From b54bce8e7b54c8700467fefcc74623fa50234046 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Sun, 30 Dec 2018 16:40:28 -0500 Subject: [PATCH] Address some optimized-out memset() calls Ilja Van Sprundel reported a list of memset() calls which gcc optimizes out. In krb_auth_su.c, use zap() to clear the password, and remove two memset() calls when there is no password to clear. In iakerb.c, remove an unnecessary memset() before setting the only two fields of the IAKERB header structure. In svr_principal.c, use krb5_free_key_keyblock_contents() instead of hand-freeing key data. In asn1_k_encode.c, remove an unnecessary memset() of the kdc_req_hack shell before returning. (cherry picked from commit 1057b0befec1f1c0e9d4da5521a58496e2dc0997) --- src/clients/ksu/krb_auth_su.c | 4 +--- src/lib/gssapi/krb5/iakerb.c | 1 - src/lib/kadm5/srv/svr_principal.c | 10 ++-------- src/lib/krb5/asn.1/asn1_k_encode.c | 1 - 4 files changed, 3 insertions(+), 13 deletions(-) diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c index 7af48195c..e39685fff 100644 --- a/src/clients/ksu/krb_auth_su.c +++ b/src/clients/ksu/krb_auth_su.c @@ -183,21 +183,19 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password, if (code ) { com_err(prog_name, code, _("while reading password for '%s'\n"), client_name); - memset(password, 0, sizeof(password)); return (FALSE); } if ( pwsize == 0) { fprintf(stderr, _("No password given\n")); *zero_password = TRUE; - memset(password, 0, sizeof(password)); return (FALSE); } code = krb5_get_init_creds_password(context, &creds, client, password, krb5_prompter_posix, NULL, 0, NULL, options); - memset(password, 0, sizeof(password)); + zap(password, sizeof(password)); if (code) { diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c index bb1072fe4..47c161ec9 100644 --- a/src/lib/gssapi/krb5/iakerb.c +++ b/src/lib/gssapi/krb5/iakerb.c @@ -262,7 +262,6 @@ iakerb_make_token(iakerb_ctx_id_t ctx, /* * Assemble the IAKERB-HEADER from the realm and cookie */ - memset(&iah, 0, sizeof(iah)); iah.target_realm = *realm; iah.cookie = cookie; diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index 21c53ece1..9ab2c5a74 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -2093,14 +2093,8 @@ static int decrypt_key_data(krb5_context context, ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &keys[i], NULL); if (ret) { - for (; i >= 0; i--) { - if (keys[i].contents) { - memset (keys[i].contents, 0, keys[i].length); - free( keys[i].contents ); - } - } - - memset(keys, 0, n_key_data*sizeof(krb5_keyblock)); + for (; i >= 0; i--) + krb5_free_keyblock_contents(context, &keys[i]); free(keys); return ret; } diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c index 65c84be2f..81a34bac9 100644 --- a/src/lib/krb5/asn.1/asn1_k_encode.c +++ b/src/lib/krb5/asn.1/asn1_k_encode.c @@ -528,7 +528,6 @@ decode_kdc_req_body(const taginfo *t, const uint8_t *asn1, size_t len, if (ret) { free_kdc_req_body(b); free(h.server_realm.data); - memset(&h, 0, sizeof(h)); return ret; } b->server->realm = h.server_realm;