Bug 58921

Summary: Compiler removal of code to clear password buffer
Product: Apache httpd-2 Reporter: AppChecker <appchecker>
Component: CoreAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: normal CC: appchecker
Priority: P2    
Version: 2.5-HEAD   
Target Milestone: ---   
Hardware: PC   
OS: All   

Description AppChecker 2016-01-26 12:30:53 UTC
Compiler may remove function memset for the purposes of optimization (with the usage of the argument -O3) in that piece of code:

File: support/passwd_common.c

int get_password(struct passwd_ctx *ctx)
if (apr_password_get("New password: ", buf, &bufsize) != 0)
   goto err_too_long;
memset(buf, '\0', sizeof(buf));

GitHub link: https://github.com/apache/httpd/blob/trunk/support/passwd_common.c#L165

If the file is compiled with -O3 argument after we use a command 

objdump -dr passwd_common.o 

the listing will not contain that memset function call.
Comment 1 Christophe JAILLET 2018-04-09 20:55:08 UTC
if needed, 'apr_crypto_memzero()' in APR trunk can be taken and used for that.