cURL / Mailing Lists / curl-library / Single Mail


Uninitialized variable in http_ntlm.c

From: Michael Mueller <>
Date: Tue, 19 Jul 2011 13:38:28 -0700

Hi all,

Sentry (our static analysis tool) found an uninitialized variable bug
in libcurl last night. In the function CURLcode sso_ntlm_initiate,
the code in question (introduced in commit a6d4807):

     const char *ntlm_auth;
     #ifdef DEBUGBUILD
 --> if(!ntlm_auth)
       ntlm_auth = NTLM_AUTH;

Here ntlm_auth is only initialized if the DEBUGBUILD macro is defined,
otherwise it will be used uninitialized in the 'if' statement that
follows. This could result in undefined behavior if ntlm_auth when
eventually dereferenced.

Suggested fix:
   - const char *ntlm_auth;
   + const char *ntlm_auth = NULL;


Mike Mueller
Phone: (401) 405-1525
Software Analysis for C and C++
List admin:
Received on 2011-07-19