Page History

Dynamic memory managers are not required to clear freed memory and generally do not because of the additional runtime overhead.  Furthermore, dynamic memory managers are free to reallocate this same memory.  As a result, it is possible to accidently leak sensitive information if it is not cleared before calling a function whichthat frees dynamic memory.  Programmers cannot rely on memory being cleared during allocation either \[[MEM33-C|MEM33-C. Do not assume memory allocation routines initialize memory]\].

In practice, this type of security flaw can expose sensitive information to unintended parties. The Sun tarball vulnerability discussed in _Secure Coding Principles & Practices: Designing and Implementing Secure Applications_ \[[Graf 03|AA. C References#Graf 03]\] and [Sun Security Bulletin #00122 | http://sunsolve.sun.com/search/document.do?assetkey=1-22-00122-1] illustrates a violation of this recommendation leading to sensitive data being leaked. Attackers may also be able to leverage this defect to retrieve sensitive information using techniques, such as _heap inspection_.

The {{calloc()}} function ensures that the newly allocated memory has also bebeen cleared. Because {{sizeof(char)}} is guaranteed to be 1, this solution does not need to check for a numeric overflow as a result of using {{calloc()}} \[[MEM37-C | MEM37-C. Ensure that size arguments to calloc() do not result in an integer overflow]\].

Using {{realloc()}} to resize dynamic memory may inadvertently expose sensitive information, or it may allow heap inspection as is described in Fortify's _Taxonomy of Software Security Errors_ \[[vulncat|http://vulncat.fortifysoftware.com/2/HI.html]\] and NIST's _Source Code Analysis Tool Functional Specification_ \[[NIST 06b|AA. C References#NIST 06b]\]. When {{realloc()}} is called it may allocate a new, larger object, copy the contents, of {{secret}} to this new object, {{free()}} the original object, and assign the newly allocated object to {{secret}}. However, the contents of the original object may remain in memory.

A test is added at the beginning of this code to make sure that the integer multplicationmultiplication does not result in an integer overflow \[[INT32-C|INT32-C. Ensure that integer operations do not result in an overflow]\].