[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Cvs-dev] bugfix to previous coverity cid-3404 patch
|
From: |
Mark D. Baushke |
|
Subject: |
[Cvs-dev] bugfix to previous coverity cid-3404 patch |
|
Date: |
Wed, 26 Jul 2006 03:27:02 -0700 |
Hi Christos,
I don't know if you care that the login.c code still 'leaks' the
static cvs_password string or not. If you do, then you may wish
to use the following patch.
I didn't include the xstrdup (cvs_password) that you committed in the
NetBSD get_cvs_password(), as I didn't think it was really needed.
Anyway, here is the NetBSD adapted patch of the change I added to cvs
STABLE and FEATURE sources. Feel free to adopt it or not as you wish. It
will be part of the cvs 1.11.23 and cvs 1.12.14 releases as they become
available.
Enjoy!
-- Mark
Index: client.c
===================================================================
RCS file: /cvsroot/src/gnu/dist/xcvs/src/client.c,v
retrieving revision 1.9
diff -u -p -r1.9 client.c
--- client.c 24 Jul 2006 18:11:19 -0000 1.9
+++ client.c 26 Jul 2006 10:10:30 -0000
@@ -3935,9 +3935,8 @@ auth_server (root, lto_server, lfrom_ser
send_to_server(end, 0);
send_to_server("\012", 1);
- /* Paranoia. */
- memset (password, 0, strlen (password));
- free (password);
+ free_cvs_password (password);
+ password = NULL;
# else /* ! AUTH_CLIENT_SUPPORT */
error (1, 0, "INTERNAL ERROR: This client does not support pserver
authentication");
# endif /* AUTH_CLIENT_SUPPORT */
Index: cvs.h
===================================================================
RCS file: /cvsroot/src/gnu/dist/xcvs/src/cvs.h,v
retrieving revision 1.3
diff -u -p -r1.3 cvs.h
--- cvs.h 23 Jun 2006 22:44:11 -0000 1.3
+++ cvs.h 26 Jul 2006 10:10:30 -0000
@@ -927,6 +927,7 @@ char *descramble PROTO ((char *str));
#ifdef AUTH_CLIENT_SUPPORT
char *get_cvs_password PROTO((void));
+void free_cvs_password PROTO((char *str));
int get_cvs_port_number PROTO((const cvsroot_t *root));
char *normalize_cvsroot PROTO((const cvsroot_t *root));
#endif /* AUTH_CLIENT_SUPPORT */
Index: login.c
===================================================================
RCS file: /cvsroot/src/gnu/dist/xcvs/src/login.c,v
retrieving revision 1.4
diff -u -p -r1.4 login.c
--- login.c 24 Jul 2006 18:11:19 -0000 1.4
+++ login.c 26 Jul 2006 10:10:30 -0000
@@ -566,18 +566,36 @@ login (argc, argv)
password_entry_operation (password_entry_add, current_parsed_root,
typed_password);
- memset (typed_password, 0, strlen (typed_password));
- free (typed_password);
-
- free (cvs_password);
+ free_cvs_password (typed_password);
free (cvsroot_canonical);
- cvs_password = NULL;
return 0;
}
+/* Free the password returned by get_cvs_password() and also free the
+ * saved cvs_password if they are different pointers. Be paranoid
+ * about the in-memory copy of the password and overwrite it with zero
+ * bytes before doing the free().
+ */
+void
+free_cvs_password (char *password)
+{
+ if (password && password != cvs_password)
+ {
+ memset (password, 0, strlen (password));
+ free (password);
+ }
+
+ if (cvs_password)
+ {
+ memset (cvs_password, 0, strlen (cvs_password));
+ free (cvs_password);
+ cvs_password = NULL;
+ }
+}
+
/* Returns the _scrambled_ password. The server must descramble
before hashing and comparing. If password file not found, or
password not found in the file, just return NULL. */
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Cvs-dev] bugfix to previous coverity cid-3404 patch,
Mark D. Baushke <=