[master] a774a40 Make sure to not leave crumbs of the secret file in memory.
Poul-Henning Kamp
phk at FreeBSD.org
Wed Apr 15 14:02:59 CEST 2015
commit a774a407c3e2c000a42a810d3d6e65c0789e785a
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date: Wed Apr 15 07:17:53 2015 +0000
Make sure to not leave crumbs of the secret file in memory.
diff --git a/bin/varnishd/mgt/mgt_main.c b/bin/varnishd/mgt/mgt_main.c
index f77ceb7..9ddaece 100644
--- a/bin/varnishd/mgt/mgt_main.c
+++ b/bin/varnishd/mgt/mgt_main.c
@@ -319,7 +319,7 @@ make_secret(const char *dirname)
char *fn;
int fd;
int i;
- unsigned char buf[256];
+ unsigned char b;
assert(asprintf(&fn, "%s/_.secret", dirname) > 0);
@@ -331,9 +331,10 @@ make_secret(const char *dirname)
exit(1);
}
VRND_Seed();
- for (i = 0; i < sizeof buf; i++)
- buf[i] = random() & 0xff;
- assert(sizeof buf == write(fd, buf, sizeof buf));
+ for (i = 0; i < 256; i++) {
+ b = random() & 0xff;
+ assert(1 == write(fd, &b, 1));
+ }
AZ(close(fd));
VJ_master(JAIL_MASTER_LOW);
AZ(atexit(mgt_secret_atexit));
diff --git a/lib/libvarnish/cli_auth.c b/lib/libvarnish/cli_auth.c
index a538f2b..d7b7bf2 100644
--- a/lib/libvarnish/cli_auth.c
+++ b/lib/libvarnish/cli_auth.c
@@ -43,7 +43,7 @@ VCLI_AuthResponse(int S_fd, const char *challenge,
char response[CLI_AUTH_RESPONSE_LEN + 1])
{
SHA256_CTX ctx;
- uint8_t buf[BUFSIZ];
+ uint8_t buf[SHA256_LEN];
int i;
assert(CLI_AUTH_RESPONSE_LEN == (SHA256_LEN * 2));
@@ -52,8 +52,8 @@ VCLI_AuthResponse(int S_fd, const char *challenge,
SHA256_Update(&ctx, challenge, 32);
SHA256_Update(&ctx, "\n", 1);
do {
- i = read(S_fd, buf, sizeof buf);
- if (i > 0)
+ i = read(S_fd, buf, 1);
+ if (i == 1)
SHA256_Update(&ctx, buf, i);
} while (i > 0);
SHA256_Update(&ctx, challenge, 32);
More information about the varnish-commit
mailing list