Page History

...

The manner in which sensitive information can be properly cleared varies depending on the resource type and platform.

Noncompliant Code Example

...

`free()`

Dynamic memory managers are not required to clear freed memory and generally do not because of the additional runtime overhead. Furthermore, dynamic memory managers are free to reallocate this same memory. As a result, it is possible to accidentally leak sensitive information if it is not cleared before calling a function that frees dynamic memory. Programmers also cannot rely on memory being cleared during allocation (see MEM09-C. Do not assume memory allocation routines initialize memory).

...

Code Block

bgColor	#FFcccc

char *secret;

/* initialize secret */

char *new_secret;
size_t size = strlen(secret);
if (size == SIZE_MAX) {
  /* Handle Errorerror */
}

new_secret = (char *)malloc(size+1);
if (!new_secret) {
  /* Handle Errorerror */
}
strcpy(new_secret, secret);

/* Process new_secret... */

free(new_secret);
new_secret = NULL;

...

Code Block

bgColor	#ccccff

char *secret;

/* initialize secret */

char *new_secret;
size_t size = strlen(secret);
if (size == SIZE_MAX) {
  /* Handle Errorerror */
}

/* use calloc() to zero-out allocated space */
new_secret = (char *)calloc(size+1, sizeof(char));
if (!new_secret) {
  /* Handle Errorerror */
}
strcpy(new_secret, secret);

/* Process new_secret... */

/* sanitize memory  */
memset((volatile char *)new_secret, '\0', size);
free(new_secret);
new_secret = NULL;

...

NOTE: It is possible that the call to memset() in this example will be optimized out, although casting new secret as a volatile character should prevent this (see MSC06-C. Be aware of compiler optimization when dealing with Ensure that sensitive data is not written out to disk). Be very careful to ensure that any sensitive data is actually cleared from memory.

...

Code Block

bgColor	#FFcccc

char *secret;

/* initialize secret */

size_t secret_size = strlen(secret);
/* ... */
if (secret_size > SIZE_MAX/2) {
   /* handle error condition */
}
else {
secret = (char *)realloc(secret, secret_size * 2);
}

The secret_size is tested to ensure that the integer multiplication (secret_size * 2) does not result in an integer overflow (see INT32-C. Ensure that operations on signed integers do not result in overflow).

...

Code Block

bgColor	#ccccff

char *secret;

/* initialize secret */

size_t secret_size = strlen(secret);
char *temp_buff;
/* ... */
if (secret_size > SIZE_MAX/2) {
   /* handle error condition */
}
/* calloc() initializes memory to zero */
temp_buff = (char *)calloc(secret_size * 2, sizeof(char));
if (temp_buff == NULL) {
 /* Handle Errorerror */
}

memcpy(temp_buff, secret, secret_size);

/* sanitize the buffer */
memset((volatile char *)secret, '\0', secret_size);

free(secret);
secret = temp_buff; /* install the resized buffer */
temp_buff = NULL;

...

Wiki Markup

\[[Fortify 06|AA. C References#Fortify 06]\]
\[[Graff 03|AA. C References#Graf 03]\]
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.20.3, "Memory management functions"
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "XZK Sensitive Information Uncleared Before Use"
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 226|http://cwe.mitre.org/data/definitions/226.html], "Sensitive Information Uncleared Before Release," [CWE ID 244|http://cwe.mitre.org/data/definitions/244.html], and "Failure to Clear Heap Memory Before Release"
\[[NIST 06b|AA. C References#NIST 06b]\]

...

Space shortcuts

Page tree

Versions Compared

Old Version 104

New Version 105

Key

Noncompliant Code Example

`free()`