memset suggestion.

Rick Jones raj at tardy.cup.hp.com
Sat Nov 9 06:02:37 EST 2002


> > Can you enlighten us why it is bad?  I'm not a compiler guru...
>
> Everyone uses memset() to clear in-memory passwords so people can't go
> digging around in /dev/kmem.  If memset() is optimized out then the
> password still sticks around in memory until it is reallocated and reused.
> 
> But this is only half of the issue.  It could still be in registers or in
> the stack.  Which memset() does not solve.  
 
Which is why the optimization is not "bad" but perhaps "unfortunate"
instead. Within the context of the output of the program, optimizing
the memset away is fine.
 
It seems that the real problem here (?) is an operating environment
that allows access to others to the stack/heap/registers/whatever.
 
> Personally everyone I see that compiles software at greater than -O2
> I tend to LART them over the head with either the bat book or 'hack
> proofing your network'.  That seems to get their attention to
> explain why higher levels of -O may not be what they want (mainly
> when they come whining about their code not working..<sigh>).
 
Of course, then when they do compile at only O2, they start to complain
about the performance of the application... Now whether or not the app
not working at higher optimization levels is a bug in the app or a bug
in the optimizer is another discussion...
 
rick jones
quixotic booster of profile-based optimization and higher levels :)
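
The dead-store case discussed in this thread, as an added example that is not part of the original message or of OpenSSH: a wipe routed through a volatile function pointer, which the compiler cannot remove the way it can a plain memset() on a buffer that is never read again. The names secure_wipe, login_wiped, check_password and count_nonzero, and the sample password, are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* memset reached through a volatile function pointer: the pointer must be
 * loaded at run time, so the compiler cannot treat the call as a dead store. */
static void *(*const volatile memset_v)(void *, int, size_t) = memset;

void secure_wipe(void *buf, size_t len)
{
    memset_v(buf, 0, len);
}

/* Hypothetical stand-in for a real credential check (constructed value). */
static int check_password(const char *pw)
{
    return strcmp(pw, "constructed-sample") == 0;
}

/* Copies the input to a local buffer, checks it, then wipes the copy.
 * A plain memset(pw, 0, sizeof pw) at the marked line is the call an
 * optimizer may delete, because pw is never read again before return. */
int login_wiped(const char *input)
{
    char pw[64];
    size_t n = strlen(input);
    int ok;

    if (n >= sizeof pw)
        return 0;                 /* too long for the buffer: reject */
    memcpy(pw, input, n + 1);
    ok = check_password(pw);
    secure_wipe(pw, sizeof pw);   /* marked line: not removable as a dead store */
    return ok;
}

/* Counts bytes that are still nonzero, to check a wipe on a live buffer. */
size_t count_nonzero(const unsigned char *p, size_t len)
{
    size_t i, left = 0;

    for (i = 0; i < len; i++)
        left += (p[i] != 0);
    return left;
}
```

This clears only the named buffer; copies left in registers or elsewhere on the stack, the second half of the issue raised in the quoted text, are not touched by it.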



More information about the openssh-unix-dev mailing list