mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-07-29 11:41:15 +03:00
Call setbuf when reading or writing files: programs
After opening a file containing sensitive data, call mbedtls_setbuf() to disable buffering. This way, we don't expose sensitive data to a memory disclosure vulnerability in a buffer outside our control. This commit adds a call to mbedtls_setbuf() after each call to fopen(), but only in sample programs that were calling mbedtls_platform_zeroize(). Don't bother protecting stdio buffers in programs where application buffers weren't protected. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
@ -101,6 +101,10 @@ void nss_keylog_export( void *p_expkey,
|
||||
goto exit;
|
||||
}
|
||||
|
||||
/* Ensure no stdio buffering of secrets, as such buffers cannot be
|
||||
* wiped. */
|
||||
mbedtls_setbuf( f, NULL );
|
||||
|
||||
if( fwrite( nss_keylog_line, 1, len, f ) != len )
|
||||
{
|
||||
fclose( f );
|
||||
|
Reference in New Issue
Block a user