From: Daniel Stenberg <daniel_at_haxx.se>

Date: Fri, 2 Mar 2018 17:45:30 +0100 (CET)

On Thu, 1 Mar 2018, Prashant Chaudhari wrote:

> I would like to add the attached patch, which zeroes out the user-defined
> data. I am particularly targeting to reset the password/authentication
> secrets.
>
> Please find the attached patch on libcurl version 7.57.0 and let me know
> if you can accept it and release.

Thanks, can you please make it a "unified" diff? Like when using -u with the
diff tool? That makes it easier for us to receive and review it!


Please find attached unified diff file with the same fix.

Regards,
Prashant
--- url.c       2018-01-30 16:19:20.307137284 -0800
+++ url-changed.c       2018-03-01 13:58:03.530696648 -0800
@@ -281,6 +281,9 @@
   /* Free all dynamic strings stored in the data->set substructure. */
   enum dupstring i;
   for(i = (enum dupstring)0; i < STRING_LAST; i++) {
+    if (data->set.str[i]) {
+      memset(data->set.str[i], 0, strlen(data->set.str[i]) *  sizeof 
(data->set.str[i][0]));
+    }
     Curl_safefree(data->set.str[i]);
   }
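
Review bot: the memset() added directly above Curl_safefree(data->set.str[i]) writes to a buffer that is freed on the very next line, so an optimizing compiler is allowed to treat it as a dead store and drop it, leaving the password or other secret in the freed memory. Route the wipe through something that cannot be elided, such as explicit_bzero() or memset_s() where the platform has them, or a small helper that writes through a volatile pointer. Two smaller points on the same lines: the buffers are strings handed to strlen(), so the element size is 1 and the multiplication by sizeof (data->set.str[i][0]) adds nothing, and the new condition is written "if (" while the surrounding code uses "for(" with no space before the parenthesis. Dropping the multiplication would also shorten the statement enough that it does not wrap in the mail.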

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html