[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-2199-gcc23f91

Jeremy Allison jra at samba.org
Fri Apr 25 14:43:37 GMT 2008

On Fri, Apr 25, 2008 at 11:36:40AM +0400, Alexander Bokovoy wrote:

> Here we have non-equal behavior. Previously, the mountpassword content
> was zeroed before freeing it due to security reasons. As

Ah. Looking more carefully I am right and you are wrong. There is no
security benefit in zeroing out the password here. It's before a free,
so just free it.

> mount_cifs_usage() could be called multiple times (its call is in the
> getopt_long()'s loop) and, particulary, after password has been filled
> in, mountpassword's memory could still keep the password. Thus, memset()
> is still needed.

So what if the discarded memory holds the password ? No one but root
has access to the memory space and root has access to the password

This is "voodoo" security - has no benefit.


More information about the samba-technical mailing list