,7 @@ int pki_ed25519_sign(const ssh_key privkey, + size_t hlen) + { + int rc; +- uint8_t *buffer; ++ uint8_t *buffer = NULL; + unsigned long long dlen = 0; + + buffer = malloc(hlen + ED25519_SIG_LEN); +@@ -126,8 +126,8 @@ int pki_ed25519_verify(const ssh_key pubkey, + size_t hlen) + { + unsigned long long mlen = 0; +- uint8_t *buffer; +- uint8_t *buffer2; ++ uint8_t *buffer = NULL; ++ uint8_t *buffer2 = NULL; + int rc; + + if (pubkey == NULL || sig == NULL || +diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c +index cf9ac781..6c1cb537 100644 +--- a/src/pki_gcrypt.c ++++ b/src/pki_gcrypt.c +@@ -152,7 +152,7 @@ static ssh_string asn1_get_int(ssh_buffer buffer) { + + static ssh_string asn1_get_bit_string(ssh_buffer buffer) + { +- ssh_string str; ++ ssh_string str = NULL; + unsigned char type; + uint32_t size; + unsigned char unused, last, *p; +diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c +index 57a4ffae..abf36f4e 100644 +--- a/src/pki_mbedcrypto.c ++++ b/src/pki_mbedcrypto.c +@@ -774,9 +774,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) + sig_blob = ssh_string_copy(sig->rsa_sig); + break; + case SSH_KEYTYPE_ECDSA: { +- ssh_string r; +- ssh_string s; +- ssh_buffer b; ++ ssh_string r = NULL; ++ ssh_string s = NULL; ++ ssh_buffer b = NULL; + int rc; + + b = ssh_buffer_new(); +@@ -923,9 +923,9 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, + sig->type_c = ssh_key_signature_to_char(type, hash_type); + break; + case SSH_KEYTYPE_ECDSA: { +- ssh_buffer b; +- ssh_string r; +- ssh_string s; ++ ssh_buffer b = NULL; ++ ssh_string r = NULL; ++ ssh_string s = NULL; + size_t rlen; + + b = ssh_buffer_new(); +diff --git a/src/poll.c b/src/poll.c +index 0ee8db20..cbeff3df 100644 +--- a/src/poll.c ++++ b/src/poll.c +@@ -468,8 +468,8 @@ void ssh_poll_ctx_free(ssh_poll_ctx ctx) { + } + + static int ssh_poll_ctx_resize(ssh_poll_ctx ctx, size_t new_size) { +- ssh_poll_handle *pollptrs; +- ssh_pollfd_t *pollfds; ++ ssh_poll_handle *pollptrs = NULL; ++ ssh_pollfd_t *pollfds = NULL; + + pollptrs = realloc(ctx->pollptrs, sizeof(ssh_poll_handle) * new_size); + if (pollptrs == NULL) { +@@ -741,7 +741,7 @@ static int ssh_event_fd_wrapper_callback(ssh_poll_handle p, socket_t fd, int rev + int ssh_event_add_fd(ssh_event event, socket_t fd, short events, + ssh_event_callback cb, void *userdata) { + ssh_poll_handle p; +- struct ssh_event_fd_wrapper *pw; ++ struct ssh_event_fd_wrapper *pw = NULL; + + if(event == NULL || event->ctx == NULL || cb == NULL + || fd == SSH_INVALID_SOCKET) { +@@ -810,7 +810,7 @@ void ssh_event_remove_poll(ssh_event event, ssh_poll_handle p) + int ssh_event_add_session(ssh_event event, ssh_session session) { + ssh_poll_handle p; + #ifdef WITH_SERVER +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + #endif + + if(event == NULL || event->ctx == NULL || session == NULL) { +diff --git a/src/server.c b/src/server.c +index f3d24a7b..90677441 100644 +--- a/src/server.c ++++ b/src/server.c +@@ -85,7 +85,7 @@ static int dh_handshake_server(ssh_session session); + static int server_set_kex(ssh_session session) { + struct ssh_kex_struct *server = &session->next_crypto->server_kex; + int i, j, rc; +- const char *wanted; ++ const char *wanted = NULL; + char hostkeys[128] = {0}; + enum ssh_keytypes_e keytype; + size_t len; +@@ -204,9 +204,10 @@ static int ssh_server_kexdh_init(ssh_session session, ssh_buffer packet){ + return SSH_OK; + } + +-static int ssh_server_send_extensions(ssh_session session) { ++static int ssh_server_send_extensions(ssh_session session) ++{ + int rc; +- const char *hostkey_algorithms; ++ const char *hostkey_algorithms = NULL; + + SSH_LOG(SSH_LOG_PACKET, "Sending SSH_MSG_EXT_INFO"); + /* +@@ -289,8 +290,8 @@ error: + } + + int ssh_get_key_params(ssh_session session, ssh_key *privkey){ +- ssh_key pubkey; +- ssh_string pubkey_blob; ++ ssh_key pubkey = NULL; ++ ssh_string pubkey_blob = NULL; + int rc; + + switch(session->srv.hostkey) { +@@ -780,8 +781,9 @@ static int ssh_message_service_request_reply_default(ssh_message msg) { + return ssh_message_service_reply_success(msg); + } + +-int ssh_message_service_reply_success(ssh_message msg) { +- ssh_session session; ++int ssh_message_service_reply_success(ssh_message msg) ++{ ++ ssh_session session = NULL; + int rc; + + if (msg == NULL) { +@@ -1111,7 +1113,7 @@ int ssh_message_auth_reply_pk_ok(ssh_message msg, ssh_string algo, ssh_string pu + } + + int ssh_message_auth_reply_pk_ok_simple(ssh_message msg) { +- ssh_string algo; ++ ssh_string algo = NULL; + ssh_string pubkey_blob = NULL; + int ret; + +diff --git a/src/session.c b/src/session.c +index 3953fe76..daa30fe2 100644 +--- a/src/session.c ++++ b/src/session.c +@@ -56,7 +56,7 @@ + * @returns A new ssh_session pointer, NULL on error. + */ + ssh_session ssh_new(void) { +- ssh_session session; ++ ssh_session session = NULL; + char *id = NULL; + int rc; + +@@ -252,7 +252,7 @@ void ssh_free(ssh_session session) { + + /* options */ + if (session->opts.identity) { +- char *id; ++ char *id = NULL; + + for (id = ssh_list_pop_head(char *, session->opts.identity); + id != NULL; +diff --git a/src/sftpserver.c b/src/sftpserver.c +index dee51534..4a15d032 100644 +--- a/src/sftpserver.c ++++ b/src/sftpserver.c +@@ -291,8 +291,8 @@ void sftp_client_message_free(sftp_client_message msg) { + + int sftp_reply_name(sftp_client_message msg, const char *name, + sftp_attributes attr) { +- ssh_buffer out; +- ssh_string file; ++ ssh_buffer out = NULL; ++ ssh_string file = NULL; + + out = ssh_buffer_new(); + if (out == NULL) { +@@ -361,7 +361,7 @@ int sftp_reply_attr(sftp_client_message msg, sftp_attributes attr) { + + int sftp_reply_names_add(sftp_client_message msg, const char *file, + const char *longname, sftp_attributes attr) { +- ssh_string name; ++ ssh_string name = NULL; + + name = ssh_string_from_char(file); + if (name == NULL) { +@@ -427,8 +427,8 @@ int sftp_reply_names(sftp_client_message msg) { + + int sftp_reply_status(sftp_client_message msg, uint32_t status, + const char *message) { +- ssh_buffer out; +- ssh_string s; ++ ssh_buffer out = NULL; ++ ssh_string s = NULL; + + out = ssh_buffer_new(); + if (out == NULL) { +@@ -484,7 +484,7 @@ int sftp_reply_data(sftp_client_message msg, const void *data, int len) { + * valid info (or worse). + */ + ssh_string sftp_handle_alloc(sftp_session sftp, void *info) { +- ssh_string ret; ++ ssh_string ret = NULL; + uint32_t val; + int i; + +diff --git