[PATCH] memset_s() and talloc_set_secure()

Stefan Metzmacher metze at samba.org
Thu Oct 11 11:15:17 UTC 2018


On 11.10.2018 at 13:07, Andrew Bartlett via samba-technical wrote:
> On Thu, 2018-10-11 at 12:17 +0200, Andreas Schneider via samba-
> technical wrote:
>> Hello,
>>
>> the attached patch adds memset_s() [1] and talloc_set_secure(). It will make 
>> sure that memory is zeroed/erased before freeing to not keep secrets around.
> 
> Stepping back a moment, how do you handle talloc_realloc()?
> 
> That either needs to be banned or handled to ensure the old memory is
> wiped after a memcpy() to new memory (with performance loss). 
> 
> (And that will all need tests).
> 
> Sorry this is turning into a can of worms, but if we do this we need to
> do it completely. 

Yes, I also discussed privately with Andreas that we need to make sure
talloc_report() doesn't leak the content.

The current idea is:

#define talloc_keep_secret(ptr) _talloc_keep_secret(ptr, #ptr)
void _talloc_keep_secret(const void *ptr, const char *name);

Though I may prefer to pass the name explicitly.
I guess talloc_asprintf_append* also needs special handling.
We need to decide what to do with talloc_strdup() and even more complex
talloc_asprintf(..., "%s", secret_talloc_string).
Do we force the caller to reuse talloc_keep_secret(), or do we want to
somehow inherit the secret state?

metze
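One way to implement the "handled" option for realloc that Andrew raises above (copy, wipe the old block, then free), as an added example that is not Samba's or talloc's code: secure_wipe() and secure_realloc() are hypothetical names, and the wipe uses a volatile store loop in place of memset_s().

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Constructed example: a wipe the optimizer cannot drop. memset() right
 * before free() is a dead store that compilers routinely remove; writing
 * through a volatile pointer is the portable fallback to memset_s(). */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n-- > 0)
        *vp++ = 0;
}

/* Hypothetical secure_realloc(): the "handled" option from the thread.
 * Copy into a fresh block, wipe the old one, then free it, so the secret
 * does not linger in the freed chunk. old_len = bytes holding secrets. */
static void *secure_realloc(void *old, size_t old_len, size_t new_len)
{
    void *fresh = malloc(new_len);
    if (fresh == NULL)
        return NULL; /* old is untouched and still owned by the caller */
    memcpy(fresh, old, old_len < new_len ? old_len : new_len);
    secure_wipe(old, old_len);
    free(old);
    return fresh;
}

/* Returns 1 if secure_wipe() leaves no byte of a filled buffer behind. */
int check_wipe(void)
{
    unsigned char buf[32];
    memset(buf, 0xA5, sizeof(buf));
    secure_wipe(buf, sizeof(buf));
    for (size_t i = 0; i < sizeof(buf); i++)
        if (buf[i] != 0) return 0;
    return 1;
}

/* Returns 1 if growing a constructed "secret" keeps its contents intact. */
int check_realloc(void)
{
    const char secret[] = "constructed-secret"; /* sample data, not real */
    char *p = malloc(sizeof(secret));
    if (p == NULL) return 0;
    memcpy(p, secret, sizeof(secret));
    p = secure_realloc(p, sizeof(secret), 2 * sizeof(secret));
    int ok = p != NULL && memcmp(p, secret, sizeof(secret)) == 0;
    free(p);
    return ok;
}
```

The same wipe-then-free step is what a talloc destructor for a "secret" chunk would have to do, and talloc_report() would additionally have to skip printing such chunks' contents.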
