...
Note that this solution may truncate the contents of original buffer, secret, if the size of the resized buffer is smaller. This behavior is similar to how realloc() handles resizing to a smaller block of memory ISO/IEC 9899-1999.
Risk Assessment
Failure to clear dynamic memory can result in leaked information.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MEM33-C | 2 (medium) | 1 (unlikely) | 3 (low) | P6 | L2 |
References
- http://vulncat.fortifysoftware.com/2/HI.html
- http://samate.nist.gov/docs/SAMATE_source_code_analysis_tool_spec_09_15_06.pdf
- Graff 03 Graff, Mark G. and van Wyk, Kenneth R. Secure Coding Principles & Practices: Desigining and Implementing Secure Applications. Sebastopol, CA: O'Reilly & Associates, 2003 (ISBN 0-596-00242-4).
- ISO/IEC 9899-1999 Section 7.20.3, Memory management functions