readpassphrase(3) buffer needs explicit_bzero(3) on error?

2022-09-28 Thread Alejandro Colomar

Hi,

I'd like to clarify if it's necessary to clear the buffer in the case 
that the function failed.  Most errors seem to be clearly triggered 
before the first byte is written to the buffer: EINVAL, EIO, EMFILE, 
ENFILE, ENOTTY.


But there is one, EINTR, for which it is not clear whether any data 
was written or not.  I think this should be clarified, for such a sensitive 
function.


Also, adding explicit_bzero(3) to SEE ALSO might be desirable.

Cheers,

Alex



Re: readpassphrase(3) buffer needs explicit_bzero(3) on error?

2022-09-28 Thread Todd C. Miller
On Wed, 28 Sep 2022 15:49:08 +0200, Alejandro Colomar wrote:

> I'd like to clarify if it's necessary to clear the buffer in the case
> that the function failed.  Most errors seem to be clearly triggered
> before the first byte is written to the buffer: EINVAL, EIO, EMFILE,
> ENFILE, ENOTTY.
> 
> But there is one, EINTR, for which it is not clear whether any data
> was written or not.  I think this should be clarified, for such a sensitive
> function.

There is no way to know whether or not any data was written to the
buffer before the signal was received.  It is safest to assume that
some data may have been written and use explicit_bzero() to clear
the buffer.

 - todd
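As an added illustration of the advice above (example code written for this page, not from the thread or from OpenBSD's readpassphrase(3)): a wrapper that wipes the whole buffer on every failure path, exercised against a constructed stand-in reader that writes part of a passphrase and then fails with EINTR. The reader function pointer, the secure_zero fallback and the sample passphrase are assumptions of the example; in real use readpassphrase itself is passed as the reader.

```c
#define _DEFAULT_SOURCE   /* exposes explicit_bzero() in glibc's <string.h> */
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Same signature as readpassphrase(3), declared in <readpassphrase.h> on
 * OpenBSD; in real use pass readpassphrase itself as the reader. */
typedef char *(*readpass_fn)(const char *prompt, char *buf, size_t bufsiz, int flags);

/* explicit_bzero(3) where available, volatile-store fallback elsewhere. */
static void secure_zero(void *p, size_t n)
{
#if defined(__OpenBSD__) || defined(__GLIBC__)
    explicit_bzero(p, n);
#else
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
#endif
}

/* On any failure, including EINTR, assume the buffer may already hold part
 * of the passphrase and wipe all of it; flags 0 is RPP_ECHO_OFF. */
static char *read_secret(readpass_fn reader, const char *prompt, char *buf, size_t bufsiz)
{
    char *ret = reader(prompt, buf, bufsiz, 0);
    if (ret == NULL) {
        int saved = errno;          /* keep the reader's errno for the caller */
        secure_zero(buf, bufsiz);
        errno = saved;
    }
    return ret;
}

/* Constructed stand-in for readpassphrase(3): copies part of a passphrase,
 * then fails with EINTR as if a signal arrived mid-read. */
static char *fake_interrupted_read(const char *prompt, char *buf, size_t bufsiz, int flags)
{
    static const char partial[] = "hunter";   /* constructed sample input */
    (void)prompt; (void)flags;
    if (bufsiz >= sizeof partial)
        memcpy(buf, partial, sizeof partial);
    errno = EINTR;
    return NULL;
}

/* 1 if every byte of buf is zero, else 0. */
static int all_zero(const char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= (unsigned char)buf[i];
    return acc == 0;
}
```

Calling the stand-in directly leaves "hunter" in the buffer after the EINTR failure; going through read_secret leaves it all zero.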