a/src/string.c b/src/string.c +index acd3cf48..3e044374 100644 +--- a/src/string.c ++++ b/src/string.c +@@ -106,7 +106,7 @@ int ssh_string_fill(struct ssh_string_struct *s, const void *data, size_t len) { + * @note The nul byte is not copied nor counted in the ouput string. + */ + struct ssh_string_struct *ssh_string_from_char(const char *what) { +- struct ssh_string_struct *ptr; ++ struct ssh_string_struct *ptr = NULL; + size_t len; + + if(what == NULL) { +@@ -180,7 +180,7 @@ const char *ssh_string_get_char(struct ssh_string_struct *s) + */ + char *ssh_string_to_char(struct ssh_string_struct *s) { + size_t len; +- char *new; ++ char *new = NULL; + + if (s == NULL) { + return NULL; +@@ -219,7 +219,7 @@ void ssh_string_free_char(char *s) { + * @return Newly allocated copy of the string, NULL on error. + */ + struct ssh_string_struct *ssh_string_copy(struct ssh_string_struct *s) { +- struct ssh_string_struct *new; ++ struct ssh_string_struct *new = NULL; + size_t len; + + if (s == NULL) { +diff --git a/src/threads/winlocks.c b/src/threads/winlocks.c +index a1799531..c1bf1011 100644 +--- a/src/threads/winlocks.c ++++ b/src/threads/winlocks.c +@@ -81,7 +81,7 @@ static struct ssh_threads_callbacks_struct ssh_threads_winlock = + + void ssh_mutex_lock(SSH_MUTEX *mutex) + { +- void *rc; ++ void *rc = NULL; + + CRITICAL_SECTION *mutex_tmp = NULL; + +diff --git a/src/wrapper.c b/src/wrapper.c +index e580e1cc..6e15d54e 100644 +--- a/src/wrapper.c ++++ b/src/wrapper.c +@@ -133,7 +133,7 @@ static void cipher_free(struct ssh_cipher_struct *cipher) { + } + + struct ssh_crypto_struct *crypto_new(void) { +- struct ssh_crypto_struct *crypto; ++ struct ssh_crypto_struct *crypto = NULL; + + crypto = malloc(sizeof(struct ssh_crypto_struct)); + if (crypto == NULL) { +-- +2.35.5 + diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-2.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-2.patch new file mode 100644 index 0000000000..d5c88dd1d6 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-2.patch @@ -0,0 +1,33 @@ +From b35ee876adc92a208d47194772e99f9c71e0bedb Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 28 Apr 2025 11:04:55 +0200 +Subject: [PATCH] CVE-2025-4878 legacy: Properly check return value to avoid + NULL pointer dereference + +Signed-off-by: Jakub Jelen +Reviewed-by: Andreas Schneider + +CVE: CVE-2025-4878 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb] + +Signed-off-by: Rajeshkumar Ramasamy +--- + src/legacy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/legacy.c b/src/legacy.c +index b1c8e150..ecbaf039 100644 +--- a/src/legacy.c ++++ b/src/legacy.c +@@ -428,7 +428,7 @@ ssh_private_key privatekey_from_file(ssh_session session, + auth_fn, + auth_data, + &key); +- if (rc == SSH_ERROR) { ++ if (rc != SSH_OK) { + return NULL; + } + +-- +2.48.1 diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb index fee711e191..28e3fe2588 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb @@ -22,6 +22,8 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://run-ptest \ file://CVE-2025-5318.patch \ file://CVE-2025-4877.patch \ + file://CVE-2025-4878-1.patch \ + file://CVE-2025-4878-2.patch \ " SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"