Re: 'make check' and Use of uninitialised value in Curl_rand_hex

From: Daniel Stenberg <>
Date: Thu, 26 Jul 2018 15:54:03 +0200 (CEST)

On Wed, 25 Jul 2018, Jeffrey Walton wrote:

> I used 7.61.0.tar.gz and openssl-1.0.2.o.tar.gz.
> After thinking about this a bit, this may be due to -march=native on a Core
> i5 6th gen. It is also a 64-bit machine so -m64 is present, too. (When I am
> not building for distribution I build for the native machine.)

Seems like a common enough build that it shouldn't trigger any unusual code

curl_mime_init() calls Curl_rand_hex() to ask for 16 random hex characters (by
providing a 17 byte length so that it also has room for the zero trailer).

(Unfortunately, curl_mime_init() doesn't check the return code from
Curl_rand_hex(), which we should consider a bug and I intend to fix it.)

Curl_rand_hex() in turn calls Curl_rand() to get 16/2 == 8 random bytes.
Since your valgrind complaint is for 8 uninitialized bytes, it could be
an indication that this particular call fails and you don't get any random
bytes returned at all. Any chance you can figure out if that's true?

Received on 2018-07-26
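
The failure mode discussed in the mail above, as an added example that is not part of the original message and is not curl's code: a hex helper takes a 17 byte buffer, asks a fallible source for 8 random bytes, and the caller checks the return code rather than using a buffer that may never have been filled. The names rand_fn, rand_ok, rand_fail, rand_hex and make_id are hypothetical, and the two random sources are constructed stand-ins.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not curl's implementation. */
typedef int (*rand_fn)(unsigned char *out, size_t n);   /* 0 == success */

/* Constructed source: fixed bytes so the hex result is predictable. */
static int rand_ok(unsigned char *out, size_t n)
{
  for(size_t i = 0; i < n; i++)
    out[i] = (unsigned char)(0xA0 + i);
  return 0;
}

/* Constructed source: fails and writes nothing, as a broken RNG would. */
static int rand_fail(unsigned char *out, size_t n)
{
  (void)out; (void)n;
  return -1;
}

/* Write (len - 1) hex digits plus a zero terminator into 'hex'.
   len must be odd and >= 3: 17 -> 8 random bytes -> 16 digits. */
static int rand_hex(rand_fn src, char *hex, size_t len)
{
  static const char digits[] = "0123456789abcdef";
  unsigned char raw[64];
  size_t nbytes;

  if(!hex || len < 3 || !(len & 1) || (len - 1) / 2 > sizeof(raw))
    return -2;                 /* bad arguments */
  nbytes = (len - 1) / 2;
  if(src(raw, nbytes) != 0) {
    hex[0] = '\0';             /* never expose bytes from an unfilled buffer */
    return -1;
  }
  for(size_t i = 0; i < nbytes; i++) {
    hex[2 * i] = digits[raw[i] >> 4];
    hex[2 * i + 1] = digits[raw[i] & 0x0f];
  }
  hex[len - 1] = '\0';
  return 0;
}

/* Caller that checks the return code before using the result. */
static int make_id(rand_fn src, char *out, size_t outlen)
{
  char hex[17];                /* 16 hex digits + zero terminator */
  if(outlen < sizeof(hex) || rand_hex(src, hex, sizeof(hex)) != 0)
    return -1;                 /* propagate the failure to our caller */
  memcpy(out, hex, sizeof(hex));
  return 0;
}
```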