[PATCH] Wipe potentially sensitive stack memory.
Ben Kibbey
bjk at luxsci.net
Wed Jun 9 05:51:07 CEST 2021
* src/util.h: Move the wipememory macros here from cJSON.c so they can be shared.
* src/data.c (_gpgme_data_inbound_handler): Wipe buffer before return.
* src/engine-assuan.c (inquire_cb): Ditto.
Signed-off-by: Ben Kibbey <bjk at luxsci.net>
---
src/cJSON.c | 10 +---------
src/data.c | 2 ++
src/engine-assuan.c | 3 +++
src/util.h | 9 +++++++++
4 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/src/cJSON.c b/src/cJSON.c
index 7769b0eb..f73e25a3 100644
--- a/src/cJSON.c
+++ b/src/cJSON.c
@@ -49,6 +49,7 @@
#include <gpg-error.h>
#include "cJSON.h"
+#include "util.h"
/* Only use calloc. */
#define CALLOC_ONLY 1
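Review bot: The new `#include "util.h"` makes cJSON.c depend on a gpgme-private header, where before it was self-contained apart from `<gpg-error.h>` and `<gpgrt.h>`. If this file is kept in sync with a copy maintained elsewhere in the GnuPG family (I cannot confirm that from the hunk), the include and the removed local macro definition will have to be carried across on every resync, or the copy will fail to build. A one-line comment next to the include, `/* Provides wipememory; the local copy of the macro was moved to util.h. */`, would make the dependency intentional for whoever next diffs this file against its origin.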
@@ -56,15 +57,6 @@
/* Maximum recursion depth */
#define MAX_DEPTH 512
-/* To avoid that a compiler optimizes certain memset calls away, these
- macros may be used instead. */
-#define wipememory2(_ptr,_set,_len) do { \
- volatile char *_vptr=(volatile char *)(_ptr); \
- size_t _vlen=(_len); \
- while(_vlen) { *_vptr=(_set); _vptr++; _vlen--; } \
- } while(0)
-#define wipememory(_ptr,_len) wipememory2(_ptr,0,_len)
-
/* We use malloc function wrappers from gpgrt (aka libgpg-error). */
#include <gpgrt.h>
#define xtrycalloc(a,b) gpgrt_calloc ((a), (b))
diff --git a/src/data.c b/src/data.c
index 70595907..07e279a9 100644
--- a/src/data.c
+++ b/src/data.c
@@ -594,6 +594,8 @@ _gpgme_data_inbound_handler (void *opaque, int fd)
buflen -= amt;
}
while (buflen > 0);
+
+ wipememory (buffer, sizeof (buffer));
return TRACE_ERR (0);
}
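Review bot: The wipe is only reached on the fall-through success path; any earlier `return TRACE_ERR (err)` in `_gpgme_data_inbound_handler` (the function begins before this hunk, so I cannot see those exits) still returns with the read data left in `buffer`, which is precisely the case this patch sets out to cover. A read error after a partial fill is the most likely such path. Consider a single exit so every return passes the wipe, e.g. `leave: wipememory (buffer, sizeof (buffer)); return TRACE_ERR (err);` with the early returns turned into `goto leave` and `err = 0` set before the label. A short comment, `/* Scrub the stack buffer: it may have held passphrase or plaintext data. */`, would also record why this is done here.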
diff --git a/src/engine-assuan.c b/src/engine-assuan.c
index ab9d05a9..a8c65dca 100644
--- a/src/engine-assuan.c
+++ b/src/engine-assuan.c
@@ -467,6 +467,9 @@ inquire_cb (engine_llass_t llass, const char *keyword, const char *args)
if (err)
break;
}
+
+ wipememory(buf, sizeof(buf));
+
/* Tell the caller that we are finished with the data
* object. The error code from assuan_send_data has
* priority over the one from the cleanup function. */
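Review bot: The added call `wipememory(buf, sizeof(buf));` does not follow the GNU spacing used by the surrounding code and by the companion change in data.c; it should read `wipememory (buf, sizeof (buf));`. The `if (err) break;` visible above means the send-error path does reach the wipe, which is good, but any return placed before the loop in inquire_cb (the function starts outside this hunk) would bypass it, so the same single-exit treatment as in data.c is worth checking. A brief comment such as `/* Data read from the inquire response may be sensitive; scrub it. */` would explain the call to later readers.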
diff --git a/src/util.h b/src/util.h
index bc78c9b8..97bc1da2 100644
--- a/src/util.h
+++ b/src/util.h
@@ -41,6 +41,15 @@
#define DIM(v) (sizeof(v)/sizeof((v)[0]))
+
+/* To avoid that a compiler optimizes certain memset calls away, these
+ macros may be used instead. */
+#define wipememory2(_ptr,_set,_len) do { \
+ volatile char *_vptr=(volatile char *)(_ptr); \
+ size_t _vlen=(_len); \
+ while(_vlen) { *_vptr=(_set); _vptr++; _vlen--; } \
+ } while(0)
+#define wipememory(_ptr,_len) wipememory2(_ptr,0,_len)
/*-- {posix,w32}-util.c --*/
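Review bot: `wipememory2` evaluates its `_set` argument on every loop iteration (`*_vptr=(_set);`), so a side-effecting or non-trivial fill expression is evaluated `_len` times, unlike `_ptr` and `_len` which are captured once. Capture it once as well: add `char _vset=(char)(_set); \` after the `_vlen` line and change the store to `*_vptr=_vset;`. The header comment should also state the limits of this technique, since `volatile` stores only stop the compiler from dropping the writes: copies of the data that were spilled to other stack slots or registers, or that live in kernel or library buffers, are not cleared, and callers must still make sure every exit path reaches the wipe. Noting that this macro is the project-wide replacement for `memset` on secrets would help the next contributor reach for it instead of `memset`.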
--
2.30.2