Bug #68909 In my_MD5Final in mysys/md5.c, ctx is not properly zeroed as intended
Submitted: 9 Apr 2013 23:11 Modified: 17 Apr 2013 13:46
Reporter: Jeremy Cole (Basic Quality Contributor) (OCA) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Data Types Severity:S3 (Non-critical)
Version:5.5.29 OS:Any
Assigned to: CPU Architecture:Any

[9 Apr 2013 23:11] Jeremy Cole 
Description:
In the my_MD5Final function in mysys/md5.c, a ctx pointer is passed in:

   141  my_MD5Final (unsigned char digest[16], my_MD5Context *ctx) 

At the end of the function it is supposed to be zeroed out:

   179    memset(ctx, 0, sizeof(ctx));  /* In case it's sensitive */

However, since it's a pointer, "sizeof(ctx)" will return the size of the pointer and fail to scrub most of the data structure itself. 

How to repeat:
N/A

Suggested fix:
Instead of "sizeof(ctx)", it should call "sizeof(*ctx)" or "sizeof(my_MD5Context)".
[10 Apr 2013 6:40] MySQL Verification Team 
verified on 5.5
[10 Apr 2013 13:15] Nirbhay Choubey 
Good catch! Shouldn't exist on 5.6 + though.
[17 Apr 2013 13:46] Paul DuBois 
Noted in 5.5.32 changelog.

MD5() code did not properly initialize one of its data structures.
[24 Oct 2013 9:52] Laurynas Biveinis 
This is not fixed in 5.1, and causes a build error on some configs:

Ubuntu 13.10, GCC 4.8.1.

5.1$ bzr revno
4044
$ ./configure --with-debug
...
$ make
...
gcc -DDEFAULT_BASEDIR=\"/usr/local\" -DMYSQL_DATADIR="\"/usr/local/var\"" -DDEFAULT_CHARSET_HOME="\"/usr/local\"" -DSHAREDIR="\"/usr/local/share/mysql\"" -DDEFAULT_HOME_ENV=MYSQL_HOME -DDEFAULT_GROUP_SUFFIX_ENV=MYSQL_GROUP_SUFFIX -DDEFAULT_SYSCONFDIR="\"/usr/local/etc\"" -DHAVE_CONFIG_H -I. -I../include -I../include -I../include -I.   -Wall -Wextra -Wunused -Wwrite-strings -Wno-strict-aliasing -Werror -Wdeclaration-after-statement -g  -DSAFE_MUTEX -g -O2   -DUNIV_LINUX -DUNIV_LINUX -MT md5.o -MD -MP -MF .deps/md5.Tpo -c -o md5.o md5.c
md5.c: In function ‘my_MD5Final’:
md5.c:179:24: error: argument to ‘sizeof’ in ‘memset’ call is the same expression as the destination; did you mean to dereference it? [-Werror=sizeof-pointer-memaccess]
   memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */
                        ^
[28 Oct 2013 9:54] Laurynas Biveinis 
5.5$ bzr log -r 4321
------------------------------------------------------------
revno: 4321
committer: Tor Didriksen <tor.didriksen@oracle.com>
branch nick: 5.5
timestamp: Wed 2013-04-17 09:26:51 +0200
message:
  Bug#16626742 IN MY_MD5FINAL IN MYSYS/MD5.C, CTX IS NOT PROPERLY ZEROED AS INTENDED
  
  Zero out the entire struct, rather than the first sizeof(void*) bytes.