Florian:
Yes, the uninitialized memory will be accessed in some cases, for example:
@@ -1733,10 +1747,12 @@
CK_X9_42_DH1_DERIVE_PARAMS ckParam;
jfieldID fieldID;
jlong jKdf;
jobject jOtherInfo, jPublicData;
+ memset(&ckParam, 0, sizeof(CK_X9_42_DH1_DERIVE_PARAMS));<--- added
initialization
+
/* get kdf */
jX942Dh1DeriveParamsClass = (*env)->FindClass(env,
CLASS_X9_42_DH1_DERIVE_PARAMS);
if (jX942Dh1DeriveParamsClass == NULL) { return ckParam; }
fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "kdf", "J");
if (fieldID == NULL) { return ckParam; }
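Review bot: the early returns after FindClass and GetFieldID (`if (... == NULL) { return ckParam; }`) now hand back an all-zero struct by value, which is well defined but carries no error indication, so a caller cannot tell a failed lookup from a valid conversion by looking at the result. Consider documenting on this function that callers must test for a pending JNI exception (for example with `(*env)->ExceptionCheck(env)`) before using the returned parameters. As a smaller style point, `sizeof(ckParam)` in the memset would keep the size tied to the variable rather than repeating the type name.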
----- Original Message -----
From: [email protected]
To: [email protected]
Cc: [email protected]
Sent: Wednesday, March 27, 2013 11:48:57 AM GMT -05:00 US/Canada Eastern
Subject: Re: RFR JDK-8003245
On 03/20/2013 04:27 PM, John Zavgren wrote:
> Please consider the following changes that eliminate the use of uninitialized
> memory.
> http://cr.openjdk.java.net/~jzavgren/8003245/webrev.01/
Is the uninitialized memory accessed on the error paths?
--
Florian Weimer / Red Hat Product Security Team