curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: libcurl leaks information in freed memory

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 18 Oct 2018 16:00:10 +0200 (CEST)

On Wed, 17 Oct 2018, Gabriel Zachmann wrote:

>> This, plus zeroing buffers is really hard.
>
> I understand that this is not quite easy. However, while we won't find an
> optimal solution, I think we can do better. Zeroing memory might not succeed
> in all cases and there might be still some parts left on the stack,
> register, etc. But I think we can still memsetting most and it will be much
> harder to get sensitive information.

Any suggestion on how to do this and make sure the compiler doesn't remove the
memset() ?

Also, are you suggesting we clear the memory for all frees? If yes, then we
need to keep track of the sizes somehow and if no, then we need to figure out
which ones and deal with the appropriately.

Can we come up with a way to measure this if we are doing this right or not?

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html

Received on 2018-10-18

This message: [ Message body ]
Next message: Duane Ellis via curl-library: "BUG / PROBLEM libcurl3 vrs libcurl4 - Ubuntu 18 64bit."
Previous message: Aleksandar Lazic via curl-library: "Re: Using multi-socket facility with epoll"
In reply to: Gabriel Zachmann via curl-library: "libcurl leaks information in freed memory"
Next in thread: Gabriel Zachmann via curl-library: "Re: libcurl leaks information in freed memory"
Reply: Gabriel Zachmann via curl-library: "Re: libcurl leaks information in freed memory"
Reply: Kamil Dudka via curl-library: "Re: libcurl leaks information in freed memory"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]