From 05dc6552ea0e8f0002d21ca36d7ff47d4c088bd7 Mon Sep 17 00:00:00 2001

From: Greg Hudson <ghudson@mit.edu>

Date: Sun, 30 Dec 2018 16:40:28 -0500

Subject: [PATCH] Address some optimized-out memset() calls

Ilja Van Sprundel reported a list of memset() calls which gcc

optimizes out.  In krb_auth_su.c, use zap() to clear the password, and

remove two memset() calls when there is no password to clear.  In

iakerb.c, remove an unnecessary memset() before setting the only two

fields of the IAKERB header structure.  In svr_principal.c, use

krb5_free_key_keyblock_contents() instead of hand-freeing key data.

In asn1_k_encode.c, remove an unnecessary memset() of the kdc_req_hack

shell before returning.

(cherry picked from commit 1057b0befec1f1c0e9d4da5521a58496e2dc0997)

(cherry picked from commit 1dfff7202448a950c9133cdfe43d650092d930fd)

(cherry picked from commit 54348bbfaec50bb72d1625c015f8e5c4cfa59e0d)

---

 src/clients/ksu/krb_auth_su.c      |  4 +---

 src/lib/gssapi/krb5/iakerb.c       |  1 -

 src/lib/kadm5/srv/svr_principal.c  | 10 ++--------

 src/lib/krb5/asn.1/asn1_k_encode.c |  1 -

 4 files changed, 3 insertions(+), 13 deletions(-)

diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c

index 7af48195c..e39685fff 100644

--- a/src/clients/ksu/krb_auth_su.c

+++ b/src/clients/ksu/krb_auth_su.c

@@ -183,21 +183,19 @@ krb5_boolean ksu_get_tgt_via_passwd(context, client, options, zero_password,

     if (code ) {

         com_err(prog_name, code, _("while reading password for '%s'\n"),

                 client_name);

-        memset(password, 0, sizeof(password));

         return (FALSE);

     }

     if ( pwsize == 0) {

         fprintf(stderr, _("No password given\n"));

         *zero_password = TRUE;

-        memset(password, 0, sizeof(password));

         return (FALSE);

     }

     code = krb5_get_init_creds_password(context, &creds, client, password,

                                         krb5_prompter_posix, NULL, 0, NULL,

                                         options);

-    memset(password, 0, sizeof(password));

+    zap(password, sizeof(password));

     if (code) {

diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c

index bb1072fe4..47c161ec9 100644

--- a/src/lib/gssapi/krb5/iakerb.c

+++ b/src/lib/gssapi/krb5/iakerb.c

@@ -262,7 +262,6 @@ iakerb_make_token(iakerb_ctx_id_t ctx,

     /*

      * Assemble the IAKERB-HEADER from the realm and cookie

      */

-    memset(&iah, 0, sizeof(iah));

     iah.target_realm = *realm;

     iah.cookie = cookie;

diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c

index 64a4a2e97..73733d371 100644

--- a/src/lib/kadm5/srv/svr_principal.c

+++ b/src/lib/kadm5/srv/svr_principal.c

@@ -2141,14 +2141,8 @@ static int decrypt_key_data(krb5_context context,

         ret = krb5_dbe_decrypt_key_data(context, NULL, &key_data[i], &keys[i],

                                         NULL);

         if (ret) {

-            for (; i >= 0; i--) {

-                if (keys[i].contents) {

-                    memset (keys[i].contents, 0, keys[i].length);

-                    free( keys[i].contents );

-                }

-            }

-

-            memset(keys, 0, n_key_data*sizeof(krb5_keyblock));

+            for (; i >= 0; i--)

+                krb5_free_keyblock_contents(context, &keys[i]);

             free(keys);

             return ret;

         }

diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c

index 889460989..c4f9aacdf 100644

--- a/src/lib/krb5/asn.1/asn1_k_encode.c

+++ b/src/lib/krb5/asn.1/asn1_k_encode.c

@@ -532,7 +532,6 @@ decode_kdc_req_body(const taginfo *t, const unsigned char *asn1, size_t len,

         if (ret) {

             free_kdc_req_body(b);

             free(h.server_realm.data);

-            memset(&h, 0, sizeof(h));

             return ret;

         }

         b->server->realm = h.server_realm;