From aff7c500d5721e35c998b1b3c78e450fe7ff986d Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Tue, 24 Sep 2019 13:23:25 +0200
Subject: [PATCH] buffer: Avoid use of uninitialized values

Fixes the following oss-fuzz bug:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17565

Signed-off-by: Jakub Jelen
Reviewed-by: Andreas Schneider
---
 src/buffer.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/src/buffer.c b/src/buffer.c
index 1f38ae6f..d7d90d07 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -1119,6 +1119,7 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
 goto cleanup;
 }
 
+ rc = SSH_ERROR;
 switch (*p) {
 case 'b':
 o.byte = va_arg(ap, uint8_t *);
@@ -1128,20 +1129,26 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer,
 case 'w':
 o.word = va_arg(ap, uint16_t *);
 rlen = ssh_buffer_get_data(buffer, o.word, sizeof(uint16_t));
- *o.word = ntohs(*o.word);
- rc = rlen==2 ? SSH_OK : SSH_ERROR;
+ if (rlen == 2) {
+ *o.word = ntohs(*o.word);
+ rc = SSH_OK;
+ }
 break;
 case 'd':
 o.dword = va_arg(ap, uint32_t *);
 rlen = ssh_buffer_get_u32(buffer, o.dword);
- *o.dword = ntohl(*o.dword);
- rc = rlen==4 ? SSH_OK : SSH_ERROR;
+ if (rlen == 4) {
+ *o.dword = ntohl(*o.dword);
+ rc = SSH_OK;
+ }
 break;
 case 'q':
 o.qword = va_arg(ap, uint64_t*);
 rlen = ssh_buffer_get_u64(buffer, o.qword);
- *o.qword = ntohll(*o.qword);
- rc = rlen==8 ? SSH_OK : SSH_ERROR;
+ if (rlen == 8) {
+ *o.qword = ntohll(*o.qword);
+ rc = SSH_OK;
+ }
 break;
 case 'B':
 o.bignum = va_arg(ap, bignum *);
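Review bot: The new guards in the 'w', 'd' and 'q' cases of the second hunk stop this function from byte-swapping an unread value, but on a short read the caller's output object is left untouched, so a caller that does not check the return still ends up reading uninitialized memory; if the intent is to fail closed, consider clearing it on the other branch, e.g. `} else { *o.word = 0; }` (and likewise `*o.dword`, `*o.qword`). Whether ssh_buffer_get_data / ssh_buffer_get_u32 / ssh_buffer_get_u64 can leave a partial copy behind on failure is not visible here, so that would need checking before relying on "untouched". As a point of style, the literal lengths `2`, `4` and `8` duplicate the size already spelled out in the same case; `if (rlen == sizeof(*o.word))` keeps the check tied to the type and matches the `sizeof(uint16_t)` passed on the line above. The preset `rc = SSH_ERROR;` in the first hunk means any case that breaks without setting rc now reports failure, which is the right default. The rest of ssh_buffer_unpack_va, including what the loop does with rc after the switch and the remaining format cases, lies outside both hunks.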