Use of Uninitialized Variable #2
Description
WebSockify Bug Report - Project Srishti
Note: This is an old bug found by source code audit.
While looking at websockify.c in websockify/other, I noticed an obvious Use of Uninitialized Variable bug.
unsigned int tout_start, tout_end, cout_start, cout_end;
unsigned int tin_start, tin_end;
ssize_t len, bytes;
tout_start = tout_end = cout_start = cout_end;You can see that tout_start, tout_end, cout_start, cout_end variables are not initialized before they are used. However, after evaluating the control flow, I do not see a security issue.
if (tout_end == tout_start) {
// Nothing queued for target, so read from client
FD_SET(client, &rlist);
} else {
// Data queued for target, so write to it
FD_SET(target, &wlist);
}
if (cout_end == cout_start) {
// Nothing queued for client, so read from target
FD_SET(target, &rlist);
} else {
// Data queued for client, so write to it
FD_SET(client, &wlist);
}But, this is not recommended in Secure Coding practices.
The issue can be depicted by below given dummy C snippet.
dummy.c
#include <stdio.h>
int main()
{
unsigned int tout_start, tout_end, cout_start, cout_end;
tout_start = tout_end = cout_start = cout_end;
printf("&tout_start: [%p], tout_start: [%p]\n", &tout_start, tout_start);
printf("&tout_end: [%p], tout_end: [%p]\n", &tout_end, tout_end);
printf("&cout_start: [%p], cout_start: [%p]\n", &cout_start, cout_start);
printf("&cout_end: [%p], cout_end: [%p]\n", &cout_end, cout_end);
return 0;
}Output
sh-4.3$ main
&tout_start: [0x7ffd2384337c], tout_start: [0x23843460]
&tout_end: [0x7ffd23843378], tout_end: [0x23843460]
&cout_start: [0x7ffd23843374], cout_start: [0x23843460]
&cout_end: [0x7ffd23843370], cout_end: [0x23843460]
sh-4.3$ main
&tout_start: [0x7ffd8cb6c63c], tout_start: [0x8cb6c720]
&tout_end: [0x7ffd8cb6c638], tout_end: [0x8cb6c720]
&cout_start: [0x7ffd8cb6c634], cout_start: [0x8cb6c720]
&cout_end: [0x7ffd8cb6c630], cout_end: [0x8cb6c720]From the output, you can observe that the value of tout_start, tout_end, cout_start, cout_end variables differ each run.
Recommendation
Initialize the variables with a concrete value.
tout_start = tout_end = cout_start = cout_end = 0;Credits
Ashfaq Ansari - Project Srishti