authorTodd C. Miller <millert@cvs.openbsd.org>2004-01-05 00:23:58 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2004-01-05 00:23:58 +0000
commitc98457f0af8ca7370b397738ff2c441700d3a184 (patch)
tree68a8a649be346fa22a4828992ab734e08307eddc
parente31e0d84fac35639126f2aa7df285e983db53914 (diff)
Get rid of volatile variables that were a vain attempt to prevent the
compiler from optimizing away memset() calls. Instead, add a new function, zero_bytes(), to clear buffers with sensitive contents. Taken from the sudo cvs repo, man.
-rw-r--r--usr.bin/sudo/Makefile.in4
-rw-r--r--usr.bin/sudo/auth/aix_auth.c4
-rw-r--r--usr.bin/sudo/auth/bsdauth.c4
-rw-r--r--usr.bin/sudo/auth/fwtk.c8
-rw-r--r--usr.bin/sudo/auth/pam.c13
-rw-r--r--usr.bin/sudo/auth/sudo_auth.c4
-rw-r--r--usr.bin/sudo/sudo.h1
-rw-r--r--usr.bin/sudo/zero_bytes.c57
8 files changed, 76 insertions, 19 deletions
diff --git a/usr.bin/sudo/Makefile.in b/usr.bin/sudo/Makefile.in
index 5a1b6f58640..0b099394891 100644
--- a/usr.bin/sudo/Makefile.in
+++ b/usr.bin/sudo/Makefile.in
@@ -118,7 +118,7 @@ SRCS = alloc.c alloca.c check.c def_data.c defaults.c env.c err.c fileops.c \
interfaces.c lex.yy.c lsearch.c logging.c parse.c parse.lex \
parse.yacc set_perms.c sigaction.c snprintf.c strcasecmp.c strerror.c \
strlcat.c strlcpy.c sudo.c sudo.tab.c testsudoers.c tgetpass.c utime.c \
- visudo.c $(AUTH_SRCS)
+ visudo.c zero_bytes.c $(AUTH_SRCS)
AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \
auth/kerb4.c auth/kerb5.c auth/pam.c auth/passwd.c auth/rfc1938.c \
@@ -136,7 +136,7 @@ PARSEOBJS = sudo.tab.o lex.yy.o alloc.o defaults.o
SUDOBJS = check.o env.o getspwuid.o goodpath.o fileops.o find_path.o \
interfaces.o logging.o parse.o set_perms.o sudo.o tgetpass.o \
- $(AUTH_OBJS) $(PARSEOBJS)
+ zero_bytes.o $(AUTH_OBJS) $(PARSEOBJS)
VISUDOBJS = visudo.o fileops.o goodpath.o find_path.o $(PARSEOBJS)
diff --git a/usr.bin/sudo/auth/aix_auth.c b/usr.bin/sudo/auth/aix_auth.c
index 3b1ea687763..545591b2535 100644
--- a/usr.bin/sudo/auth/aix_auth.c
+++ b/usr.bin/sudo/auth/aix_auth.c
@@ -74,7 +74,7 @@ aixauth_verify(pw, prompt, auth)
char *prompt;
sudo_auth *auth;
{
- volatile char *pass;
+ char *pass;
char *message;
int reenter = 1;
int rval = AUTH_FAILURE;
@@ -83,7 +83,7 @@ aixauth_verify(pw, prompt, auth)
if (pass) {
if (authenticate(pw->pw_name, (char *)pass, &reenter, &message) == 0)
rval = AUTH_SUCCESS;
- memset(pass, 0, strlen(pass));
+ zero_bytes(pass, strlen(pass));
}
return(rval);
}
diff --git a/usr.bin/sudo/auth/bsdauth.c b/usr.bin/sudo/auth/bsdauth.c
index bce66d19797..a2c41867b2a 100644
--- a/usr.bin/sudo/auth/bsdauth.c
+++ b/usr.bin/sudo/auth/bsdauth.c
@@ -116,7 +116,7 @@ bsdauth_verify(pw, prompt, auth)
char *prompt;
sudo_auth *auth;
{
- volatile char *pass;
+ char *pass;
char *s;
size_t len;
int authok = 0;
@@ -165,7 +165,7 @@ bsdauth_verify(pw, prompt, auth)
if (pass) {
authok = auth_userresponse(as, (char *)pass, 1);
- memset(pass, 0, strlen(pass));
+ zero_bytes(pass, strlen(pass));
}
/* restore old signal handler */
diff --git a/usr.bin/sudo/auth/fwtk.c b/usr.bin/sudo/auth/fwtk.c
index 29322dbb752..1800842340a 100644
--- a/usr.bin/sudo/auth/fwtk.c
+++ b/usr.bin/sudo/auth/fwtk.c
@@ -114,8 +114,8 @@ fwtk_verify(pw, prompt, auth)
char *prompt;
sudo_auth *auth;
{
- volatile char *pass; /* Password from the user */
- volatile char buf[SUDO_PASS_MAX + 12]; /* General prupose buffer */
+ char *pass; /* Password from the user */
+ char buf[SUDO_PASS_MAX + 12]; /* General prupose buffer */
char resp[128]; /* Response from the server */
int error;
extern int nil_pw;
@@ -166,8 +166,8 @@ fwtk_verify(pw, prompt, auth)
warnx("%s", resp);
error = AUTH_FAILURE;
done:
- memset(pass, 0, strlen(pass));
- memset(buf, 0, strlen(buf));
+ zero_bytes(pass, strlen(pass));
+ zero_bytes(buf, strlen(buf));
return(error);
}
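Review bot: `zero_bytes(buf, strlen(buf))` at `done:` clears only up to the first NUL of the fixed-size array `buf`, so any bytes of an earlier, longer content that remain past that NUL are left behind; since buf's size is known here, `zero_bytes(buf, sizeof(buf));` clears the whole array and also avoids having strlen() read buf on any path that reaches done: before buf has been written. The same strlen() argument on `pass` assumes pass is non-NULL on every path to done:, whereas the aix_auth.c and bsdauth.c hunks keep an `if (pass)` guard around the call; if the password read can return NULL here, the same guard is wanted. fwtk_verify's body begins outside the hunk, so whether such a path exists cannot be confirmed from here.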
diff --git a/usr.bin/sudo/auth/pam.c b/usr.bin/sudo/auth/pam.c
index b198a32e33d..5f8a0638280 100644
--- a/usr.bin/sudo/auth/pam.c
+++ b/usr.bin/sudo/auth/pam.c
@@ -205,16 +205,16 @@ sudo_conv(num_msg, msg, response, appdata_ptr)
struct pam_response **response;
VOID *appdata_ptr;
{
- volatile struct pam_response *pr;
+ struct pam_response *pr;
PAM_CONST struct pam_message *pm;
const char *p = def_prompt;
- volatile char *pass;
+ char *pass;
int n, flags;
extern int nil_pw;
if ((*response = malloc(num_msg * sizeof(struct pam_response))) == NULL)
return(PAM_CONV_ERR);
- (void) memset(*response, 0, num_msg * sizeof(struct pam_response));
+ zero_bytes(*response, num_msg * sizeof(struct pam_response));
for (pr = *response, pm = *msg, n = num_msg; n--; pr++, pm++) {
flags = tgetpass_flags;
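Review bot: The `zero_bytes(*response, num_msg * sizeof(struct pam_response))` immediately after the malloc() initialises fresh memory rather than scrubbing a secret, so the volatile-store helper adds nothing there and obscures the intent; `if ((*response = calloc(num_msg, sizeof(struct pam_response))) == NULL)` expresses it directly and lets the allocator check the num_msg * sizeof product for overflow, which the open-coded multiplication does not. The zero_bytes() call on *response before free() in this file's last hunk is the genuine scrubbing case and should stay as the commit has it. num_msg appears to arrive from the PAM library as an int; unless it is validated earlier in sudo_conv, whose header is outside this hunk, a `num_msg <= 0` check before allocating would be cheap.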
@@ -232,7 +232,7 @@ sudo_conv(num_msg, msg, response, appdata_ptr)
if (*pr->resp == '\0')
nil_pw = 1; /* empty password */
else
- memset(pass, 0, strlen(pass));
+ zero_bytes(pass, strlen(pass));
break;
case PAM_TEXT_INFO:
if (pm->msg)
@@ -248,13 +248,12 @@ sudo_conv(num_msg, msg, response, appdata_ptr)
/* Zero and free allocated memory and return an error. */
for (pr = *response, n = num_msg; n--; pr++) {
if (pr->resp != NULL) {
- (void) memset(pr->resp, 0, strlen(pr->resp));
+ zero_bytes(pr->resp, strlen(pr->resp));
free(pr->resp);
pr->resp = NULL;
}
}
- (void) memset(*response, 0,
- num_msg * sizeof(struct pam_response));
+ zero_bytes(*response, num_msg * sizeof(struct pam_response));
free(*response);
*response = NULL;
return(PAM_CONV_ERR);
diff --git a/usr.bin/sudo/auth/sudo_auth.c b/usr.bin/sudo/auth/sudo_auth.c
index 33f13d50550..c7b296ac450 100644
--- a/usr.bin/sudo/auth/sudo_auth.c
+++ b/usr.bin/sudo/auth/sudo_auth.c
@@ -117,7 +117,7 @@ verify_user(pw, prompt)
int success = AUTH_FAILURE;
int status;
int flags;
- volatile char *p;
+ char *p;
sudo_auth *auth;
sigaction_t sa, osa;
@@ -202,7 +202,7 @@ verify_user(pw, prompt)
}
#ifndef AUTH_STANDALONE
if (p)
- (void) memset(p, 0, strlen(p));
+ zero_bytes(p, strlen(p));
#endif
/* Exit loop on nil password, but give it a chance to match first. */
diff --git a/usr.bin/sudo/sudo.h b/usr.bin/sudo/sudo.h
index 7cc91d85a3e..07594d3c992 100644
--- a/usr.bin/sudo/sudo.h
+++ b/usr.bin/sudo/sudo.h
@@ -237,6 +237,7 @@ int user_is_exempt __P((void));
void set_fqdn __P((void));
char *sudo_getepw __P((struct passwd *));
int pam_prep_user __P((struct passwd *));
+void zero_bytes __P((volatile VOID *, size_t));
YY_DECL;
/* Only provide extern declarations outside of sudo.c. */
diff --git a/usr.bin/sudo/zero_bytes.c b/usr.bin/sudo/zero_bytes.c
new file mode 100644
index 00000000000..1fc1c1352c9
--- /dev/null
+++ b/usr.bin/sudo/zero_bytes.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1999, 2001 Todd C. Miller <Todd.Miller@courtesan.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * 4. Products derived from this software may not be called "Sudo" nor
+ * may "Sudo" appear in their names without specific prior written
+ * permission from the author.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+ * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+
+#include "config.h"
+
+#ifndef lint
+static const char rcsid[] = "$Sudo: zero_bytes.c,v 1.1 2003/12/31 22:46:08 millert Exp $";
+#endif /* lint */
+
+/*
+ * Like bzero(3) but with a volatile pointer. The hope is that
+ * the compiler will not be able to optimize away this function.
+ */
+void
+zero_bytes(v, n)
+ volatile VOID *v;
+ size_t n;
+{
+ volatile char *p, *ep;
+
+ for (p = v, ep = p + n; p < ep; p++)
+ *p = 0;
+ return;
+}
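Review bot: The header comment on zero_bytes() only says the author "hopes" the compiler will not optimize the function away; the actual reason is worth stating so the next maintainer does not replace the loop with memset(). Suggested wording: `/* Like bzero(3), but every store goes through a volatile char lvalue, so the compiler must treat it as an observable side effect and cannot drop it as a dead store the way it may a memset() whose buffer is freed or goes out of scope right after. */`. The trailing `return;` in a void function is redundant and can be dropped. Note also that the call sites pass plain `char *` and `struct pam_response *` arguments, which convert implicitly to `volatile VOID *` only if VOID expands to `void`; if the compat layer maps VOID to `char` on pre-ANSI compilers, those call sites would need casts, which cannot be confirmed from this page.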