https://bz.apache.org/bugzilla/show_bug.cgi?id=58921

            Bug ID: 58921
           Summary: Compiler removal of code to clear password buffer
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
          Assignee: [email protected]
          Reporter: [email protected]

The compiler may remove the memset call as an optimization (when the -O3
argument is used) in this piece of code:

File: support/passwd_common.c

int get_password(struct passwd_ctx *ctx)
{
...
if (apr_password_get("New password: ", buf, &bufsize) != 0)
   goto err_too_long;
...
memset(buf, '\0', sizeof(buf));
....
}

GitHub link:
https://github.com/apache/httpd/blob/trunk/support/passwd_common.c#L165

If the file is compiled with the -O3 argument and we then run the command

objdump -dr passwd_common.o

the listing will not contain that memset function call.
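
Added example, not part of the original report and not httpd or APR code: one way to clear the buffer so the stores survive optimization, using writes through a volatile pointer. The names secure_clear, all_zero, fake_password_get and password_len_hardened are hypothetical, and the sample password is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not httpd/APR code): stores through a volatile lvalue
 * are side effects the optimizer has to keep, unlike a dead memset(). */
static void secure_clear(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 if all n bytes at p are zero, 0 otherwise. */
static int all_zero(const void *p, size_t n)
{
    const unsigned char *b = (const unsigned char *)p;
    while (n--)
        if (*b++ != 0)
            return 0;
    return 1;
}

/* Assumed stand-in for apr_password_get(): copies a constructed sample. */
static int fake_password_get(char *buf, size_t *bufsize)
{
    static const char sample[] = "constructed-sample-pw";
    if (sizeof(sample) > *bufsize)
        return -1;
    memcpy(buf, sample, sizeof(sample));
    return 0;
}

/* Same shape as get_password(): buf is not read after the clear. Returns the
 * password length so the caller has a result that does not expose buf. */
static size_t password_len_hardened(void)
{
    char buf[64];
    size_t bufsize = sizeof(buf);
    size_t len = 0;
    if (fake_password_get(buf, &bufsize) == 0)
        len = strlen(buf);
    secure_clear(buf, sizeof(buf)); /* memset() here could be elided at -O3 */
    return len;
}

int main(void) { printf("len=%zu\n", password_len_hardened()); return 0; }
```

Where the platform provides them, explicit_bzero() or memset_s() do the same job. Repeating the objdump check from the report on the compiled object is the way to confirm the clearing stores are still present.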
