On Thu, 21 May 2015, Alan Cronin (alcronin) wrote:

I would like to fix this by setting the memory to zero before freeing it. I have two potential changes which can resolve this issue. One of them is to create a new Curl_safefree definition in memdebug.h which takes in a pointer to a memory location and a size, then overwriting the memory before zeroing. The other method is to create a custom allocator / deallocator in our application which will zero the memory itself, however we will need to store the size with the block of data we allocate to determine how much data to zero.

First, it could of course be done with a completely separate malloc replacement that always zeroes out data that is freed. That would come at the expense of clearing all freed memory and not just the sensitive ones - but it will also avoid the risk of missing a few sensitive areas. And you can also do it without changing a single line of libcurl code.

But is this really going to work? If you pass on a user name or password in one or more libcurl options, they must remain there so that the handle can be re-used for subsequent requests. Those areas won't be freed until you decide to close down the handle!

Assuming we think it can be done and that the first option isn't good enough, and you would proceed and do a "clearfree()" function for this purpose, my concerns with that approach are:

How would you make sure that you clear all the necessary memory blocks? It is very hard to test this, isn't it? It seems like a method that is just waiting for a future change to break it.

--

 / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
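The two approaches discussed in this thread, as an added example that is not part of the original messages or of libcurl's own code: a size-tracking allocator (`zalloc`/`zfree`, hypothetical names) that stores the block size in a header and wipes the block on free, which is the "custom allocator" option, next to a caller-supplied-size `clearfree()` in the spirit of the proposed `Curl_safefree` variant. The wipe goes through a `volatile` pointer so the compiler cannot drop a `memset` immediately before `free()` as a dead store, which is the usual way such clearing silently stops working. Neither variant addresses the point raised above about re-used handles: memory that is still referenced by a live handle is never freed and therefore never wiped by either path.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Header stored in front of each block so zfree() knows how much to wipe.
 * Padded to 16 bytes so the user pointer keeps malloc's alignment. */
typedef struct { size_t size; } zalloc_hdr;
#define ZALLOC_HDR_SIZE ((sizeof(zalloc_hdr) + 15u) & ~(size_t)15u)

/* Wipe through a volatile pointer: the stores cannot be optimised away. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

static int all_zero(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* Option 2 from the thread: allocator that remembers the size itself. */
void *zalloc(size_t n)
{
    unsigned char *raw = malloc(ZALLOC_HDR_SIZE + n);
    if (!raw)
        return NULL;
    ((zalloc_hdr *)raw)->size = n;
    return raw + ZALLOC_HDR_SIZE;
}

size_t zalloc_size(const void *p)
{
    if (!p)
        return 0;
    const unsigned char *raw = (const unsigned char *)p - ZALLOC_HDR_SIZE;
    return ((const zalloc_hdr *)raw)->size;
}

void zfree(void *p)
{
    if (!p)
        return;
    unsigned char *raw = (unsigned char *)p - ZALLOC_HDR_SIZE;
    secure_wipe(p, ((zalloc_hdr *)raw)->size);  /* user data */
    secure_wipe(raw, ZALLOC_HDR_SIZE);          /* header, too */
    free(raw);
}

/* Option 1 from the thread: clearfree()-style call with caller-supplied size,
 * usable with plain malloc'd blocks. Nulls the pointer like Curl_safefree. */
void clearfree(void **pp, size_t n)
{
    if (!pp || !*pp)
        return;
    secure_wipe(*pp, n);
    free(*pp);
    *pp = NULL;
}

/* Demo/test helpers: observe the wipe before the block is handed back. */
size_t demo_tracked_size(size_t n)
{
    void *p = zalloc(n);
    size_t seen = zalloc_size(p);
    zfree(p);
    return seen;
}

int demo_zeroed_before_free(const char *secret)
{
    size_t n = strlen(secret) + 1;
    unsigned char *p = zalloc(n);
    if (!p)
        return 0;
    memcpy(p, secret, n);
    secure_wipe(p, zalloc_size(p));      /* same wipe zfree() performs */
    int ok = all_zero(p, n);             /* checked while still allocated */
    zfree(p);
    return ok;
}

int demo_clearfree_nulls_pointer(void)
{
    void *p = malloc(32);
    if (!p)
        return 0;
    memset(p, 'x', 32);                  /* constructed sample "secret" */
    clearfree(&p, 32);
    return p == NULL;
}

int main(void)
{
    printf("tracked size: %zu\n", demo_tracked_size(40));
    printf("wiped before free: %d\n", demo_zeroed_before_free("hunter2"));
    printf("clearfree nulled pointer: %d\n", demo_clearfree_nulls_pointer());
    return 0;
}
```

The header-based variant is what a drop-in malloc replacement would do for every block, which matches the trade-off described above: nothing sensitive is missed, at the cost of wiping everything. The `clearfree` variant only helps where every call site remembers to use it, which is exactly the maintenance concern raised at the end of the reply.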
