From RISKS: secret scrubbing code removed by optimizers
Markus Friedl
markus at openbsd.org
Fri Nov 8 19:51:45 EST 2002
On Fri, Nov 08, 2002 at 09:34:59AM +1100, Darren Tucker wrote:
> This showed up in RISKS and no one has mentioned it here yet, so..
>
> OpenSSH contains lots of code like:
>
> char *password = read_passphrase(prompt, 0);
> [do stuff]
> memset(password, 0, strlen(password));
this is not a problem, because 'password' is not on the stack.
however, there are other cases when memset() is called for
automatic variables.
-m
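An added example, not code from OpenSSH or from either poster, showing the two cases the reply separates: a scrub of a heap buffer that outlives the call, and a scrub of an automatic variable right before it goes out of scope, where the final memset() is a dead store that an optimizer is entitled to remove. The `secure_zero` helper, the passphrase constant and the function names are constructed for this illustration; the helper calls memset() through a volatile function pointer so the compiler cannot prove the store is dead (OpenBSD's later explicit_bzero(3) is the library form of the same idea).

```c
#include <stdlib.h>
#include <string.h>

/* Constructed expected passphrase, used only so the check functions
 * below have something to compare against. */
#define EXPECTED_PASSPHRASE "correct horse battery staple"

/* Hypothetical helper: memset() reached through a volatile function
 * pointer. The compiler cannot know which function will be called at
 * run time, so it cannot treat the store as dead and drop it. */
static void *(*volatile keep_memset)(void *, int, size_t) = memset;

void secure_zero(void *buf, size_t len)
{
    keep_memset(buf, 0, len);
}

/* The risky pattern from the thread: 'buf' is an automatic variable and
 * the trailing memset() has no observable effect in the abstract machine,
 * so under optimization it may be deleted and the secret can stay in the
 * dead stack frame. Behaviour is otherwise correct, which is why the
 * problem is easy to miss in testing. */
int check_passphrase_naive(const char *input)
{
    char buf[64];
    int ok;

    strncpy(buf, input, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    ok = (strcmp(buf, EXPECTED_PASSPHRASE) == 0);
    memset(buf, 0, sizeof buf);     /* dead store: may be optimized away */
    return ok;
}

/* Same logic with a scrub the optimizer must keep. */
int check_passphrase_scrubbed(const char *input)
{
    char buf[64];
    int ok;

    strncpy(buf, input, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    ok = (strcmp(buf, EXPECTED_PASSPHRASE) == 0);
    secure_zero(buf, sizeof buf);   /* survives -O2 */
    return ok;
}

/* The heap case from the quoted message: the buffer outlives the scrub,
 * so later code can observe the zeroed bytes and the call is not dead.
 * Returns 1 when every byte was cleared. */
int scrub_heap_buffer_is_clean(void)
{
    size_t i, n = 32;
    char *secret = malloc(n);
    int clean = 1;

    if (secret == NULL)
        return 0;
    memset(secret, 'A', n);         /* constructed secret contents */
    secure_zero(secret, n);
    for (i = 0; i < n; i++)
        if (secret[i] != 0)
            clean = 0;
    free(secret);
    return clean;
}
```

Compile both check functions with `-O2 -S` and compare the generated assembly: the memset() in `check_passphrase_naive` is typically absent, while the call through `keep_memset` in `check_passphrase_scrubbed` remains. Reading the dead stack frame to "prove" the leak is undefined behaviour, so inspecting the compiler output is the reliable check.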