Local, automatic variables can assume unexpected values if they are used before they are initialized. The C standard specifies, "If an object that has automatic storage duration is not initialized explicitly, its value is indeterminate" [ISO/IEC 9899:2011]. (See also undefined behavior 11 of Annex J.)
...
In the noncompliant code example below, the function mbrlen() is passed the address of an automatic mbstate_t object that has not been properly initialized, leading to undefined behavior. See undefined behavior 200 in Annex J of C11 [ISO/IEC 9899:2011].
```c
#include <string.h>
#include <wchar.h>

void f(const char *mbs) {
  size_t len;
  mbstate_t state;   /* automatic storage, never initialized: its value is indeterminate */

  /* mbrlen() reads the conversion state through &state, so this is undefined behavior */
  len = mbrlen(mbs, strlen(mbs), &state);
  /* ... */
}
```
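The correct pattern is to put the `mbstate_t` into a known initial conversion state before the first `mbrlen()` call. The following added example (not code from the original page) does that with `memset()` and also checks the three special return values of `mbrlen()` while counting the characters of a whole string; the function name `count_mbchars` is an assumption.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Count the multibyte characters in a NUL-terminated string.
 * Returns (size_t)-1 if the string contains an invalid or truncated
 * sequence. Without a setlocale() call the program runs in the "C"
 * locale, where every byte is one character.
 * (Added example; count_mbchars is a hypothetical name.) */
size_t count_mbchars(const char *mbs) {
  mbstate_t state;
  size_t remaining = strlen(mbs);
  size_t count = 0;

  /* All-zero bytes denote the initial conversion state; without this the
   * automatic object is indeterminate and mbrlen() would read it. */
  memset(&state, 0, sizeof state);

  while (remaining > 0) {
    size_t len = mbrlen(mbs, remaining, &state);
    if (len == (size_t)-1 || len == (size_t)-2)
      return (size_t)-1;   /* invalid encoding, or sequence cut off by the end of input */
    if (len == 0)
      break;               /* a NUL character was decoded: treat it as end of string */
    mbs += len;
    remaining -= len;
    count++;
  }
  return count;
}
```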
...
The OpenSSL package for Debian Linux, and distributions derived from Debian (see VU#925211), are said to reference uninitialized memory. One might say that uninitialized memory causes the vulnerability, but this is not entirely true. The original OpenSSL code uses uninitialized memory as an additional source of randomness for a key that is already randomly generated. This produces good keys, but it also causes the code-auditing tools Valgrind and Purify to issue warnings. Debian tried to silence the warnings with two changes: one actually eliminates the uninitialized memory access, but the other weakens the randomness of the keys.
...
CERT C++ Secure Coding Standard: EXP33-CPP. Do not reference uninitialized memory
ISO/IEC 9899:2011 Section 6.7.9, "Initialization"
ISO/IEC TR 17961 (Draft) Referencing uninitialized memory [uninitref]
ISO/IEC TR 24772 "LAV Initialization of Variables"
...