From fc5fac83b778f0ff61608c286448ab7fa14ccb2d Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Mon, 12 Apr 2021 21:59:17 +0200 Subject: [PATCH] kbx: Avoid uninitialized read * kbx/kbx-client-util.c (datastream_thread): Initialize pointer * kbx/keybox-dump.c (_keybox_dump_cut_records): free blob * kbx/kbxserver.c (kbxd_start_command_handler): do not free passed ctrl * kbx/keyboxd.c (check_own_socket): free sockname -- Signed-off-by: Jakub Jelen GnuPG-bug-id: 5393 --- kbx/kbx-client-util.c | 3 ++- kbx/kbxserver.c | 1 - kbx/keybox-dump.c | 4 +++- kbx/keyboxd.c | 5 ++++- 4 files changed, 9 insertions(+), 4 deletions(-) diff --git a/kbx/kbx-client-util.c b/kbx/kbx-client-util.c index bd71cf2ba..f9d06fab8 100644 --- a/kbx/kbx-client-util.c +++ b/kbx/kbx-client-util.c @@ -176,7 +176,8 @@ datastream_thread (void *arg) int rc; unsigned char lenbuf[4]; size_t nread, datalen; - char *data, *tmpdata; + char *data = NULL; + char *tmpdata; /* log_debug ("%s: started\n", __func__); */ while (kcd->fp) diff --git a/kbx/kbxserver.c b/kbx/kbxserver.c index 55b478586..0b76cde31 100644 --- a/kbx/kbxserver.c +++ b/kbx/kbxserver.c @@ -844,7 +844,6 @@ kbxd_start_command_handler (ctrl_t ctrl, gnupg_fd_t fd, unsigned int session_id) { log_error (_("can't allocate control structure: %s\n"), gpg_strerror (gpg_error_from_syserror ())); - xfree (ctrl); return; } ctrl->server_local->client_pid = ASSUAN_INVALID_PID; diff --git a/kbx/keybox-dump.c b/kbx/keybox-dump.c index 3e66b72a1..38608ceaa 100644 --- a/kbx/keybox-dump.c +++ b/kbx/keybox-dump.c @@ -881,7 +881,7 @@ _keybox_dump_cut_records (const char *filename, unsigned long from, unsigned long to, FILE *outfp) { estream_t fp; - KEYBOXBLOB blob; + KEYBOXBLOB blob = NULL; int rc; unsigned long recno = 0; @@ -902,6 +902,7 @@ _keybox_dump_cut_records (const char *filename, unsigned long from, } } _keybox_release_blob (blob); + blob = NULL; recno++; } if (rc == -1) 
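Review bot: In kbx/kbx-client-util.c the `= NULL` on `data` in datastream_thread takes effect only once, before `while (kcd->fp)` is entered. The loop body lies outside the hunk, so it cannot be confirmed from here that every iteration assigns `data` before it is read or freed. If any pass can skip the assignment, it would see the previous iteration's pointer rather than NULL, which is a stale-pointer read instead of an uninitialized one. Resetting at the top of the loop body with `data = NULL;` would make the guarantee hold per iteration.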
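Review bot: In kbx/keybox-dump.c the new `blob = NULL;` after `_keybox_release_blob (blob);` in the loop of _keybox_dump_cut_records is what keeps the release added at `leave:` (the @@ -909 hunk) from freeing the same blob twice, and nothing in the code says so. A short comment on that line would protect the pairing from a later cleanup, for example `/* Cleared so the release at leave: cannot free it twice. */`. The cleanup at `leave:` is also reached with `blob` equal to NULL on the normal path, so it depends on `_keybox_release_blob` ignoring a NULL argument; that function's definition is not part of this patch.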
@@ -909,6 +910,7 @@ _keybox_dump_cut_records (const char *filename, unsigned long from, if (rc) fprintf (stderr, "error reading '%s': %s\n", filename, gpg_strerror (rc)); leave: + _keybox_release_blob (blob); if (fp != es_stdin) es_fclose (fp); return rc; diff --git a/kbx/keyboxd.c b/kbx/keyboxd.c index 76a0694a4..3f759e6f7 100644 --- a/kbx/keyboxd.c +++ b/kbx/keyboxd.c @@ -1795,7 +1795,10 @@ check_own_socket (void) err = npth_attr_init (&tattr); if (err) - return; + { + xfree (sockname); + return; + } npth_attr_setdetachstate (&tattr, NPTH_CREATE_DETACHED); err = npth_create (&thread, &tattr, check_own_socket_thread, sockname); if (err)
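Review bot: In check_own_socket (kbx/keyboxd.c) the hunk ends on the `if (err)` that follows `npth_create`, and `sockname` is handed to the new thread only when that call succeeds. The branch body is outside the hunk, but if it only logs, `sockname` leaks there exactly as it did on the `npth_attr_init` path, so it should get `xfree (sockname);` as well. The new early return is also silent; a `log_error` call carrying `strerror (err)` before it would leave a trace when the thread attributes cannot be initialized.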