krb5 commit [krb5-1.14]: Use zap() more consistently

Tom Yu tlyu at mit.edu
Mon Jan 9 17:53:32 EST 2017


https://github.com/krb5/krb5/commit/39800f15888135f4df337f9b6f97595c75b385ad
commit 39800f15888135f4df337f9b6f97595c75b385ad
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Oct 31 12:10:48 2016 -0400

    Use zap() more consistently
    
    Use zap() or zapfree() in places where we previously used memset() to
    scrub memory.  Reported by Zhaomo Yang and Brian Johannesmeyer.
    
    (back ported from commit d58cfa06bab766cf1354bc593deea300388072c0)
    
    ticket: 8514
    version_fixed: 1.14.5

 src/kadmin/dbutil/kdb5_create.c           |    8 ++------
 src/kdc/main.c                            |    3 +--
 src/lib/crypto/builtin/enc_provider/rc4.c |    6 ++----
 src/lib/gssapi/krb5/delete_sec_context.c  |    2 +-
 src/lib/gssapi/krb5/export_sec_context.c  |    2 +-
 src/lib/gssapi/krb5/lucid_context.c       |    4 ++--
 src/lib/gssapi/mechglue/g_initialize.c    |    6 ++----
 src/lib/kadm5/srv/svr_principal.c         |    9 ++-------
 src/lib/krb5/krb/authdata.c               |    3 +--
 src/lib/krb5/krb/pac.c                    |   11 +++--------
 10 files changed, 17 insertions(+), 37 deletions(-)

diff --git a/src/kadmin/dbutil/kdb5_create.c b/src/kadmin/dbutil/kdb5_create.c
index 3698d57..6d91af3 100644
--- a/src/kadmin/dbutil/kdb5_create.c
+++ b/src/kadmin/dbutil/kdb5_create.c
@@ -350,12 +350,8 @@ void kdb5_create(argc, argv)
     }
     /* clean up */
     (void) krb5_db_fini(util_context);
-    memset(master_keyblock.contents, 0, master_keyblock.length);
-    free(master_keyblock.contents);
-    if (pw_str) {
-        memset(pw_str, 0, pw_size);
-        free(pw_str);
-    }
+    zapfree(master_keyblock.contents, master_keyblock.length);
+    zapfree(pw_str, pw_size);
     free(master_salt.data);
 
     if (kadm5_create(&global_params)) {
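Review bot: Dropping the `if (pw_str)` guard is only safe if `zapfree()` returns without touching a NULL pointer, and its definition is not part of this diff. Since this is a backport to krb5-1.14, it is worth confirming that the branch's `zapfree()` carries that NULL check; the hunks in g_initialize.c, svr_principal.c and pac.c drop their NULL guards on the same assumption. A short comment above the two calls, such as `/* zapfree() accepts NULL, so pw_str needs no guard. */`, would record the dependency. kdb5_create's body starts and ends outside the hunk.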
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 82dfc0e..0bbe33a 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -168,8 +168,7 @@ finish_realm(kdc_realm_t *rdp)
             krb5_free_principal(rdp->realm_context, rdp->realm_tgsprinc);
         krb5_free_context(rdp->realm_context);
     }
-    memset(rdp, 0, sizeof(*rdp));
-    free(rdp);
+    zapfree(rdp, sizeof(*rdp));
 }
 
 /* Set *val_out to an allocated string containing val1 and/or val2, separated
diff --git a/src/lib/crypto/builtin/enc_provider/rc4.c b/src/lib/crypto/builtin/enc_provider/rc4.c
index 6fca98b..3776f80 100644
--- a/src/lib/crypto/builtin/enc_provider/rc4.c
+++ b/src/lib/crypto/builtin/enc_provider/rc4.c
@@ -144,10 +144,8 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data,
                              (const unsigned char *)iov->data.data, iov->data.length);
     }
 
-    if (state == NULL) {
-        memset(arcfour_ctx, 0, sizeof(ArcfourContext));
-        free(arcfour_ctx);
-    }
+    if (state == NULL)
+        zapfree(arcfour_ctx, sizeof(ArcfourContext));
 
     return 0;
 }
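Review bot: The scrub length in `zapfree(arcfour_ctx, sizeof(ArcfourContext))` is spelled with the type name rather than the pointer, so it would silently scrub the wrong number of bytes if the variable's type ever changed. Most other calls in this commit use the pointer form, and `zapfree(arcfour_ctx, sizeof(*arcfour_ctx));` would match them. The same applies to `zap(key, sizeof(gss_krb5_lucid_key_t))` in lucid_context.c. The declaration of arcfour_ctx is outside the hunk, so confirm it is an `ArcfourContext *`.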
diff --git a/src/lib/gssapi/krb5/delete_sec_context.c b/src/lib/gssapi/krb5/delete_sec_context.c
index 89228ca..4b9dfae 100644
--- a/src/lib/gssapi/krb5/delete_sec_context.c
+++ b/src/lib/gssapi/krb5/delete_sec_context.c
@@ -87,7 +87,7 @@ krb5_gss_delete_sec_context(minor_status, context_handle, output_token)
         krb5_free_context(ctx->k5_context);
 
     /* Zero out context */
-    memset(ctx, 0, sizeof(*ctx));
+    zap(ctx, sizeof(*ctx));
     xfree(ctx);
 
     /* zero the handle itself */
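Review bot: `zap(ctx, sizeof(*ctx));` followed by `xfree(ctx);` keeps scrub and release as two statements, while the rest of this commit folds the pair into `zapfree()`. If `xfree()` is a plain `free()` wrapper in this tree (its definition is not shown), `zapfree(ctx, sizeof(*ctx));` would prevent a later edit from separating the two; export_sec_context.c and lucid_context.c have the same shape. If the split is deliberate because `xfree()` may differ from `free()`, a one-line comment saying so would help. The function continues outside the hunk.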
diff --git a/src/lib/gssapi/krb5/export_sec_context.c b/src/lib/gssapi/krb5/export_sec_context.c
index 1b3de68..49bd76d 100644
--- a/src/lib/gssapi/krb5/export_sec_context.c
+++ b/src/lib/gssapi/krb5/export_sec_context.c
@@ -91,7 +91,7 @@ error_out:
         if (kret != 0 && context != 0)
             save_error_info((OM_uint32)kret, context);
     if (obuffer && bufsize) {
-        memset(obuffer, 0, bufsize);
+        zap(obuffer, bufsize);
         xfree(obuffer);
     }
     if (*minor_status == 0)
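Review bot: The `if (obuffer && bufsize)` test guards `xfree(obuffer)` as well as the scrub, so an allocated buffer with `bufsize == 0` would be neither scrubbed nor freed on this error path. Whether that state is reachable depends on code outside the hunk, but testing the pointer alone removes the question: `if (obuffer) { zap(obuffer, bufsize); xfree(obuffer); }`. free_lucid_key_data in lucid_context.c has the same combined `key->data && key->length` test, which additionally skips the `zap(key, ...)` of the struct itself when it fails. The error_out block starts outside the hunk.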
diff --git a/src/lib/gssapi/krb5/lucid_context.c b/src/lib/gssapi/krb5/lucid_context.c
index 449e71f..a894f0e 100644
--- a/src/lib/gssapi/krb5/lucid_context.c
+++ b/src/lib/gssapi/krb5/lucid_context.c
@@ -266,9 +266,9 @@ free_lucid_key_data(
 {
     if (key) {
         if (key->data && key->length) {
-            memset(key->data, 0, key->length);
+            zap(key->data, key->length);
             xfree(key->data);
-            memset(key, 0, sizeof(gss_krb5_lucid_key_t));
+            zap(key, sizeof(gss_krb5_lucid_key_t));
         }
     }
 }
diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c
index b7e8a8d..42299eb 100644
--- a/src/lib/gssapi/mechglue/g_initialize.c
+++ b/src/lib/gssapi/mechglue/g_initialize.c
@@ -513,10 +513,8 @@ releaseMechInfo(gss_mech_info *pCf)
 	if (cf->mech_type != GSS_C_NO_OID &&
 	    cf->mech_type != &cf->mech->mech_type)
 		generic_gss_release_oid(&minor_status, &cf->mech_type);
-	if (cf->mech != NULL && cf->freeMech) {
-		memset(cf->mech, 0, sizeof(*cf->mech));
-		free(cf->mech);
-	}
+	if (cf->freeMech)
+		zapfree(cf->mech, sizeof(*cf->mech));
 	if (cf->dl_handle != NULL)
 		krb5int_close_plugin(cf->dl_handle);
 	if (cf->int_mech_type != GSS_C_NO_OID)
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 1d4365c..87b8c23 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -122,13 +122,8 @@ kadm5_ret_t krb5_copy_key_data_contents(context, from, to)
         if ( from->key_data_length[i] ) {
             to->key_data_contents[i] = malloc(from->key_data_length[i]);
             if (to->key_data_contents[i] == NULL) {
-                for (i = 0; i < idx; i++) {
-                    if (to->key_data_contents[i]) {
-                        memset(to->key_data_contents[i], 0,
-                               to->key_data_length[i]);
-                        free(to->key_data_contents[i]);
-                    }
-                }
+                for (i = 0; i < idx; i++)
+                    zapfree(to->key_data_contents[i], to->key_data_length[i]);
                 return ENOMEM;
             }
             memcpy(to->key_data_contents[i], from->key_data_contents[i],
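Review bot: The cleanup loop `for (i = 0; i < idx; i++)` walks every slot up to idx, not just the ones this call allocated before malloc() failed, and it reuses the outer loop's `i`. If `to` was initialised as a copy of `*from` before the loop (not visible in this hunk), the slots after the failing one would still point at the source's key data, which would then be scrubbed and freed while the source entry still references it. Limiting the cleanup to the earlier slots with a separate index, e.g. `for (j = 0; j < i; j++)` over `zapfree(to->key_data_contents[j], to->key_data_length[j]);`, and setting each released pointer to NULL, avoids that and leaves `to` safe to free again. The function's body starts and ends outside the hunk.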
diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c
index fb8beb3..b4cbefe 100644
--- a/src/lib/krb5/krb/authdata.c
+++ b/src/lib/krb5/krb/authdata.c
@@ -479,8 +479,7 @@ krb5_authdata_context_free(krb5_context kcontext,
         context->modules = NULL;
     }
     krb5int_close_plugin_dirs(&context->plugins);
-    memset(context, 0, sizeof(*context));
-    free(context);
+    zapfree(context, sizeof(*context));
 }
 
 krb5_error_code KRB5_CALLCONV
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 2458695..82c112e 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -125,14 +125,9 @@ krb5_pac_free(krb5_context context,
               krb5_pac pac)
 {
     if (pac != NULL) {
-        if (pac->data.data != NULL) {
-            memset(pac->data.data, 0, pac->data.length);
-            free(pac->data.data);
-        }
-        if (pac->pac != NULL)
-            free(pac->pac);
-        memset(pac, 0, sizeof(*pac));
-        free(pac);
+        zapfree(pac->data.data, pac->data.length);
+        free(pac->pac);
+        zapfree(pac, sizeof(*pac));
     }
 }
 

