From RISKS: secret scrubbing code removed by optimizers

Markus Friedl markus at
Fri Nov 8 19:51:45 EST 2002

On Fri, Nov 08, 2002 at 09:34:59AM +1100, Darren Tucker wrote:
> This showed up in RISKS and no one has mentioned it here yet, so..
> OpenSSH contains lots of code like:
> char *password = read_passphrase(prompt, 0);
> [do stuff]
> memset(password, 0, strlen(password));

this is not a problem, because 'password' is not on the stack.

however, there are other cases when memset() is called for
automatic variables.
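The distinction Markus draws above (a heap buffer returned by read_passphrase() versus an automatic variable that is dead after the function returns) is what dead-store elimination keys on: a plain memset() on a local that is never read again may be dropped. Below is an added example, not OpenSSH code and not from this thread, showing the usual portable countermeasure, a zeroing loop through a volatile pointer; the function names, the byte-sum "do stuff" stand-in and the "hunter2" input are constructed for illustration. Where the platform provides them, explicit_bzero() (OpenBSD, glibc) or memset_s() (C11 Annex K) serve the same purpose.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Zero a buffer through a volatile pointer. Each store is an observable
 * side effect to the compiler, so it cannot be removed as a dead store the
 * way a plain memset() on a never-again-read local can be.
 * (Hypothetical helper; prefer explicit_bzero()/memset_s() where available.) */
void secure_memzero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. */
int is_all_zero(const unsigned char *buf, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Heap case from the quoted snippet: wipe, then free. Wiping before free()
 * matters because the allocator may hand the same bytes out again. */
void wipe_and_free(char *secret) {
    if (secret == NULL) return;
    secure_memzero(secret, strlen(secret));
    free(secret);
}

/* Automatic-variable case: copy the passphrase into a stack buffer, derive
 * something from it (constructed stand-in: a byte sum), then wipe the copy
 * before returning. A plain memset(copy, 0, sizeof copy) here is exactly
 * the store an optimizer may delete, since 'copy' dies on return. */
unsigned use_passphrase_copy(const char *pw) {
    char copy[64];
    size_t len = strlen(pw);
    if (len >= sizeof copy) {
        return 0; /* hypothetical policy: reject overlong input */
    }
    memcpy(copy, pw, len + 1);

    unsigned sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum += (unsigned char)copy[i];
    }

    secure_memzero(copy, sizeof copy); /* survives optimization */
    return sum;
}
```

Compiling with optimization enabled and inspecting the generated assembly for use_passphrase_copy() is the practical check: the volatile stores remain, whereas a plain memset() on the same buffer is frequently absent.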
