From RISKS: secret scrubbing code removed by optimizers

Markus Friedl markus at openbsd.org
Fri Nov 8 19:51:45 EST 2002


On Fri, Nov 08, 2002 at 09:34:59AM +1100, Darren Tucker wrote:
> This showed up in RISKS and no one has mentioned it here yet, so..
> 
> OpenSSH contains lots of code like:
> 
> char *password = read_passphrase(prompt, 0);
> [do stuff]
> memset(password, 0, strlen(password));

this is not a problem, because 'password' is not on the stack.

however, there are other cases when memset() is called for
automatic variables.

-m



More information about the openssh-unix-dev mailing list