
curl-library

Erasing Memory Before Freeing

From: Alan Cronin (alcronin) <alcronin_at_cisco.com>
Date: Thu, 21 May 2015 09:53:01 +0000

Hi,

I am consuming libcURL (7.42.1) in an application and we are trying to remove / encrypt any instances of a user's password in memory. This will be done so that any memory dump will not be searchable for sensitive information. So far we have most of the application covered but have recently seen an issue whereby the password was seen in memory after making an HTTP request. This is as a result of libcURL storing the password in a string and freeing it correctly. However, the password still remains until the memory is reallocated and overwritten.

I would like to fix this by setting the memory to zero before freeing it. I have two potential changes which can resolve this issue.
One of them is to create a new Curl_safefree definition in memdebug.h which takes in a pointer to a memory location and a size, then overwriting the memory before zeroing.
The other method is to create a custom allocator / deallocator in our application which will zero the memory itself, however we will need to store the size with the block of data we allocate to determine how much data to zero.

Have you any recommendations for this? Has this issue ever come up before and if so how has it been solved?

Thanks,
Alan

Received on 2015-05-21
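
The second option described in the message (an application-side allocator that stores the size with each block and zeroes the block on release), as an added example that is not part of the original post and not libcurl code. The `z_*` names and the `zhdr` header are hypothetical; the five functions are written to match the callback signatures of libcurl's `curl_global_init_mem()`, which the post itself does not mention.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header stored in front of each block so the free path knows
   how many bytes to wipe; the union keeps the user pointer max-aligned. */
typedef union { size_t size; max_align_t align; } zhdr;

/* Zero through a volatile pointer so the stores are not removed as dead
   writes ahead of free(). */
void z_wipe(void *p, size_t n) {
  volatile unsigned char *v = p;
  while (n--) *v++ = 0;
}

void *z_malloc(size_t size) {
  zhdr *h = size > (size_t)-1 - sizeof(zhdr) ? NULL : malloc(sizeof(zhdr) + size);
  if (!h) return NULL;
  h->size = size;
  return h + 1;
}

void z_free(void *ptr) {
  zhdr *h = ptr ? (zhdr *)ptr - 1 : NULL;
  if (!h) return;
  z_wipe(h, sizeof(zhdr) + h->size);
  free(h);
}

/* Never call realloc(): it may move the block and leave the old copy
   unwiped. Allocate, copy, then wipe and free the old block. */
void *z_realloc(void *ptr, size_t size) {
  size_t old;
  void *n = z_malloc(size);
  if (!ptr || !n) return n;
  old = ((zhdr *)ptr - 1)->size;
  memcpy(n, ptr, old < size ? old : size);
  z_free(ptr);
  return n;
}

char *z_strdup(const char *s) {
  size_t n = strlen(s) + 1;
  char *d = z_malloc(n);
  if (d) memcpy(d, s, n);
  return d;
}

void *z_calloc(size_t nmemb, size_t size) {
  void *p = (size && nmemb > (size_t)-1 / size) ? NULL : z_malloc(nmemb * size);
  if (p) memset(p, 0, nmemb * size);
  return p;
}
```

With libcurl these would be installed once at startup via `curl_global_init_mem(CURL_GLOBAL_DEFAULT, z_malloc, z_free, z_realloc, z_strdup, z_calloc)`; copies of the password held outside libcurl's heap (stack buffers, TLS library allocations) are not covered by this.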