[
https://issues.apache.org/jira/browse/THRIFT-1844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alexis Wilke updated THRIFT-1844:
Description:
The function handling the SSL password receives a memory copy of the password
which is then passed down to the OpenSSL library. The intermediate buffer used
to get the password is not cleared once used up.
This is a (rather low) security issue in case a memory scraper was used. The
buffer should be cleared once not necessary anymore.
The current function (in 0.9.0) looks like this:
{noformat}
int TSSLSocketFactory::passwordCallback(char* password,
                                        int size,
                                        int,
                                        void* data) {
  TSSLSocketFactory* factory = (TSSLSocketFactory*)data;
  string userPassword;
  factory->getPassword(userPassword, size);
  int length = userPassword.size();
  if (length > size) {
    length = size;
  }
  strncpy(password, userPassword.c_str(), length);
  return length;
}
{noformat}
After the strncpy() I would suggest something like this:
{noformat}
// Overwrite every character of the temporary copy, last index first.
for(int i(userPassword.size() - 1); i >= 0; --i) {
  userPassword[i] = '*';
}
{noformat}
Note that we cannot use the variable size because it gets modified and thus
does not represent the whole password size at that point.
Password string not cleared
---
Key: THRIFT-1844
URL: https://issues.apache.org/jira/browse/THRIFT-1844
Project: Thrift
Issue Type: Bug
Components: C++ - Library
Affects Versions: 0.9
Environment: SSL connection with authentication
Reporter: Alexis Wilke
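An added example, not part of the original report or of Thrift's code: one way to wipe the temporary on every exit path of a callback shaped like the one quoted above. It goes beyond the suggested loop by writing through a volatile pointer, so the stores are not dropped as dead writes, and by covering the string's whole capacity. `secureWipe`, `ScopedWipe`, `getPasswordStub` and `passwordCallbackWiped` are hypothetical names, and the password value is constructed.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Zero the string's whole allocation (capacity, not just size). The stores go
// through a volatile pointer so the optimizer cannot drop them as dead writes
// to an object that is about to be destroyed.
void secureWipe(std::string& s) {
  s.resize(s.capacity());  // also covers bytes left beyond the old size()
  if (s.empty()) return;
  volatile char* p = &s[0];
  for (std::size_t i = 0; i < s.size(); ++i) p[i] = 0;
}

// RAII guard: wipes the referenced string on every exit path, including
// early returns and exceptions.
class ScopedWipe {
 public:
  explicit ScopedWipe(std::string& s) : s_(s) {}
  ~ScopedWipe() { secureWipe(s_); }
  ScopedWipe(const ScopedWipe&) = delete;
  ScopedWipe& operator=(const ScopedWipe&) = delete;

 private:
  std::string& s_;
};

// Hypothetical stand-in for factory->getPassword(); the value is constructed.
void getPasswordStub(std::string& out, int /*size*/) {
  out = "correct horse battery staple";
}

// Same shape as the callback quoted in the report, written as a free function.
int passwordCallbackWiped(char* password, int size, int, void*) {
  if (size <= 0) return 0;         // nothing can be copied
  std::string userPassword;
  ScopedWipe guard(userPassword);  // wiped when the function returns
  getPasswordStub(userPassword, size);
  int length = static_cast<int>(userPassword.size());
  if (length > size) length = size;
  std::memcpy(password, userPassword.data(), length);
  return length;
}
```

Where OpenSSL is already linked, `OPENSSL_cleanse()` can replace the loop in `secureWipe`. Copies of the password held elsewhere, such as inside the `getPassword()` implementation, need the same treatment.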