
Re: Erasing Memory Before Freeing

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 21 May 2015 12:41:02 +0200 (CEST)

On Thu, 21 May 2015, Alan Cronin (alcronin) wrote:

> I would like to fix this by setting the memory to zero before freeing it. I
> have two potential changes which can resolve this issue. One of them is to
> create a new Curl_safefree definition in memdebug.h which takes in a pointer
> to a memory location and a size, then overwriting the memory before zeroing.
> The other method is to create a custom allocator / deallocator in our
> application which will zero the memory itself, however we will need to store
> the size with the block of data we allocate to determine how much data to
> zero.

First, it could of course be done with a completely separate malloc
replacement that always zeroes out data that is freed. That would come at the
expense of clearing all freed memory and not just the sensitive ones - but it
will also avoid the risk of missing a few sensitive areas. And you can also do
it without changing a single line of libcurl code.

But is this really going to work? If you pass on a user name or password in
one or more libcurl options, they must remain there so that the handle can be
re-used for subsequent requests. Those areas won't be freed until you decide
to close down the handle!

Assuming we think it can be done and that the first option isn't good enough,
and you would proceed and do a "clearfree()" function for this purpose, my
concerns with that approach are:

How would you make sure that you clear all the necessary memory blocks? It is
very hard to test this, isn't it? It seems like a method that is just waiting
for a future change to break it.

-- 
  / daniel.haxx.se
Received on 2015-05-21
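The two approaches discussed above side by side, as an added example that is not part of the original thread and not libcurl code: a `clearfree()` that takes the size from the caller (Alan's first option), a `secure_malloc()`/`secure_free()` pair that records the size in a hidden header so the free can zero without it (his second option), and a toy `struct handle` that keeps a credential across requests to illustrate Daniel's point that such memory is not released until the handle is closed. All names here are hypothetical, and the credential strings are constructed sample data. Zeroing goes through a volatile function pointer so the compiler cannot discard the stores as dead before `free()`; `memset_s()` or `explicit_bzero()` serve the same purpose where available.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* memset() reached through a volatile function pointer: the compiler cannot
 * see which function is called, so it cannot drop the stores as dead the way
 * it may with a plain memset() immediately followed by free(). */
static void *(*const volatile secure_memset_fn)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n)
{
    if (p && n)
        secure_memset_fn(p, 0, n);
}

/* Option one from the thread: the caller knows the size and passes it. */
void clearfree(void *p, size_t n)
{
    secure_zero(p, n);
    free(p);
}

/* Option two: an allocator that records the size in a hidden header so the
 * matching free can zero the block without help from the caller. The union
 * keeps the payload aligned for any object type. */
union sec_hdr {
    size_t size;
    max_align_t align;
};

void *secure_malloc(size_t n)
{
    union sec_hdr *h = malloc(sizeof *h + n);
    if (!h)
        return NULL;
    h->size = n;
    return h + 1;
}

size_t secure_size(const void *p)
{
    return p ? ((const union sec_hdr *)p - 1)->size : 0;
}

void secure_free(void *p)
{
    if (!p)
        return;
    union sec_hdr *h = (union sec_hdr *)p - 1;
    secure_zero(h, sizeof *h + h->size); /* header and payload */
    free(h);
}

char *secure_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = secure_malloc(n);
    if (copy)
        memcpy(copy, s, n);
    return copy;
}

/* Hypothetical stand-in for a reusable handle: the credential set through an
 * option must survive across requests, so it is only cleared when replaced
 * or when the handle is closed, which is the re-use caveat from the thread. */
struct handle {
    char *userpwd;
};

int handle_set_userpwd(struct handle *h, const char *userpwd)
{
    char *copy = secure_strdup(userpwd);
    if (!copy)
        return -1;
    secure_free(h->userpwd); /* previous secret is zeroed before release */
    h->userpwd = copy;
    return 0;
}

/* One request: the credential is still needed afterwards, so it is untouched. */
const char *handle_perform(const struct handle *h)
{
    return h->userpwd;
}

void handle_cleanup(struct handle *h)
{
    secure_free(h->userpwd);
    h->userpwd = NULL;
}

/* Returns 1 if secure_zero() leaves no nonzero byte in a block filled from
 * 'secret', checked while the block is still owned, then releases it. */
int zeroes_before_release(const char *secret)
{
    size_t n = strlen(secret) + 1;
    char *buf = malloc(n);
    if (!buf)
        return -1;
    memcpy(buf, secret, n);
    secure_zero(buf, n);
    int clean = 1;
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0)
            clean = 0;
    clearfree(buf, n);
    return clean;
}

/* Returns 1 when the credential survives two requests, is replaced cleanly,
 * and is gone after cleanup. Credentials are constructed sample values. */
int demo_handle_lifecycle(void)
{
    struct handle h = { NULL };
    if (handle_set_userpwd(&h, "alice:s3cret") != 0) return 0;
    if (strcmp(handle_perform(&h), "alice:s3cret") != 0) return 0;
    if (strcmp(handle_perform(&h), "alice:s3cret") != 0) return 0; /* request 2 */
    if (handle_set_userpwd(&h, "bob:hunter2") != 0) return 0;
    if (strcmp(handle_perform(&h), "bob:hunter2") != 0) return 0;
    handle_cleanup(&h);
    return h.userpwd == NULL;
}

int main(void)
{
    printf("zeroed before release: %d\n", zeroes_before_release("topsecret"));
    printf("handle lifecycle ok:   %d\n", demo_handle_lifecycle());
    return 0;
}
```

Note what the example does not solve: `handle_perform()` hands back the live credential because the next request needs it, so between requests the secret sits in memory exactly as Daniel describes, and only `handle_cleanup()` removes it. The header-based allocator also only covers blocks obtained from `secure_malloc()`; any sensitive copy made with plain `malloc()` or `strdup()` elsewhere is missed, which is the testing difficulty he raises.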