Subject: Re: CVS commit: src/libexec/comsat
To: Jarle Greipsland <jarle@uninett.no>
From: Valeriy E. Ushakov <uwe@ptc.spbu.ru>
List: source-changes
Date: 09/21/2003 16:34:02
On Sun, Sep 21, 2003 at 12:56:51 +0200, Jarle Greipsland wrote:

> > Wouldn't it be sufficient to just add a comment saying that this behavior
> > is ok because we exit if there's a failure?
> 
> What if an application had registered one or more functions with
> atexit(3)?  Granted, the comsat application does not, and it is
> fairly small and can be understood fairly easily.  However, for
> bigger applications, this might not be the case, and some
> programmer might decide to introduce the clearing of memory on
> exit using an atexit-function, without performing an audit of the
> code pattern for all instances of realloc() in the application.

Let me once again note that, *unlike* the ssh buffer.c bug, in this
case if realloc fails the buf variable will be NULL.  You cannot do a
lot of clean up on the NULL pointer.

Also, if the data in the buffer is so sensitive in the first place,
then if a successful realloc has to free the old copy, the old copy
is no longer accessible for the program to clean up.  So it's not
enough to zero-out all your buffers accessible via live pointers,
right?

SY, Uwe
-- 
uwe@ptc.spbu.ru                         |       Zu Grunde kommen
http://www.ptc.spbu.ru/~uwe/            |       Ist zu Grunde gehen
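The two points in this exchange, that `buf = realloc(buf, n)` leaves `buf` NULL (and the old block unreachable) on failure, and that a successful realloc may free the old copy without clearing it so an atexit-style wipe never sees it, can be shown in a small wrapper. The code below is an added illustration written for this page; it is not comsat's code and not part of the thread. The names `secure_realloc`, `xalloc`, `wipe` and the `force_alloc_failure` test hook are assumptions made for the example, and the "hunter2" content is a constructed sample value.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Test hook (constructed for this example): when set, the next allocation
 * fails, so the failure path can be exercised deterministically. */
static int force_alloc_failure = 0;

static void *xalloc(size_t n)
{
	if (force_alloc_failure) {
		force_alloc_failure = 0;
		return NULL;
	}
	return malloc(n);
}

/* Overwrite a region through a volatile pointer so the compiler cannot
 * discard the stores as dead writes just before free(). */
static void wipe(void *p, size_t n)
{
	volatile unsigned char *vp = p;

	while (n-- > 0)
		*vp++ = 0;
}

/*
 * The pattern discussed in the thread is
 *     buf = realloc(buf, newsz);
 * On failure buf becomes NULL and the old block, still holding its data,
 * is no longer reachable; on success realloc may have moved the data and
 * freed the old block without clearing it. secure_realloc() avoids both:
 * on failure it returns -1 and leaves *bufp untouched, and on success it
 * scrubs the old block itself before freeing it, so a later clean-up
 * pass over live pointers has nothing left behind to miss.
 */
static int secure_realloc(void **bufp, size_t oldsz, size_t newsz)
{
	void *nbuf = xalloc(newsz);

	if (nbuf == NULL)
		return -1;		/* caller still owns *bufp */
	if (*bufp != NULL) {
		memcpy(nbuf, *bufp, oldsz < newsz ? oldsz : newsz);
		wipe(*bufp, oldsz);	/* clear before the block is recycled */
		free(*bufp);
	}
	*bufp = nbuf;
	return 0;
}

/* Growing a buffer keeps its contents. Returns 1 on success. */
static int demo_success(void)
{
	void *buf = malloc(8);
	int ok;

	if (buf == NULL)
		return 0;
	memcpy(buf, "hunter2", 8);	/* constructed sample secret */
	if (secure_realloc(&buf, 8, 64) != 0) {
		free(buf);
		return 0;
	}
	ok = memcmp(buf, "hunter2", 8) == 0;
	wipe(buf, 64);
	free(buf);
	return ok;
}

/* A failed grow leaves the original pointer and its data intact, unlike
 * the bare realloc assignment. Returns 1 if that holds. */
static int demo_failure(void)
{
	void *buf = malloc(8);
	void *before;
	int rc, ok;

	if (buf == NULL)
		return 0;
	memcpy(buf, "hunter2", 8);	/* constructed sample secret */
	before = buf;
	force_alloc_failure = 1;
	rc = secure_realloc(&buf, 8, 64);
	ok = rc == -1 && buf == before && memcmp(buf, "hunter2", 8) == 0;
	wipe(buf, 8);
	free(buf);
	return ok;
}

int main(void)
{
	printf("grow preserves data: %s\n", demo_success() ? "yes" : "no");
	printf("failed grow keeps old buffer: %s\n", demo_failure() ? "yes" : "no");
	return 0;
}
```

The wrapper does not make realloc itself safe; it replaces it with malloc, copy, wipe and free, which costs a copy on every grow even when realloc could have extended in place. That trade is the price of knowing the old bytes were cleared, which is exactly what an exit-time zeroing pass cannot guarantee.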