Re: libcurl leaks information in freed memory

From: Daniel Stenberg via curl-library
Date: Thu, 18 Oct 2018 16:00:10 +0200 (CEST)

On Wed, 17 Oct 2018, Gabriel Zachmann wrote:

>> This, plus zeroing buffers is really hard.
> I understand that this is not quite easy. However, while we won't find an
> optimal solution, I think we can do better. Zeroing memory might not succeed
> in all cases and there might be still some parts left on the stack,
> register, etc. But I think we can still memset most and it will be much
> harder to get sensitive information.

Any suggestion on how to do this and make sure the compiler doesn't remove the
memset() ?

Also, are you suggesting we clear the memory for all frees? If yes, then we
need to keep track of the sizes somehow and if no, then we need to figure out
which ones and deal with them appropriately.

Can we come up with a way to measure this if we are doing this right or not?

Received on 2018-10-18
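
One way to approach the three questions in the message above (keeping the compiler from dropping the memset(), tracking sizes, and measuring the result), as an added example that is not code from this thread or from libcurl. The names sens_malloc(), sens_free() and leak_after_free() are hypothetical, and the counter inside sens_free() is a debug-only measurement hook.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Calling memset() through a volatile function pointer stops the compiler
   from treating the wipe of a soon-to-be-freed buffer as a dead store. */
static void *(*const volatile wipe_fn)(void *, int, size_t) = memset;

/* Size header kept in front of each tracked allocation (hypothetical);
   the extra members only force worst-case alignment of the payload. */
union hdr { size_t size; long double ld; long long ll; void *ptr; };
static size_t leaked;    /* nonzero bytes seen at release time */
static int do_wipe = 1;  /* test switch: 0 mimics a plain free() */

void *sens_malloc(size_t n)
{
  union hdr *h = n > SIZE_MAX - sizeof(*h) ? NULL : malloc(sizeof(*h) + n);
  if(!h)
    return NULL;
  h->size = n;
  return h + 1;
}

void sens_free(void *p)
{
  const unsigned char *b = p;
  union hdr *h;
  size_t i;
  if(!p)
    return;
  h = (union hdr *)p - 1;
  if(do_wipe)
    wipe_fn(p, 0, h->size);
  /* Measurement hook: inspect the payload just before it is released. */
  for(i = 0; i < h->size; i++)
    leaked += (b[i] != 0);
  free(h);
}

/* Fill a buffer with a constructed secret, free it, report what was left. */
size_t leak_after_free(int wipe)
{
  char *s = sens_malloc(32);
  if(!s)
    return (size_t)-1;
  memset(s, 'S', 32);
  leaked = 0; do_wipe = wipe;
  sens_free(s);
  return leaked;
}
```

The header approach only covers allocations made through the wrapper, so it answers the "which ones" question by opt-in rather than by clearing every free.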