[PATCH] Wipe potentially sensitive stack memory.

Ben Kibbey bjk at luxsci.net
Wed Jun 9 05:51:07 CEST 2021


* src/util.h: Add wipememory macro from cJSON.c.
* src/data.c (_gpgme_data_inbound_handler): Wipe buffer before return.
* src/engine-assuan.c (inquire_cb): Ditto.

Signed-off-by: Ben Kibbey <bjk at luxsci.net>
---
 src/cJSON.c         | 10 +---------
 src/data.c          |  2 ++
 src/engine-assuan.c |  3 +++
 src/util.h          |  9 +++++++++
 4 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/src/cJSON.c b/src/cJSON.c
index 7769b0eb..f73e25a3 100644
--- a/src/cJSON.c
+++ b/src/cJSON.c
@@ -49,6 +49,7 @@
 #include <gpg-error.h>
 
 #include "cJSON.h"
+#include "util.h"
 
 /* Only use calloc. */
 #define CALLOC_ONLY 1
@@ -56,15 +57,6 @@
 /* Maximum recursion depth */
 #define MAX_DEPTH 512
 
-/* To avoid that a compiler optimizes certain memset calls away, these
-   macros may be used instead. */
-#define wipememory2(_ptr,_set,_len) do { \
-        volatile char *_vptr=(volatile char *)(_ptr); \
-        size_t _vlen=(_len); \
-        while(_vlen) { *_vptr=(_set); _vptr++; _vlen--; } \
-    } while(0)
-#define wipememory(_ptr,_len) wipememory2(_ptr,0,_len)
-
 /* We use malloc function wrappers from gpgrt (aka libgpg-error).  */
 #include <gpgrt.h>
 #define xtrycalloc(a,b) gpgrt_calloc ((a), (b))
diff --git a/src/data.c b/src/data.c
index 70595907..07e279a9 100644
--- a/src/data.c
+++ b/src/data.c
@@ -594,6 +594,8 @@ _gpgme_data_inbound_handler (void *opaque, int fd)
       buflen -= amt;
     }
   while (buflen > 0);
+
+  wipememory (buffer, sizeof (buffer));
   return TRACE_ERR (0);
 }
 
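Review bot: The new `wipememory (buffer, sizeof (buffer));` runs only on the success path that reaches `return TRACE_ERR (0)`; the do/while loop above it, whose body starts outside this hunk, appears to be a read/write loop, and if it returns early on an I/O error those paths leave `buffer` unwiped. If such early returns exist, routing them through a single exit that performs the wipe, or wiping before each of them, would make the guarantee hold for every path out of `_gpgme_data_inbound_handler`. The `sizeof (buffer)` argument also presumes `buffer` is a fixed-size array in this scope rather than a pointer; that matches the commit's "stack memory" wording but is not visible in the hunk. On style, this hunk writes `wipememory (buffer, sizeof (buffer))` in the file's GNU spacing while the same macro in engine-assuan.c is written `wipememory(buf, sizeof(buf))`; one form across the series reads better.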
diff --git a/src/engine-assuan.c b/src/engine-assuan.c
index ab9d05a9..a8c65dca 100644
--- a/src/engine-assuan.c
+++ b/src/engine-assuan.c
@@ -467,6 +467,9 @@ inquire_cb (engine_llass_t llass, const char *keyword, const char *args)
               if (err)
                 break;
             }
+
+          wipememory(buf, sizeof(buf));
+
           /* Tell the caller that we are finished with the data
            * object.  The error code from assuan_send_data has
            * priority over the one from the cleanup function. */
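Review bot: The wipe of `buf` sits inside a nested block after the inner `for`/`while`, so it is reached both on normal completion and via the `if (err) break;` above it, which covers the send-failure case; any `goto` or `return` taken earlier in the enclosing block (inquire_cb begins and ends outside this hunk) would still bypass it, and a wipe at the function's common cleanup path would be the more robust placement if one exists. As with data.c, `sizeof(buf)` assumes `buf` is an array declared in this scope, which the hunk does not show. The call is written `wipememory(buf, sizeof(buf));` while the surrounding code and the data.c hunk use GNU spacing (`assuan_send_data (...)`), so `wipememory (buf, sizeof (buf));` would match the file.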
diff --git a/src/util.h b/src/util.h
index bc78c9b8..97bc1da2 100644
--- a/src/util.h
+++ b/src/util.h
@@ -41,6 +41,15 @@
 
 #define DIM(v) (sizeof(v)/sizeof((v)[0]))
 
+
+/* To avoid that a compiler optimizes certain memset calls away, these
+   macros may be used instead. */
+#define wipememory2(_ptr,_set,_len) do { \
+        volatile char *_vptr=(volatile char *)(_ptr); \
+        size_t _vlen=(_len); \
+        while(_vlen) { *_vptr=(_set); _vptr++; _vlen--; } \
+    } while(0)
+#define wipememory(_ptr,_len) wipememory2(_ptr,0,_len)
 
 
 /*-- {posix,w32}-util.c --*/
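Review bot: In `wipememory2` the `_set` argument is re-evaluated on every iteration of the `while` loop, so an argument with side effects or a non-trivial expression is evaluated once per byte; binding it once, `volatile char _vset = (_set);` alongside `_vptr`, and storing with `*_vptr = _vset;` removes that hazard without changing the generated stores. The comment moved from cJSON.c could also state what the macro does and does not guarantee: volatile stores keep the compiler from eliding the writes to the named object, but they do not clear copies the compiler may hold in registers or spill slots, and they are not a substitute for `explicit_bzero`/`memset_s` where configure detects one. Minor layout point: the hunk adds a blank line before the comment on top of the existing one after `DIM`, leaving three consecutive blank lines before `/*-- {posix,w32}-util.c --*/`; one would match the rest of the header.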
-- 
2.30.2



