[master] a774a40 Make sure to not leave crumbs of the secret file in memory.

Poul-Henning Kamp phk at FreeBSD.org
Wed Apr 15 14:02:59 CEST 2015


commit a774a407c3e2c000a42a810d3d6e65c0789e785a
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date:   Wed Apr 15 07:17:53 2015 +0000

    Make sure to not leave crumbs of the secret file in memory.

diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c
index f77ceb7..9ddaece 100644
--- a/bin/varnishd/mgt/mgt_main.c
+++ b/bin/varnishd/mgt/mgt_main.c
@@ -319,7 +319,7 @@ make_secret(const char *dirname)
 	char *fn;
 	int fd;
 	int i;
-	unsigned char buf[256];
+	unsigned char b;
 
 	assert(asprintf(&fn, "%s/_.secret", dirname) > 0);
 
@@ -331,9 +331,10 @@ make_secret(const char *dirname)
 		exit(1);
 	}
 	VRND_Seed();
-	for (i = 0; i < sizeof buf; i++)
-		buf[i] = random() & 0xff;
-	assert(sizeof buf == write(fd, buf, sizeof buf));
+	for (i = 0; i < 256; i++) {
+		b = random() & 0xff;
+		assert(1 == write(fd, &b, 1));
+	}
 	AZ(close(fd));
 	VJ_master(JAIL_MASTER_LOW);
 	AZ(atexit(mgt_secret_atexit));
diff --git a/lib/libvarnish/cli_auth.c b/lib/libvarnish/cli_auth.c
index a538f2b..d7b7bf2 100644
--- a/lib/libvarnish/cli_auth.c
+++ b/lib/libvarnish/cli_auth.c
@@ -43,7 +43,7 @@ VCLI_AuthResponse(int S_fd, const char *challenge,
     char response[CLI_AUTH_RESPONSE_LEN + 1])
 {
 	SHA256_CTX ctx;
-	uint8_t buf[BUFSIZ];
+	uint8_t buf[SHA256_LEN];
 	int i;
 
 	assert(CLI_AUTH_RESPONSE_LEN == (SHA256_LEN * 2));
@@ -52,8 +52,8 @@ VCLI_AuthResponse(int S_fd, const char *challenge,
 	SHA256_Update(&ctx, challenge, 32);
 	SHA256_Update(&ctx, "\n", 1);
 	do {
-		i = read(S_fd, buf, sizeof buf);
-		if (i > 0)
+		i = read(S_fd, buf, 1);
+		if (i == 1)
 			SHA256_Update(&ctx, buf, i);
 	} while (i > 0);
 	SHA256_Update(&ctx, challenge, 32);



More information about the varnish-commit mailing list